[Samba] Windows server 2003 SP2, SFU 3.5 and Samba 3.0.28

Petteri Heinonen petteri.heinonen at sasken.com
Sat Mar 21 21:09:26 GMT 2009 

Hello list users,

I have been struggling with this combination in the subject field couple
of days now, so I decided to ask for some advice here. Hopefully someone
can point me to a right direction. The ultimate goal for me is to
authenticate users using AD, so that the UID/GID values configured for
users with SFU would also be in use in all our Linux machines. My
understanding is that using correctly configured winbind + pam +
nsswitch should produce the desired result.

I have been able to join a Linux box to our Windows server 2003 hosted
domain, but getting user/group info out of AD seems to cause some
trouble. I have been mostly experimenting with wbinfo tool. Running
"wbinfo -i someuser" results in "Could not get info for user someuser",
with logs as below.

One specific question which has been troubling me is that what should be
the value in for winbind nss info? Googling has revealed that the two
possibilities are "sfu" and "rfc2307". But I haven't been able to find
any decent documentation about when sfu should be used and when rfc2307.
Are these somehow related to what SFU version is in use at the AD side?

- Regards, Petteri Heinonen

log.winbindd:

[2009/03/21 22:59:04, 6] nsswitch/winbindd.c:new_connection(628)
  accepted socket 18
[2009/03/21 22:59:04, 3]
nsswitch/winbindd_misc.c:winbindd_interface_version(491)
  [ 1876]: request interface version
[2009/03/21 22:59:04, 3]
nsswitch/winbindd_misc.c:winbindd_priv_pipe_dir(524)
  [ 1876]: request location of privileged pipe
[2009/03/21 22:59:04, 6] nsswitch/winbindd.c:new_connection(628)
  accepted socket 19
[2009/03/21 22:59:04, 3] nsswitch/winbindd_user.c:winbindd_getpwnam(346)
  [ 1876]: getpwnam someuser
[2009/03/21 22:59:05, 5]
nsswitch/winbindd_async.c:winbindd_sid2uid_recv(347)
  sid2uid returned an error
[2009/03/21 22:59:05, 5]
nsswitch/winbindd_user.c:getpwsid_sid2uid_recv(266)
  Could not query uid for user DOMAIN\someuser

log.winbindd-idmap:

[2009/03/21 22:59:04, 4]
nsswitch/winbindd_dual.c:fork_domain_child(1065)
  child daemon request 48
[2009/03/21 22:59:04, 3]
nsswitch/winbindd_async.c:winbindd_dual_sid2uid(374)
  [ 1862]: sid to uid S-1-5-21-2285760618-1546780000-830142390-7708
[2009/03/21 22:59:04, 7]
nsswitch/idmap_ad.c:ad_idmap_cached_connection_internal(77)
  Current tickets expire in 35425 seconds (at 1237704569, time is now
1237669144)
[2009/03/21 22:59:05, 5]
libads/ldap_utils.c:ads_do_search_retry_internal(64)
  Search for
(|(attributeId=1.3.6.1.1.1.1.0)(attributeId=1.3.6.1.1.1.1.1)(attributeId
=1.3.6.1.1.1.1.3)(attributeId=1.3.6.1.1.1.1.4)(attributeId=1.3.6.1.1.1.1
.2)) in <CN=Schema,CN=Configuration,DC=bothi,DC=fi> gave 0 replies
[2009/03/21 22:59:05, 3]
libads/ldap_schema.c:ads_check_posix_schema_mapping(243)
  ads_check_posix_schema_mapping: failed NT_STATUS_NONE_MAPPED
[2009/03/21 22:59:05, 2]
nsswitch/idmap_ad.c:ad_idmap_cached_connection(152)
  ad_idmap_cached_connection: Failed to obtain schema details!
[2009/03/21 22:59:05, 1]
nsswitch/idmap_ad.c:idmap_ad_sids_to_unixids(514)
  ADS uninitialized
[2009/03/21 22:59:05, 2]
nsswitch/idmap.c:idmap_backends_sids_to_unixids(1163)
  ERROR: NTSTATUS = 0xc0000001

smb.conf:

[global]
   # general part
   security = ADS
   interfaces = eth0
   realm = DOMAIN.FI
   workgroup = DOMAIN
   netbios name = LUPUS
   domain master = no
   local master = no
   preferred master = no
   server string = %h
   encrypt passwords = yes
   wins support = no
   wins server = ad1.domain.fi
   use kerberos keytab = yes
   password server = ad1.domain.fi

   # logging
   log level = 8
   log file = /var/log/samba/log.%m
   max log size = 1000
   syslog = 0

   # disable printing
   load printers = no
   printing = bsd
   printcap name = /dev/null
   show add printer wizard = no
   disable spoolss = yes

   #winbind
   winbind enum users = no
   winbind enum groups = no
   winbind use default domain = yes
   winbind nested groups = yes
   winbind separator = +
   winbind nss info = rfc2307
   winbind cache time = 120
   idmap backend = ad
   idmap uid = 2000-20000
   idmap gid = 2000-20000
   template shell = /bin/bash
   template homedir = /home/%D/%U
   client use spnego = yes

SASKEN BUSINESS DISCLAIMER
-------------------------
This message may contain confidential, proprietary or legally privileged information. In 
case you are not the original intended Recipient of the message, you must not, directly or 
indirectly, use, Disclose, distribute, print, or copy any part of this message and you are 
requested to delete it and inform the sender. Any views expressed in this message are 
those of the individual sender unless otherwise stated. Nothing contained in this message 
shall be construed as an offer or acceptance of any offer by Sasken Communication 
Technologies Limited ("Sasken") unless sent with that express intent and with due 
authority of Sasken. Sasken has taken enough precautions to prevent the spread of 
viruses. However the company accepts no liability for any damage caused by any virus 
transmitted by this email

More information about the samba mailing list