[Samba] Samba ADS on AIX 6.1 TL04

Yashpal Nagar yashnagar at gmail.com
Thu Apr 29 05:35:13 MDT 2010

On Wed, Apr 28, 2010 at 12:29 AM, William Jojo <w.jojo at hvcc.edu> wrote:
> Sorry about that. All of my package were initially 32-bit, then I offered the 64-bit code as >BETA for about 6 months, and after  some testing and feedback from users, I marked it as >production quality. The Samba Team makes no guarantees whatsoever on what I produce. >This is simply a statement of usability.
> I will remove that line from the site.

I thought some more information should be provided, which shall help
visitors clearly if  they can use 64bit samba into the production.

>>  3. After changing mehtods.cfg, user file, Is there any program need to be restarted apart from samba or server reboot?
> The most you may need to do is stop Samba and run "slibclean", then restart Samba.

I have installed samba 3.4.3, 32bit

Path: /usr/lib/objrepos
  pware53.base.rte   COMMITTED  pWare base for 5.3
  pware53.bdb.rte   COMMITTED  Berkeley DB 4.7.25
  pware53.cyrus-sasl.rte  COMMITTED  cyrus-sasl 2.1.23
  pware53.gettext.rte  COMMITTED  GNU gettext 0.17
  pware53.krb5.rte   COMMITTED  MIT Kerberos 1.7.1
  pware53.libiconv.rte  COMMITTED  GNU libiconv 1.13.1
  pware53.ncurses.rte  COMMITTED  ncurses
  pware53.openldap.rte  COMMITTED  OpenLDAP 2.4.21
  pware53.openssl.rte  COMMITTED  OpenSSL 0.9.8m
  pware53.popt.rte  COMMITTED  popt 1.10.4
  pware53.samba.rte  COMMITTED  Samba 3.4.3
  pware53.zlib.rte   COMMITTED  zlib 1.2.4

I got these errors--
[2010/04/28 10:50:44, 1] winbindd/idmap_tdb.c:445(idmap_tdb_allocate_id)
Fatal Error: GID range full!! (max: 500000)
[2010/04/28 10:50:44, 3] winbindd/idmap.c:695(idmap_new_mapping)
Could not allocate id: NT_STATUS_UNSUCCESSFUL
log.winbindd:  lookupname_recv: lookup_name() failed!
log.winbindd:  Could not lookup name for user MYGRP\USER1
log.winbindd:[2010/04/29 10:28:30,  3]
log.winbindd:  [160060]: lookupname MYGRP\USER1


Once I copied the winbind_idmap.tdb from other server like you
suggested, and keep the same idmap uid/gid range as on the server, I
could able to list SID for users. In my case wbinfo -t/-m/-p/-g works
but wbinfo -u doesn't work!. I'am not sure what is the reason, but the
same works Okay on the other server.

wbinfo -u  - returns - Error looking up domain users.
net ads users - too lists all the users but wbinfo -u doesn't.

GID range full!! - Error persists no matter, I remove all the *.tdb or
even if I change the larger GID range as well.

I used the following to create machine account.

net ads join -S DOMSERVER -Uuser_adm createcomputer="/Servers/Non
Windows Servers"

I have repated this command replacing DOMSERVER with other DC names
into the TDK.DK realm which I think has helped to keep machine account
trust OK.

My smb.conf is

workgroup = MYGRP
server string =  Samba Server
security = ADS
log level = 5
netbios name = FOO
log file = /var/log/samba/log.%m
max log size = 500
password server = *
realm = AA.DK
allow trusted domains = no
encrypt passwords = yes
client use spnego = yes
client ntlmv2 auth = yes
local master = no
domain master = no
wins server = namesrv04 namesrv03
dns proxy = no
idmap uid = 100000-999999
idmap gid = 1000000-1999999
restrict anonymous = yes
name resolve order = wins bcast
winbind enum groups = no
winbind enum users = no
winbind cache time = 300
winbind use default domain = yes

I think I was missing "client ntlmv2 auth = yes". At present I'm able
to authenticate with the AD Users, and shares are give permission
based upon AD groups which is working Ok. My question now are -

1. Since I have copied the winbind_idmap.tdb from other working
servers, will it be updating the existing and adding new SID?

2. what is reason for user lookup errors in winbindd.log, I have
noticed they only appear which one get NT_STATUS_UNSUCCESSFUL

3. User who has logged into MYGRP domain, are able to see the shares
without any prompt since they have already logged into the domain, but
those shares which they don't have access, I'm prompted for
authentication - Then I provide a valid user credentials but it
doesn't give the access to the shares, Is it normal?

Many thanks for your help!


More information about the samba mailing list