[Samba] Help with configuration of winbind and idmap backend = ad

Thomas Ruth truth at ichaos.com
Thu Jul 16 22:54:44 MDT 2009 

Hello all,

I have an interesting situation that I'm trying to get working. At this
point, I'm not sure if it's possible to do what I want with my
configuration. I will start by explaining my situation.

I have a primarily windows network in my organization. I also have quite
a few UNIX systems as build servers. All these systems share 1 file
server (currently a Netapp, but I am moving to a Linux system with
Samba/NFS).

All users on my network have AD accounts. Only about 25% of those users
also have UNIX accounts. They have the same username. I installed SFU on
our domain controllers and ran a script against our NIS and
automatically populated all Windows users with UNIX accounts with the
msSFU30* information from NIS.

Now the problem I'm having. I can start winbind, but "getent passwd"
won't reveal any information from Active Directory. I have set the
winbind and idmap debug level to 10, and I see entries like this in
winbind.log:

[2009/07/16 16:01:15, 10] winbindd/idmap_util.c:idmap_sid_to_uid(104)
  idmap_sid_to_uid: sid = [S-1-5-21-3961909960-354130599-1050854057-3065]
[2009/07/16 16:01:15, 10] winbindd/idmap_cache.c:idmap_cache_map_sid(349)
  Cache entry with key =
IDMAP/SID/S-1-5-21-3961909960-354130599-1050854057-3065
 couldn't be found
[2009/07/16 16:01:15, 10]
winbindd/idmap.c:idmap_backends_sids_to_unixids(1191)
  Query backends to map sids->ids
[2009/07/16 16:01:15, 10]
winbindd/idmap.c:idmap_backends_sids_to_unixids(1216)
  SID S-1-5-21-3961909960-354130599-1050854057-3065 is being handled by BLUE
[2009/07/16 16:01:15, 10]
winbindd/idmap.c:idmap_backends_sids_to_unixids(1237)
  Query ids from domain BLUE
[2009/07/16 16:01:15,  7]
winbindd/idmap_ad.c:ad_idmap_cached_connection_interna
l(76)
  Current tickets expire in 36077 seconds (at 1247817752, time is now
1247781675
)
[2009/07/16 16:01:15, 10] winbindd/idmap_ad.c:idmap_ad_sids_to_unixids(544)
  Filter:
[(&(|(sAMAccountType=805306368)(sAMAccountType=805306369)(sAMAccountTy
pe=805306370)(sAMAccountType=268435456)(sAMAccountType=536870912))(|(objectSid=\
01\05\00\00\00\00\00\05\15\00\00\00\C8\F2\25\EC\A7\9A\1B\15\A9\C2\A2\3E\F9\0B\00
\00)))]
[2009/07/16 16:01:15, 10] winbindd/idmap_ad.c:idmap_ad_sids_to_unixids(632)
  Mapped S-1-5-21-3961909960-354130599-1050854057-3065 -> 40256 (1)
[2009/07/16 16:01:15, 10] winbindd/idmap_cache.c:idmap_cache_set(150)
  Adding cache entry with key =
IDMAP/SID/S-1-5-21-3961909960-354130599-10508540
57-3065; value =   1247782575/IDMAP/UID/40256 and timeout = Thu Jul 16
16:16:15
2009
   (900 seconds ahead)
[2009/07/16 16:01:15, 10] winbindd/idmap_cache.c:idmap_cache_set(172)
  Adding cache entry with key = IDMAP/UID/40256; value =
1247782575/IDMAP/SID/
S-1-5-21-3961909960-354130599-1050854057-3065 and timeout = Thu Jul 16
16:16:15
2009
   (900 seconds ahead)
[2009/07/16 16:01:15, 10] winbindd/idmap_util.c:idmap_sid_to_gid(144)
  idmap_sid_to_gid: sid = [S-1-5-21-3961909960-354130599-1050854057-513]
[2009/07/16 16:01:15, 10] winbindd/idmap_util.c:idmap_sid_to_gid(163)
  sid [S-1-5-21-3961909960-354130599-1050854057-513] not mapped to a gid
[2,2]
[2009/07/16 16:01:15,  1] winbindd/winbindd_user.c:winbindd_fill_pwent(92)
  error getting group id for sid
S-1-5-21-3961909960-354130599-1050854057-513
[2009/07/16 16:01:15,  1] winbindd/winbindd_user.c:winbindd_getpwent(766)
  could not lookup domain user truth

I have a tcpdump, and it shows that the query it's performing is
returning the msSFU30GidNumber attribute (value 11). I'm unsure why it's
unable to locate my group ID. I also have created a group with that same
ID in Active Directory.

The configuration I'm using to get the above results is as follows:

idmap domains = default BLUE
idmap config BLUE:backend = ad
idmap config BLUE:default = yes
idmap config BLUE:schema_mode = sfu

idmap config default:backend = rid
idmap config default:base_rid = 300000

idmap uid = 100000-200000
idmap gid = 100000-200000
winbind cache time = 15
winbind enum users = yes
winbind enum groups = yes
template homedir = /mnt/rw_rd_variable_data/homes/home/%U
template shell = /sbin/nologin
winbind use default domain = yes

The group name for the SID it's attempting to look up above, is
"BLUE\Domain Users 2".

The behavior I'm looking for is:

I would like windows users that create files on my samba shares to have
a matching NIS userid/groupid if they have a UNIX account. Otherwise, I
would like the Samba server to use the rid method to assign this user a
UID/GID (This way, it's the same on my other 2 file servers as well).

If I'm going about this all wrong, I would appreciate a pointer in the
right direction.

This system is running samba 3.2.10 on a 64-bit Openfiler distribution.

Thanks for any help you can provide,

Tom

More information about the samba mailing list