[Samba] winbind problems

Waltari Harri Harri.Waltari at deltamarin.com
Wed Sep 17 13:20:24 GMT 2008


Folks,

I do have a couple of problems I hope you could help solve. I have
searched the net, but had little success in finding documentation about
samba 3.2 and AD. I do have a Win server 2003 domain and AD in native
mode. The new samba server should be a member server in the domain. The
idea is to have the same UIDs as the RIDs in the AD.

The environment is as follows.
Sernet packaged samba 3.2.3-37
MIT kerberos 1.6.1-25.el5
CentOS 5.2

Here's the smb.conf
---snip---
[global]
        workgroup = NNNN
        printing = cups
        printcap name = cups
        load printers = no
        realm = NNNN.LOCAL
        security = ads
        winbind use default domain = yes
        winbind enum users = yes
        winbind enum groups = yes
        allow trusted domains = no
        idmap domains = NNNN
        idmap config NNNN:default = yes
        idmap config NNNN:backend = rid
        idmap config NNNN:range = 100-200000
        idmap config NNNN:base_rid = 0
---snip---

Kerberos information is resolved via DNS, and to my knowledge this works
OK. So, I have not made any changes in /etc/krb5.conf as was
instructed in the Samba documentation. Kinit tests do return what they
should return.
NTP is configured and running OK.

Now the questions.

What is the low limit of the idmap range? When it is set to 0, information
is no longer returned from the AD. I do ask this because it would be
convenient to have the uid be _exactly_ the same as the RID. The
difference could cause human mistakes one day. Using LDAP and idmap
backend=ADS would, of course, make the problem go away, but I'll stick
to RID. KISS.
Is there something I have missed?

Does using "winbind enum ..." affect functionality somehow, e.g.
performance-wise? The only difference I've noticed is that "getent xxx" does
not return AD users or groups, but e.g. "getent group ad-group" does.
Still, setting permissions works for AD users. Are there any other
implications if it is left out?

Then the logs are filled with these, or similar lines
log.winbindd
[2008/09/16 14:03:42,  1] libsmb/clientgen.c:cli_rpc_pipe_close(559)
  cli_rpc_pipe_close: cli_close failed on pipe \NETLOGON, fnum 0xa to
machine dc1.nnnn.local.  Error was SUCCESS - 0

and...
[2008/09/16 14:03:31,  0] lib/util_sid.c:string_to_sid(247)
  string_to_sid: Sid S-1-0 is not in a valid format.

I do understand from various sources on the net that this latter one is
not something to worry about, but for cosmetic reasons I'd like to have
it disappear.

Maybe solving these log entries is FAQ material in both cases?


-- 
Harri
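To make the range question above concrete, here is an added example (my own code, not from this thread or from Samba) that applies the arithmetic idmap_rid uses, id = rid - base_rid + low end of the range, to the idmap lines from the smb.conf above. It shows why a range of 100-200000 with base_rid = 0 yields uid = RID + 100, and that the same formula gives uid = RID when base_rid equals the low end of the range. The domain SID is a constructed placeholder.

```python
import re

# Constructed sample: the idmap lines from the smb.conf in the post
# (with the "ifmap" typo corrected so all four keys are seen).
SMB_CONF = """
[global]
        workgroup = NNNN
        idmap domains = NNNN
        idmap config NNNN:default = yes
        idmap config NNNN:backend = rid
        idmap config NNNN:range = 100-200000
        idmap config NNNN:base_rid = 0
"""

DOMAIN_SID = "S-1-5-21-1111-2222-3333"  # constructed placeholder, not a real domain SID


def parse_idmap(conf, domain):
    """Return (low, high, base_rid) from the 'idmap config DOMAIN:...' lines."""
    pat = re.compile(r"^\s*idmap config %s:(\w+)\s*=\s*(\S+)" % re.escape(domain), re.M)
    opts = dict(pat.findall(conf))
    if opts.get("backend") != "rid":
        raise ValueError("domain %s does not use the rid backend" % domain)
    low, high = (int(x) for x in opts["range"].split("-"))
    base_rid = int(opts.get("base_rid", "0"))   # idmap_rid defaults base_rid to 0
    return low, high, base_rid


def sid_to_id(sid, domain_sid, low, high, base_rid):
    """idmap_rid mapping: id = rid - base_rid + low; None if unmappable."""
    prefix, _, rid = sid.rpartition("-")
    if prefix != domain_sid:
        return None            # SID from another domain: idmap_rid will not map it
    uid = int(rid) - base_rid + low
    if uid < low or uid > high:
        return None            # outside the configured range: no mapping
    return uid


def id_to_sid(uid, domain_sid, low, high, base_rid):
    """Reverse mapping used for lookups by uid/gid: rid = id - low + base_rid."""
    if uid < low or uid > high:
        return None
    return "%s-%d" % (domain_sid, uid - low + base_rid)


if __name__ == "__main__":
    low, high, base_rid = parse_idmap(SMB_CONF, "NNNN")
    admin = DOMAIN_SID + "-500"          # RID 500 is the built-in Administrator
    print(sid_to_id(admin, DOMAIN_SID, low, high, base_rid))        # 600: RID + 100
    print(sid_to_id(admin, DOMAIN_SID, low, high, base_rid=low))    # 500: uid == RID
```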
