[Samba] Problem to map uidNumber and getting authentication to work

Jason Gerfen jason.gerfen at scl.utah.edu
Tue Nov 17 09:09:08 MST 2009


Timo Aaltonen wrote:
> On Mon, 21 Sep 2009, Timo Aaltonen wrote:
>
>>
>>
>>     Hi!
>>
>>  I'm trying to set up a samba client to authenticate from AD 
>> (Win2k8), by using rfc2307 schema mode to map uidNumber, gidNumber 
>> and unixHomeDirectory. The latter two seem to work, while uidNumber 
>> doesn't, at least according to 'wbinfo -i $uid', which shows the uid 
>> as the default starting point '10000'.
>>
>> Another problem is that getent passwd/group doesn't work at all, and 
>> because of that neither does authentication ('wbinfo -a/-K' works). I 
>> _do_ have winbind on /etc/nsswitch.conf though, so I'm pretty much 
>> out of ideas about what's missing..
>>
>> my smb.conf:
>>
>> [global]
>>  workgroup = SHORTREALM
>>  realm = REALM
>>  security = ads
>>  use kerberos keytab = true
>>  idmap config SHORTREALM:schema_mode = rfc2307
>>  idmap config SHORTREALM:backend = ad
>>  idmap config SHORTREALM:readonly = yes
>>  winbind nss info = rfc2307
>>  winbind use default domain = yes
>>
>>
>> I'm using Ubuntu 9.04 with samba 3.3.2, but I tried a backported 
>> 3.4.0 and it had the same problem.
>
> Anyone? Apparently this works on RHEL5 with samba 3.0.x, so it's a 
> regression if it doesn't work with anything newer..
>
>
Have you tried to look up the user's SID-to-UID mapping?
%> wbinfo -n USER
S-1-5-21-2868754479-89028146-2101856903-111873 User (1)

%> wbinfo -S S-1-5-21-2868754479-89028146-2101856903-111873
Could not convert sid S-1-5-21-2868754479-89028146-2101856903-111873 to uid

In the logs you would see things like this:

[2008/05/28 09:50:04, 10] 
nsswitch/winbindd_cache.c:cache_retrieve_response(2300)
 Retrieving response for pid 24973
[2008/05/28 09:50:04, 5] 
nsswitch/winbindd_async.c:winbindd_sid2uid_recv(347)
 sid2uid returned an error

Or in log.winbindd-idmap

[2008/05/28 09:50:51, 10] nsswitch/winbindd_dual.c:child_process_request(479)
  process_request: request fn DUAL_SID2UID
[2008/05/28 09:50:51, 3] nsswitch/winbindd_async.c:winbindd_dual_sid2uid(374)
  [24634]: sid to uid S-1-5-21-2868754479-89028146-2101856903-111473
[2008/05/28 09:50:51, 10] nsswitch/idmap_util.c:idmap_sid_to_uid(105)
  idmap_sid_to_uid: sid = [S-1-5-21-2868754479-89028146-2101856903-111473]
[2008/05/28 09:50:51, 10] nsswitch/idmap_util.c:idmap_sid_to_uid(125)
  sid [S-1-5-21-2868754479-89028146-2101856903-111473] not mapped to an uid [2,1,2213796440]

If this is the case you would want to add the POSIX compliant attributes for each user. Here is the process in case this is the problem:
1. Create an LDIF for each user similar to the following (each change is a "replace:" followed by the attribute and a single "-" separator):
dn: CN=User name,OU=container,DC=server,DC=com
changetype: modify
replace: msSFUName
msSFUName: user
# (this must be something without spaces)
-
replace: unixHomeDirectory
unixHomeDirectory: /path/to/home
-
replace: msSFUHomeDirectory
msSFUHomeDirectory: /path/to/home
-
replace: uidNumber
uidNumber: 888
-
replace: gidNumber
gidNumber: 500
-
replace: loginShell
loginShell: /bin/bash
-

2. Create another LDIF to modify the DN schema object attribute like the following:

dn: CN=User name,OU=container,DC=server,DC=com
changetype: modrdn
newrdn: CN=user
# (this must also be something without spaces)
deleteoldrdn: 1

3. Then use the ldapmodify tool on the ldif files like so:
%> ldapmodify -x -D "CN=Administrator,CN=Users,DC=server,DC=com" -w "password" -h server.com -p 389 -f filename.ldif

If you need a script to automatically process any account which gives an 
error with the wbinfo commands let me know. It is Perl and requires the
wbinfo, ldapsearch and ldapmodify tools.

-- 
Jas
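As an added example (not Jason's Perl script, which is not in the thread), the two mechanical halves of the procedure above in Python: pulling the SIDs that winbind reported as "not mapped to an uid" out of log.winbindd-idmap, and emitting the RFC 2849 modify/modrdn records for one user. The log lines and the second SID are constructed here; the DN, attribute names and values follow the post.

```python
import re

# Constructed sample lines in the log.winbindd-idmap format quoted in the post
# (the first SID is the one from the post, the second is made up here).
SAMPLE_LOG = """\
[2008/05/28 09:50:51, 10] nsswitch/idmap_util.c:idmap_sid_to_uid(125)
  sid [S-1-5-21-2868754479-89028146-2101856903-111473] not mapped to an uid [2,1,2213796440]
[2008/05/28 09:50:52, 10] nsswitch/idmap_util.c:idmap_sid_to_uid(105)
  idmap_sid_to_uid: sid = [S-1-5-21-2868754479-89028146-2101856903-111473]
[2008/05/28 09:50:53, 10] nsswitch/idmap_util.c:idmap_sid_to_uid(125)
  sid [S-1-5-21-1111111111-222222222-3333333333-1001] not mapped to an uid [2,1,0]
"""

UNMAPPED = re.compile(r"sid \[(S-1-5-21(?:-\d+)+)\] not mapped to an uid")

def unmapped_sids(log_text):
    """Distinct SIDs winbind failed to map, in order of first appearance."""
    seen = []
    for m in UNMAPPED.finditer(log_text):
        if m.group(1) not in seen:
            seen.append(m.group(1))
    return seen

def posix_ldif(dn, username, uid_number, gid_number, home, shell="/bin/bash"):
    """LDIF 'modify' record setting the rfc2307/SFU attributes on an AD user.
    Each change is 'replace: attr' / 'attr: value' / '-' as RFC 2849 requires."""
    if re.search(r"\s", username):
        raise ValueError("msSFUName must not contain whitespace: %r" % username)
    if int(uid_number) <= 0 or int(gid_number) <= 0:
        raise ValueError("uidNumber/gidNumber must be positive integers")
    changes = [
        ("msSFUName", username),
        ("unixHomeDirectory", home),
        ("msSFUHomeDirectory", home),
        ("uidNumber", str(uid_number)),
        ("gidNumber", str(gid_number)),
        ("loginShell", shell),
    ]
    lines = ["dn: %s" % dn, "changetype: modify"]
    for attr, value in changes:
        lines += ["replace: %s" % attr, "%s: %s" % (attr, value), "-"]
    return "\n".join(lines) + "\n"

def rename_ldif(dn, username):
    """LDIF 'modrdn' record renaming the object so its CN has no spaces."""
    if re.search(r"\s", username):
        raise ValueError("new RDN must not contain whitespace: %r" % username)
    return "dn: %s\nchangetype: modrdn\nnewrdn: CN=%s\ndeleteoldrdn: 1\n" % (dn, username)
```

Feed the output of posix_ldif() and rename_ldif() to ldapmodify exactly as in step 3; the modify record must be applied before the modrdn, because the rename changes the DN.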
