[Samba] Samba 3.5.5. id-map issues with Active Directory
Andrew Lyon
andrew.lyon at gmail.com
Tue Oct 12 01:26:48 MDT 2010
On Mon, Oct 4, 2010 at 4:53 PM, Haven <haven at thehavennet.org.uk> wrote:
> It's taken a lot of fairly random experimentation but I've finally got
> configs that work under samba 3.5.5 on both Gentoo and Debian with 2008
> server. The sections in my old config that seemed to be causing the problems
> and their replacements are shown below:
I've run into the same problem trying to get 3.5.5 and 3.5.6 idmap
working in rfc2307 mode: wbinfo -u and -g return users and groups, but
wbinfo -i <user> fails. The other test I tried is:
net ads search '(|(uidNumber=*)(gidNumber=*))' objectCategory sAMAccountName uidNumber gidNumber -P
This shows that I have 3 users and 2 groups which have rfc2307
attributes. However, mapping is not working: files owned by the mapped
uid/gid do not show the username or group when listed, and users are
unable to authenticate to the Samba server.
I've noticed some errors in the winbindd log:
[2010/10/12 08:24:53.276576, 3]
winbindd/winbindd_misc.c:352(winbindd_interface_version)
[ 8296]: request interface version
[2010/10/12 08:24:53.276748, 3]
winbindd/winbindd_misc.c:385(winbindd_priv_pipe_dir)
[ 8296]: request location of privileged pipe
[2010/10/12 08:24:53.276975, 3]
winbindd/winbindd_list_users.c:58(winbindd_list_users_send)
list_users
[2010/10/12 08:24:56.764312, 3]
winbindd/winbindd_misc.c:352(winbindd_interface_version)
[ 8381]: request interface version
[2010/10/12 08:24:56.764473, 3]
winbindd/winbindd_misc.c:385(winbindd_priv_pipe_dir)
[ 8381]: request location of privileged pipe
[2010/10/12 08:24:56.794828, 3]
winbindd/winbindd_getpwnam.c:55(winbindd_getpwnam_send)
getpwnam test
[2010/10/12 08:24:56.927925, 3]
libads/ldap_schema.c:324(ads_check_posix_schema_mapping)
ads_check_posix_schema_mapping: failed STATUS_SOME_UNMAPPED
[2010/10/12 08:24:56.927999, 2]
winbindd/idmap_ad.c:185(ad_idmap_cached_connection)
ad_idmap_cached_connection: Failed to obtain schema details!
>
> Old broken:
>
> idmap backend = ad
> winbind nss info = rfc2307
>
> New working:
>
> idmap uid = 10000-20000
> idmap gid = 10000-20000
>
Doesn't that change work around the problem by disabling idmap
altogether? It may work, but the mappings will not be consistent if you
have multiple Samba servers.
Andy
> No changes were needed to my kerberos setup.
>
> I've included a copy of my current smb.conf that is working for me after
> upgrading from 3.4.8 to 3.5.5:
>
>> [global]
>>
>> workgroup = DOMAIN
>> security = ADS
>> kerberos method = system keytab
>> winbind use default domain = true
>> realm = DOMAIN.NET
>>
>> disable netbios = yes
>> name resolve order = host lmhosts
>> hosts allow = 127.0.0.1 192.168.1.0/24 93.97.246.119
>> hosts deny = 0.0.0.0/0
>>
>> password server = 192.168.1.2, 192.168.1.3, *
>>
>> idmap config DOMAIN : default = yes
>> idmap config DOMAIN : schema_mode = rfc2307
>> idmap config DOMAIN : backend = ad
>> idmap config DOMAIN : range = 10000-20000
>>
>> idmap uid = 10000-20000
>> idmap gid = 10000-20000
>>
>> winbind offline logon = yes
>> winbind nested groups = yes
>> winbind separator = +
>>
>> template homedir = /home/%U
>> template shell = /bin/bash
>> client ntlmv2 auth = yes
>> encrypt passwords = yes
>>
>> local master = no
>> domain master = no
>> preferred master = no
>> dns proxy = no
>>
>> server string = Samba Server Version %v
>>
>> socket options = TCP_NODELAY IPTOS_LOWDELAY SO_KEEPALIVE SO_RCVBUF=8192 SO_SNDBUF=8192
>>
>> # Fix character set issues:
>> # http://www.unixresources.net/linux/lf/59/archive/00/00/13/18/131896.html
>> dos charset = 850
>> unix charset = UTF-8
>
> There is still a slight discrepancy with Debian returning more groups for
> users when you type "id <user>" than Gentoo, but it appears to be a Gentoo
> error, i.e. "10005(denied rodc password replication group)". Something to
> look at another day, as auth works for now which is the main thing.
>
> Regards
>
> Simon
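The idmap settings argued over above (a per-domain `idmap config` block versus bare `idmap uid`/`idmap gid` ranges) can be checked mechanically before a second server is joined. The script below is an added example, not code from this thread or from the Samba project: it parses the idmap-related lines of an smb.conf and reports a joined domain that has no idmap backend of its own (Andy's point that locally allocated ids drift between servers), a `schema_mode` idmap_ad does not know, and per-domain ranges that overlap. The first sample is the idmap part of Simon's working config as quoted above; the other two are constructed variants (the bare-ranges replacement from the "New working" snippet, and a two-domain config with colliding ranges). That ranges of different idmap domains must not overlap is the rule from the Samba idmap documentation, not something the thread states.

```python
"""Sanity-check idmap settings in a Samba 3.x smb.conf (added example; plain text
parsing, no Samba install needed)."""
import re
from typing import Dict, List, Tuple

# Per-domain syntax: 'idmap config DOMAIN : key = value'
IDMAP_CONFIG_RE = re.compile(
    r"^idmap\s+config\s+(?P<domain>\S+)\s*:\s*(?P<key>[\w ]+?)\s*=\s*(?P<value>.+)$", re.I)
# Legacy global lines 'idmap backend/uid/gid' describe the default domain, filed under '*'
IDMAP_GLOBAL_RE = re.compile(r"^idmap\s+(?P<key>backend|uid|gid)\s*=\s*(?P<value>.+)$", re.I)
SETTING_RE = re.compile(r"^(?P<key>[\w ]+?)\s*=\s*(?P<value>.+)$")
RANGE_RE = re.compile(r"^(\d+)\s*-\s*(\d+)$")
SCHEMA_MODES = {"rfc2307", "sfu", "sfu20"}  # the values idmap_ad accepts
Settings = Dict[str, str]


def parse_smb_conf(text: str) -> Tuple[Settings, Dict[str, Settings]]:
    """Return (global settings, {idmap domain: settings}); comments and section headers are skipped."""
    globals_: Settings = {}
    domains: Dict[str, Settings] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line or line.startswith("["):
            continue
        if (m := IDMAP_CONFIG_RE.match(line)):
            domains.setdefault(m["domain"].upper(), {})[m["key"].lower()] = m["value"].strip()
        elif (m := IDMAP_GLOBAL_RE.match(line)):
            domains.setdefault("*", {})[m["key"].lower()] = m["value"].strip()
        elif (m := SETTING_RE.match(line)):
            globals_[m["key"].lower()] = m["value"].strip()
    return globals_, domains


def _add_range(dom: str, value: str, ranges: Dict[str, Tuple[int, int]], findings: List[str]) -> None:
    m = RANGE_RE.match(value)
    if not m or int(m.group(1)) >= int(m.group(2)):
        findings.append(f"{dom}: malformed or empty range {value!r}")
    else:
        ranges[dom] = (int(m.group(1)), int(m.group(2)))


def check_idmap(globals_: Settings, domains: Dict[str, Settings]) -> List[str]:
    findings: List[str] = []
    ranges: Dict[str, Tuple[int, int]] = {}
    default = domains.get("*", {})
    default_backend = default.get("backend", "tdb").lower()  # Samba's default idmap backend is tdb
    # 'idmap config X : default = yes' makes X the default domain as well, so the legacy
    # 'idmap uid/gid' range then belongs to X instead of to a separate '*' backend.
    star_is_alias = any(c.get("default", "").lower() in ("yes", "true", "1") for c in domains.values())
    star_ranges = {default[k] for k in ("uid", "gid", "range") if k in default}
    if len(star_ranges) > 1:
        findings.append("*: idmap uid and idmap gid ranges differ")
    if star_ranges and not star_is_alias:
        _add_range("*", min(star_ranges), ranges, findings)

    # The joined domain needs its own block; otherwise ids come from the default
    # backend and, with tdb, every server allocates its own.
    if globals_.get("security", "").lower() == "ads":
        wg = globals_.get("workgroup", "").upper()
        if wg and wg not in domains and default_backend == "tdb":
            findings.append(f"{wg}: no 'idmap config {wg} : ...' block; ids are allocated "
                            "locally by the tdb default backend and will differ between servers")

    for dom, cfg in sorted(domains.items()):
        if dom == "*":
            continue
        backend = cfg.get("backend", default_backend).lower()
        if backend == "tdb":
            findings.append(f"{dom}: backend tdb allocates ids locally; not consistent across servers")
        if backend == "ad" and "schema_mode" in cfg and cfg["schema_mode"].lower() not in SCHEMA_MODES:
            findings.append(f"{dom}: unknown schema_mode {cfg['schema_mode']!r}")
        if "range" in cfg:
            _add_range(dom, cfg["range"], ranges, findings)
        else:
            findings.append(f"{dom}: no range configured")

    names = sorted(ranges)  # pairwise overlap check across all domains with a usable range
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            (alo, ahi), (blo, bhi) = ranges[a], ranges[b]
            if alo <= bhi and blo <= ahi:
                findings.append(f"{a}/{b}: ranges {alo}-{ahi} and {blo}-{bhi} overlap")
    return findings


def audit(text: str) -> List[str]:
    return check_idmap(*parse_smb_conf(text))


# Sample 1: the idmap lines of Simon's working smb.conf from the thread.
WORKING_CONF = """[global]
workgroup = DOMAIN
security = ADS
idmap config DOMAIN : default = yes
idmap config DOMAIN : schema_mode = rfc2307
idmap config DOMAIN : backend = ad
idmap config DOMAIN : range = 10000-20000
idmap uid = 10000-20000
idmap gid = 10000-20000
"""
# Sample 2 (constructed): the bare 'New working' ranges with no block for the joined domain.
RANGES_ONLY_CONF = "workgroup = DOMAIN\nsecurity = ADS\nidmap uid = 10000-20000\nidmap gid = 10000-20000\n"
# Sample 3 (constructed): a second domain colliding with the first, plus an empty range.
OVERLAP_CONF = """workgroup = DOMAIN
security = ADS
idmap config DOMAIN : backend = ad
idmap config DOMAIN : schema_mode = rfc2307
idmap config DOMAIN : range = 10000-20000
idmap config TRUSTED : backend = rid
idmap config TRUSTED : range = 15000-25000
idmap config BROKEN : backend = rid
idmap config BROKEN : range = 30000-30000
"""

if __name__ == "__main__":
    for name, conf in (("working", WORKING_CONF), ("ranges only", RANGES_ONLY_CONF), ("overlap", OVERLAP_CONF)):
        print(name, "->", audit(conf) or "ok")
```

Run it against the real file with `audit(open("/etc/samba/smb.conf").read())`. The bare-ranges sample produces exactly the warning Andy raises: no `idmap config DOMAIN` block, so ids are handed out by the local tdb backend and a second server will not agree with the first.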
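The winbindd excerpt Andy pasted can be triaged with a small parser rather than by eye. This is an added example, not code from the thread or from Samba: it reads the Samba 3.x debug header format (accepting the `file.c:line(function)` location either on the header line or on the line after it, as in the paste above), keeps entries at debug level 2 or below or whose text reports a failure, and attaches a hint for the two functions seen failing here. The hint text is my summary of what those functions do, not Samba output; the sample log is the excerpt quoted above.

```python
"""Triage a winbindd debug log for idmap/schema failures (added example, not from the thread)."""
import re
from dataclasses import dataclass
from typing import List

# "[2010/10/12 08:24:53.276576, 3]" optionally followed by "file.c:NNN(function)"
HEADER_RE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+),\s*(?P<level>\d+)\]\s*(?P<loc>.*)$")
LOC_RE = re.compile(r"^(?P<file>\S+\.c):(?P<line>\d+)\((?P<func>\w+)\)\s*$")
FAILURE_RE = re.compile(r"\b(failed|error|STATUS_\w+|NT_STATUS_\w+)\b", re.I)

# Hints for the two functions that fail in the thread's log (my wording, assumption).
HINTS = {
    "ads_check_posix_schema_mapping":
        "winbind could not resolve all POSIX attribute names (uidNumber, gidNumber, ...) in the "
        "AD schema; compare 'idmap config <DOM> : schema_mode' with the schema the DC publishes",
    "ad_idmap_cached_connection":
        "idmap_ad gave up before querying any user, so no uid/gid mapping happens at all",
}


@dataclass
class Entry:
    ts: str
    level: int
    func: str = ""
    message: str = ""


def parse_winbindd_log(text: str) -> List[Entry]:
    """Group raw lines into entries: header, optional location line, then message text."""
    entries: List[Entry] = []
    cur = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        h = HEADER_RE.match(line)
        if h:
            cur = Entry(h["ts"], int(h["level"]))
            entries.append(cur)
            loc = LOC_RE.match(h["loc"])
            if loc:
                cur.func = loc["func"]
            continue
        if cur is None:  # text before the first header: nothing to attach it to
            continue
        loc = LOC_RE.match(line)
        if loc and not cur.func:  # location on its own line, as in the thread's paste
            cur.func = loc["func"]
            continue
        cur.message = f"{cur.message} {line}".strip()
    return entries


def find_failures(entries: List[Entry], max_level: int = 2) -> List[Entry]:
    """Entries at level <= max_level (Samba uses 0-2 for errors and warnings) or with failure text."""
    return [e for e in entries if e.level <= max_level or FAILURE_RE.search(e.message)]


def hint_for(entry: Entry) -> str:
    return HINTS.get(entry.func, "")


# The excerpt quoted in the thread (two-line header/location form).
SAMPLE_LOG = """
[2010/10/12 08:24:53.276576, 3]
winbindd/winbindd_misc.c:352(winbindd_interface_version)
[ 8296]: request interface version
[2010/10/12 08:24:53.276748, 3]
winbindd/winbindd_misc.c:385(winbindd_priv_pipe_dir)
[ 8296]: request location of privileged pipe
[2010/10/12 08:24:53.276975, 3]
winbindd/winbindd_list_users.c:58(winbindd_list_users_send)
list_users
[2010/10/12 08:24:56.764312, 3]
winbindd/winbindd_misc.c:352(winbindd_interface_version)
[ 8381]: request interface version
[2010/10/12 08:24:56.764473, 3]
winbindd/winbindd_misc.c:385(winbindd_priv_pipe_dir)
[ 8381]: request location of privileged pipe
[2010/10/12 08:24:56.794828, 3]
winbindd/winbindd_getpwnam.c:55(winbindd_getpwnam_send)
getpwnam test
[2010/10/12 08:24:56.927925, 3]
libads/ldap_schema.c:324(ads_check_posix_schema_mapping)
ads_check_posix_schema_mapping: failed STATUS_SOME_UNMAPPED
[2010/10/12 08:24:56.927999, 2]
winbindd/idmap_ad.c:185(ad_idmap_cached_connection)
ad_idmap_cached_connection: Failed to obtain schema details!
"""

if __name__ == "__main__":
    for e in find_failures(parse_winbindd_log(SAMPLE_LOG)):
        print(f"{e.ts} level {e.level} {e.func}: {e.message}\n    -> {hint_for(e)}")
```

Point it at a real file with `parse_winbindd_log(open("/var/log/samba/log.winbindd").read())`; the level filter is what makes this useful at `log level = 3`, where the two failure entries are buried among routine pipe-setup chatter like the six entries that precede them above.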