[Samba] Problem to map uidNumber and getting authentication to work

Jason Gerfen jason.gerfen at scl.utah.edu
Tue Nov 17 09:09:08 MST 2009

Timo Aaltonen wrote:
> On Mon, 21 Sep 2009, Timo Aaltonen wrote:
>>     Hi!
>>  I'm trying to set up a samba client to authenticate from AD 
>> (Win2k8), by using rfc2307 schema mode to map uidNumber, gidNumber 
>> and unixHomeDirectory. The latter two seem to work, while uidNumber 
>> doesn't, at least according to 'wbinfo -i $uid', which shows the uid 
>> as the default starting point '10000'.
>> Another problem is that getent passwd/group doesn't work at all, and 
>> because of that neither does authentication ('wbinfo -a/-K' works). I 
>> _do_ have winbind on /etc/nsswitch.conf though, so I'm pretty much 
>> out of ideas about what's missing..
>> my smb.conf:
>> [global]
>>  workgroup = SHORTREALM
>>  realm = REALM
>>  security = ads
>>  use kerberos keytab = true
>>  idmap config SHORTREALM:schema_mode = rfc2307
>>  idmap config SHORTREALM:backend = ad
>>  idmap config SHORTREAlM:readonly = yes
>>  winbind nss info = rfc2307
>>  winbind use default domain = yes
>> I'm using Ubuntu 9.04 with samba 3.3.2, but I tried a backported 
>> 3.4.0 and it had the same problem.
> Anyone? Apparently this works on RHEL5 with samba 3.0.x, so it's a 
> regression if it doesn't work with anything newer..
Have you tried to look up the user's SID-to-UID mapping?
%> wbinfo -n USER
S-1-5-21-2868754479-89028146-2101856903-111873 User (1)

%> wbinfo -S S-1-5-21-2868754479-89028146-2101856903-111873
Could not convert sid S-1-5-21-2868754479-89028146-2101856903-111873 to uid

In the logs you would see things like this:

[2008/05/28 09:50:04, 10] 
 Retrieving response for pid 24973
[2008/05/28 09:50:04, 5] 
 sid2uid returned an error

Or in log.winbindd-idmap

[2008/05/28 09:50:51, 10] nsswitch/winbindd_dual.c:child_process_request(479)
  process_request: request fn DUAL_SID2UID
[2008/05/28 09:50:51, 3] nsswitch/winbindd_async.c:winbindd_dual_sid2uid(374)
  [24634]: sid to uid S-1-5-21-2868754479-89028146-2101856903-111473
[2008/05/28 09:50:51, 10] nsswitch/idmap_util.c:idmap_sid_to_uid(105)
  idmap_sid_to_uid: sid = [S-1-5-21-2868754479-89028146-2101856903-111473]
[2008/05/28 09:50:51, 10] nsswitch/idmap_util.c:idmap_sid_to_uid(125)
  sid [S-1-5-21-2868754479-89028146-2101856903-111473] not mapped to an uid [2,1,2213796440]

If this is the case, you would want to add the POSIX-compliant attributes for each user. Here is the process, in case this is the problem:
1. Create an LDIF for each user similar to the following:
dn: CN=User name,OU=container,DC=server,DC=com
changetype: modify
# msSFUName must be something without spaces
replace: msSFUName
msSFUName: user
-
replace: unixHomeDirectory
unixHomeDirectory: /path/to/home
-
replace: msSFUHomeDirectory
msSFUHomeDirectory: /path/to/home
-
replace: uidNumber
uidNumber: 888
-
replace: gidNumber
gidNumber: 500
-
replace: loginShell
loginShell: /bin/bash
-

2. Create another LDIF to modify the DN schema object attribute like the following:

dn: CN=User name,OU=container,DC=server,DC=com
changetype: modrdn
# the new RDN must also be something without spaces
newrdn: CN=user
deleteoldrdn: 1

3. Then use the ldapmodify tool on the LDIF files like so:
%> ldapmodify -x -D "CN=Administrator,CN=Users,DC=server,DC=com" -w "password" -h server.com -p 389 -f filename.ldif

If you need a script to automatically process any account which gives an 
error with the wbinfo commands, let me know. It is Perl and requires the 
wbinfo, ldapsearch and ldapmodify tools.

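The check-then-generate flow described in the reply above (wbinfo -n, wbinfo -S, then the two LDIF files), as an added example that is not the author's Perl script and not part of the original thread. The DN, login name, uid/gid values and the wbinfo output strings it consumes are constructed, and the functions only build the LDIF text; running ldapmodify against the directory is left to the operator.

```python
"""Build the 'modify' and 'modrdn' LDIFs from the post for an AD user whose SID
winbind cannot map to a uid.  Added example; the DN, uid/gid and the sample
wbinfo output are constructed, not taken from a real directory."""
import re

# 'wbinfo -n USER' prints '<SID> <name> (<type>)'; capture the SID.
SID_RE = re.compile(r"^(S-1-5-21(?:-\d+)+) ")

def sid_from_wbinfo_n(output):
    """Return the SID from 'wbinfo -n' output, or None if none is present."""
    m = SID_RE.match(output.strip())
    return m.group(1) if m else None

def sid_is_unmapped(wbinfo_s_output):
    """True when 'wbinfo -S SID' printed the error quoted in the post."""
    return wbinfo_s_output.strip().startswith("Could not convert sid")

def posix_modify_ldif(dn, login, home, uid_number, gid_number, shell="/bin/bash"):
    """LDIF 'changetype: modify' setting the RFC2307/SFU attributes.
    Every replace is closed with '-' as the LDIF change syntax requires."""
    if " " in login:
        raise ValueError("msSFUName / RDN must not contain spaces")
    changes = [("msSFUName", login), ("unixHomeDirectory", home),
               ("msSFUHomeDirectory", home), ("uidNumber", str(uid_number)),
               ("gidNumber", str(gid_number)), ("loginShell", shell)]
    body = "\n".join(f"replace: {attr}\n{attr}: {val}\n-" for attr, val in changes)
    return f"dn: {dn}\nchangetype: modify\n{body}\n"

def modrdn_ldif(dn, login):
    """LDIF renaming the object's RDN to the space-free login name."""
    if " " in login:
        raise ValueError("new RDN must not contain spaces")
    return f"dn: {dn}\nchangetype: modrdn\nnewrdn: CN={login}\ndeleteoldrdn: 1\n"

def ldifs_for_unmapped_user(wbinfo_n_out, wbinfo_s_out, dn, login, home, uid_number, gid_number):
    """Return (modify_ldif, modrdn_ldif) only when the SID was found and is
    unmapped; None when the lookup failed or the SID already maps to a uid."""
    sid = sid_from_wbinfo_n(wbinfo_n_out)
    if sid is None or not sid_is_unmapped(wbinfo_s_out):
        return None
    return posix_modify_ldif(dn, login, home, uid_number, gid_number), modrdn_ldif(dn, login)

if __name__ == "__main__":
    # constructed wbinfo output in the same shape as the post's transcript
    n_out = "S-1-5-21-2868754479-89028146-2101856903-111873 User (1)"
    s_out = "Could not convert sid S-1-5-21-2868754479-89028146-2101856903-111873 to uid"
    dn = "CN=User name,OU=container,DC=server,DC=com"
    for ldif in ldifs_for_unmapped_user(n_out, s_out, dn, "user", "/home/user", 888, 500):
        print(ldif)
```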