[Samba] getent doesn't list my users when using idmap_adex

Nico De Ranter nico at sonycom.com
Wed Jul 28 10:14:32 MDT 2010


I'm trying to integrate an existing linux environment with a Windows AD
environment.  All my users are already in AD with valid rfc2307
attributes defined so I need a way to authenticate my users using
username, uid, gid, shell and homedirectory from AD.  I've been using
Kerberos+LDAPs before but that requires a dummy AD user hardcoded with
username and password in /etc/ldap.conf which is making me icky.

According to the man pages it looks like idmap_adex should do the trick
for me, however I can't get things to work.  (see config files below)

Running 'wbinfo -u' does give me a the list of valid users, however
'getent passwd' waits a second after displaying the local users and then
just gives me back the command-line prompt.  

In /var/log/samba/log.winbindd-idmap I see:

[2010/07/28 18:10:01,  0] winbindd/idmap.c:201(smb_register_idmap_alloc)
  idmap_alloc module tdb already registered!
[2010/07/28 18:10:01,  0] winbindd/idmap.c:149(smb_register_idmap)
  Idmap module passdb already registered!
[2010/07/28 18:10:01,  0] winbindd/idmap.c:149(smb_register_idmap)
  Idmap module nss already registered!
[2010/07/28 18:10:01,  1] winbindd/idmap.c:580(idmap_alloc_init)
  could not find idmap alloc module adex
[2010/07/28 18:10:01,  1] winbindd/idmap_adex/likewise_cell.c:346(cell_connect_dn)
  LWI: Failled to connect to cell "dc=MY,dc=DOMAIN,dc=COM" (NT_STATUS_NO_LOGON_SERVERS)

Note that the adex module is available on the filesystem:

root at ubuntu:/var/log/samba# locate *adex*

What am I doing wrong?

Thanks in advance,



server: Windows 2008R2
client: Ubuntu 10.04 64-bit running samba 3.4.7 (I can't find any 3.5
packages for Ubuntu unfortunately)

#### /etc/samba/smb.conf

	domain master = no
	local master = no
        prefered master = no
	server signing = mandatory
	wide links = yes
	unix extensions = no
	server string = Samba Server ubuntu
	realm = MY.DOMAIN.COM
	workgroup = MY
	security = ADS
	password server = my ad servers
	encrypt passwords = yes
	guest account = nobody
	log file = /var/log/samba/samba.log
	username map = /etc/samba/user.map
	socket options = TCP_noDELAY SO_RCVBUF=8192 SO_SNDBUF=8192
	wins support = yes
	disable netbios = Yes
	dns proxy = yes
	obey pam restrictions = yes
	pam password change = yes
	winbind separator = /
	winbind use default domain = yes 
	winbind enum users = yes
	winbind enum groups = yes
	winbind nested groups = yes
	idmap backend = adex
	idmap uid = 1000-999999
	idmap gid = 999-999999
	winbind normalize names = yes
	winbind nss info = adex
 	allow trusted domains = Yes
	default service = homes
	preload = global homes
	valid users = @"MY/Domain Users"
	admin users = "MY/administrator"

#### /etc/nsswitch.conf
passwd:		compat winbind
group:		compat winbind
shadow:		compat winbind

#### /etc/pam.d/common-account
account	[success=3 new_authtok_reqd=done default=ignore]	pam_unix.so 
account	[success=2 new_authtok_reqd=done default=ignore]	pam_winbind.so 
account	[success=1 default=ignore]	pam_ldap.so 
account	requisite			pam_deny.so
account	required			pam_permit.so
account	required			pam_krb5.so minimum_uid=1000

#### /etc/pam.d/common-auth

auth	[success=4 default=ignore]	pam_krb5.so minimum_uid=1000
auth	[success=3 default=ignore]	pam_unix.so nullok_secure try_first_pass
auth	[success=2 default=ignore]	pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login try_first_pass
auth	[success=1 default=ignore]	pam_ldap.so use_first_pass
auth	requisite			pam_deny.so
auth	required			pam_permit.so
auth	optional			pam_cap.so 

With kind regards

Nico De Ranter
Senior System Administrator
Techsoft Centre

Technology and Software Centre Europe
The Corporate Village - Da Vincilaan 7-D1 - B-1935 Zaventem - Belgium

Phone:    +32 (0)2 700 8641
Fax:          +32 (0)2 700 8622
E-mail:    nico.deranter at eu.sony.com

A division of Sony Europe (Belgium) N.V.
VAT BE 0413.825.160 - RPR Brussels
Fortis - BIC GEBABEBB - IBAN BE41293037680010

The information contained in this message or any of its attachments may be confidential and is intended for the exclusive use of the addressee(s).  Any disclosure, reproduction, distribution or other dissemination or use of this communication is strictly prohibited without the express permission of the sender.  The views expressed in this email are those of the individual and not necessarily those of Sony or Sony affiliated companies.  Sony email is for business use only.

This email and any response may be monitored by Sony to be in compliance with Sony's global policies and standards

More information about the samba mailing list