[Samba] winbind and samba 3.2.7

Harry Jede walk2sun at arcor.de
Thu Jan 15 16:33:53 GMT 2009

Hi all,

I'm using Samba 3.2.7 with openldap 2.4.13 and have problems with

If winbindd is started, he needs two minutes, until he is responding
to queries. That makes it hard to debug problems. May be winbindd 
is waiting for WINS answers?

The problem,
the man page says this:

ldap group suffix (G)
This parameter specifies the suffix that is used for groups when these 
are added to the LDAP directory. If this parameter is unset, the value 
of ldap suffix will be used instead.

But this is not true, or I have a mistake in my configuration.

The LDAP-Search ist done with scope=2 (sub). 2 Posix Entries are found
and resolved to sambaSid correctly. Then the SIDs are searched and this
search use the base from "ldap user suffix".

The result is, that instead of finding 2 users in 2 different OUs,
only 1 user is found.

So, is this a bug?
Is the man page wrong?

The problem is shown here, in the slapd.log.

slapd[27069]: conn=484 op=68 SRCH base="dc=schule,dc=xx" scope=2 deref=3 filter="(&(uid=domain administratoren)(objectClass=sambaSamAccount))"
slapd[27069]: conn=484 op=68 SRCH attr=uid uidNumber gidNumber homeDirectory sambaPwdLastSet sambaPwdCanChange sambaPwdMustChange sambaLogonTime sambaLogoffTime sambaKickoffTime cn sn displayName sambaHomeDrive sambaHomePath sambaLogonScript sambaProfilePath description sambaUserWorkstations sambaSID sambaPrimaryGroupSID sambaLMPassword sambaNTPassword sambaDomainName objectClass sambaAcctFlags sambaMungedDial sambaBadPasswordCount sambaBadPasswordTime sambaPasswordHistory modifyTimestamp sambaLogonHours modifyTimestamp uidNumber
slapd[27069]: conn=484 op=68 SEARCH RESULT tag=101 err=0 nentries=0 text=
slapd[27069]: conn=484 op=69 SRCH base="o=SCHULE,dc=schule,dc=xx" scope=2 deref=3 filter="(&(objectClass=sambaGroupMapping)(|(displayName=domain administratoren)(cn=domain administratoren)))"
slapd[27069]: conn=484 op=69 SRCH attr=gidNumber sambaSID sambaGroupType sambaSIDList description displayName cn objectClass
slapd[27069]: conn=484 op=69 SEARCH RESULT tag=101 err=0 nentries=1 text=
slapd[27069]: conn=484 op=70 SRCH base="ou=SCHUELER,o=SCHULE,dc=schule,dc=xx" scope=2 deref=3 filter="(&(objectClass=sambaSamAccount)(|(sambaSID=s-1-5-21-2462391502-1360153102-2655098952-512)))"
slapd[27069]: conn=484 op=70 SRCH attr=uid sambaSid
slapd[27069]: conn=484 op=70 SEARCH RESULT tag=101 err=0 nentries=0 text=
slapd[27069]: conn=484 op=71 SRCH base="o=SCHULE,dc=schule,dc=xx" scope=2 deref=3 filter="(&(objectClass=sambaGroupMapping)(|(sambaSID=s-1-5-21-2462391502-1360153102-2655098952-512)))"
slapd[27069]: conn=484 op=71 SRCH attr=cn displayName sambaSid sambaGroupType
slapd[27069]: conn=484 op=71 SEARCH RESULT tag=101 err=0 nentries=1 text=

slapd[27069]: conn=486 op=13 SRCH base="o=SCHULE,dc=schule,dc=xx" scope=2 deref=3 filter="(&(objectClass=posixGroup)(objectClass=sambaGroupMapping)(sambaSID=s-1-5-21-2462391502-1360153102-2655098952-512))"
slapd[27069]: conn=486 op=13 SRCH attr=memberUid gidNumber
slapd[27069]: conn=486 op=13 SEARCH RESULT tag=101 err=0 nentries=1 text=
slapd[27069]: conn=486 op=14 SRCH base="dc=schule,dc=xx" scope=2 deref=3 filter="(&(objectClass=sambaSamAccount)(|(uid=atom)(uid=auge)))"
slapd[27069]: conn=486 op=14 SRCH attr=sambaSID
slapd[27069]: conn=486 op=14 SEARCH RESULT tag=101 err=0 nentries=2 text=
slapd[27069]: conn=486 op=15 SRCH base="dc=schule,dc=xx" scope=2 deref=3 filter="(&(objectClass=sambaSamAccount)(gidNumber=9009))"
slapd[27069]: conn=486 op=15 SRCH attr=sambaSID
slapd[27069]: conn=486 op=15 SEARCH RESULT tag=101 err=0 nentries=0 text=
slapd[27069]: conn=486 op=16 SRCH base="ou=SCHUELER,o=SCHULE,dc=schule,dc=xx" scope=2 deref=3 filter="(&(objectClass=sambaSamAccount)(|(sambaSID=s-1-5-21-2462391502-1360153102-2655098952-5000)(sambaSID=s-1-5-21-2462391502-1360153102-2655098952-1004)))"
slapd[27069]: conn=486 op=16 SRCH attr=uid sambaSid
slapd[27069]: conn=486 op=16 SEARCH RESULT tag=101 err=0 nentries=1 text=
slapd[27069]: conn=486 op=17 SRCH base="o=SCHULE,dc=schule,dc=xx" scope=2 deref=3 filter="(&(objectClass=sambaGroupMapping)(|(sambaSID=s-1-5-21-2462391502-1360153102-2655098952-5000)(sambaSID=s-1-5-21-2462391502-1360153102-2655098952-1004)))"
slapd[27069]: conn=486 op=17 SRCH attr=cn displayName sambaSid sambaGroupType
slapd[27069]: conn=486 op=17 SEARCH RESULT tag=101 err=0 nentries=0 text=

        unix charset = LOCALE
        workgroup = SCHULE
        netbios name = SERVER-1
        server string = %h server
        interfaces =,
        bind interfaces only = Yes
        security = user
        name resolve order = wins bcast host
        passdb backend = ldapsam
        ldapsam:trusted = yes
        ldapsam:editposix = yes
        lanman auth = Yes
        syslog = 0
        max log size = 1000
        log level = 0
        log file = /var/log/samba/log.%m
        log file = /var/log/samba/log.%U

        add user script = /usr/sbin/smbldap-useradd -m "%u"
        delete user script = /usr/sbin/smbldap-userdel "%u"
        add group script = /usr/sbin/smbldap-groupadd -p -a "%g"
        delete group script = /usr/sbin/smbldap-groupdel "%g"
        add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
        delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
        set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u"
        add machine script = /usr/sbin/smbldap-useradd -w "%u"

        logon script = logon.bat
        logon drive = L:
        logon path = \\%L\Profiles\%U
        logon home = \\%L\%U
        domain logons = Yes
        domain master = Yes
        local master = yes
        preferred master =yes
        os level = 254
        wins support = Yes
        ldap admin dn = cn=admin,dc=schule,dc=xx
        ldap delete dn = Yes
        ldap machine suffix = ou=ARBEITSSTATIONEN,o=SCHULE
        ldap passwd sync = Yes
        ldap suffix = dc=schule,dc=xx
        ldap user suffix = ou=SCHUELER,o=SCHULE
        ldap group suffix = o=SCHULE
        ldap machine suffix = ou=ARBEITSSTATIONEN,o=SCHULE
        ldap debug level = 160
        panic action = /usr/share/samba/panic-action %d
        idmap domains = ALLE
        idmap config ALLE:backend = ldap
        idmap config ALLE:default = yes
        idmap config ALLE:ldap_base_dn = ou=idmaps,o=SYSTEM,dc=schule,dc=xx
        idmap config ALLE:ldap_url     = ldap://localhost/
   winbind nested groups = yes
   winbind separator = /
        template shell = /bin/bash
        template homedir = /home/%g/%U
        ea support = Yes
        store dos attributes = Yes


	Harry Jede

More information about the samba mailing list