[Samba] [SOLVED] Re: idmap_ad not returning correct UID under 3.3.1

Bryan McLellan btm at loftninjas.org
Mon Mar 9 18:33:32 GMT 2009

Two stumbling blocks here, the idmap cache, and the new configuration syntax.

On Fri, Mar 6, 2009 at 9:16 PM, Bryan McLellan <btm at loftninjas.org> wrote:
> From winbindd -i -s /etc/samba/smb.conf -d10 -n

1) -n does not disable the idmap cache
2) I eventually found this data cached in /var/run/samba/gencache.tdb

I had to dig through the source to figure that out. I would have
expected it in /var/cache/samba/winbindd_cache.tdb, or
/var/lib/samba/winbindd_idmap.tdb. I realized the FHS layout is likely
debian/ubuntu specific, but it was less than clear which file I should
be clearing.

> I see some interesting errors about being unable to find domain '*'
> which I'll attach to the end. Perhaps this is part of the new support
> of idmap_ad for multiple domains? Has configuration changed and the
> man pages not been updated perhaps, where one has to specify a domain
> to use specifically due to this feature?

Once I deleted the cache I got back to where I started from, with the
user not being found, which made the configuration easier to test by
deleting all the caches and running winbindd -i -d10 -n and running
it through tee to parse the logs, like

rm /var/run/samba/gencache.tdb && winbindd -i -d10 -n -s /etc/samba/smb.test.conf | tee /tmp/winbind.log

The 'idmap backend' section of smb.conf(5) makes the solution more
clear at this point. Don't use 'idmap backend' for ad any longer and
only use 'idmap config' commands.

security = ADS
server string = %h server (Samba %v)
workgroup = WM
idmap config WM : backend = ad
idmap config WM : schema_mode = rfc2307
idmap config WM : range = 1000-20000
winbind enum users = Yes
winbind enum groups = Yes
winbind use default domain = Yes
winbind nested groups = Yes
template shell = /bin/bash
template homedir = /home/%U
allow trusted domains = No

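The following is an added example, not part of the original post or of Samba itself: a small POSIX sh check that catches the two configuration mistakes the post describes, a leftover global 'idmap backend' line and an 'idmap config DOMAIN : backend' stanza with no matching 'range'. It assumes a 3.3-style smb.conf with lowercase parameter names and plain-word domain names (not '*'); the two sample config files it writes are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original post or the Samba project).
# check_idmap_config FILE
#   Prints a warning for each problem found and returns 0 when the
#   per-domain idmap configuration looks consistent, 1 otherwise.
check_idmap_config() {
    f="$1"
    rc=0

    # The legacy global 'idmap backend' directive is superseded by the
    # per-domain 'idmap config <DOMAIN> : backend' form for the ad backend.
    if grep -Eiq '^[[:space:]]*idmap[[:space:]]+backend[[:space:]]*=' "$f"; then
        echo "WARN: legacy 'idmap backend' found; use 'idmap config <DOMAIN> : backend' instead"
        rc=1
    fi

    # Collect every domain that has a per-domain backend; the regex tolerates
    # varying whitespace around the ':' (assumes lowercase parameter names).
    domains=$(sed -nE 's/^[[:space:]]*idmap[[:space:]]+config[[:space:]]+([^[:space:]:]+)[[:space:]]*:[[:space:]]*backend[[:space:]]*=.*/\1/p' "$f")
    if [ -z "$domains" ]; then
        echo "WARN: no 'idmap config <DOMAIN> : backend' stanza found"
        rc=1
    fi

    # Each per-domain backend needs a range, or winbindd has nothing to allocate from.
    for d in $domains; do
        if ! grep -Eiq "^[[:space:]]*idmap[[:space:]]+config[[:space:]]+$d[[:space:]]*:[[:space:]]*range[[:space:]]*=" "$f"; then
            echo "WARN: domain $d has a backend but no range"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample configs for the demonstration (not real files from the post).
WORK_DIR=$(mktemp -d)
GOOD_CONF="$WORK_DIR/good.conf"
BAD_CONF="$WORK_DIR/bad.conf"

cat > "$GOOD_CONF" <<'EOF'
[global]
   security = ADS
   workgroup = WM
   idmap config WM : backend = ad
   idmap config WM : schema_mode = rfc2307
   idmap config WM : range = 1000-20000
EOF

cat > "$BAD_CONF" <<'EOF'
[global]
   security = ADS
   workgroup = WM
   idmap backend = ad
   idmap config WM : backend = ad
EOF

echo "== good.conf =="
check_idmap_config "$GOOD_CONF" && echo "OK"
echo "== bad.conf =="
check_idmap_config "$BAD_CONF" || echo "FIX NEEDED"
```

Run it before restarting winbindd and clearing gencache.tdb: a config that passes this check still has to be validated with testparm, but it rules out the mixed old/new syntax that leaves the user unmapped.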