[Samba] Samba 3.5.5. id-map issues with Active Directory

Haven haven at thehavennet.org.uk
Thu Sep 30 07:42:47 MDT 2010 

  To fix this issue on Debian I have rolled back to 3.4.8 using the 
following cached deb files:
> libwbclient0_2%3a3.4.8~dfsg-2_amd64.deb  
> samba-common_2%3a3.4.8~dfsg-2_all.deb        
> smbclient_2%3a3.4.8~dfsg-2_amd64.deb
> samba_2%3a3.4.8~dfsg-2_amd64.deb         
> samba-common-bin_2%3a3.4.8~dfsg-2_amd64.deb  
> winbind_2%3a3.4.8~dfsg-2_amd64.deb

This has fixed the issue but I'm no closer to discovering what 
exactly is broken which is very unsatisfying.

To be sure that its not just a Debian issue I recompiled from source 
on Debian and also tested on Gentoo (using 3.5.5) with the same results.

Is anyone aware of any changes in 3.5.5 that would cause this using 
my config from the original post ?

Regards

Simon

On 09/28/10 12:18, Haven wrote:
>  Hi,
>
> I'm running Debian Squeeze on a few machines that are all 
> authenticating to a pair of Windows 2008 servers. After upgrading 
> to samba 3.5.5 from 3.4.8 idmap has stopped resolving which is 
> preventing user authentication on these boxes. The boxes that have 
> been left at 3.4.8 continue to work fine.
>
> On the 3.5.5 boxes wbinfo and net ads show lists of users and 
> groups without issue yet id is not able to map uid's any more.
>
> nsswitch.conf is using:
>> passwd:     files winbind
>> group:      files winbind
>> shadow:     files winbind
>
> I can successfully connect the affected servers to the AD domain 
> using net ads join and the keytab also generates fine.
>
> I have included my smb.conf below and will happily provide any 
> details that will help.
>
> Many thanks for your time.
>
> Regards
>
> Simon
>
>> [global]
>>
>> # Debuging domain auth issues:
>> debug level = 10
>>
>> workgroup = DOMAIN
>> security = ads
>> kerberos method = system keytab
>> winbind use default domain = true
>> realm = DOMAIN.NET
>>
>> disable netbios = yes
>> name resolve order = host lmhosts
>> hosts allow = 127.0.0.1 192.168.1.0/24 93.97.246.119
>> hosts deny = 0.0.0.0/0
>>
>> password server = 192.168.1.2, 192.168.1.3, *
>>
>> idmap config DOMAIN:default = yes
>> idmap config DOMAIN:schema_mode = rfc2307
>> idmap config DOMAIN:backend = ad
>> idmap config DOMAIN:range = 10000-20000
>>
>> idmap backend = ad
>> winbind offline logon = yes
>> winbind nested groups = yes
>> winbind separator = +
>> winbind cache time = 3600
>> winbind enum users = Yes
>> winbind enum groups = Yes
>> winbind nested groups = Yes
>> winbind nss info = rfc2307
>>
>> template homedir = /home/%U
>> template shell = /bin/bash
>> client ntlmv2 auth = yes
>> encrypt passwords = true
>>
>> local master = no
>> domain master = no
>> preferred master = no
>> dns proxy = no
>>
>> server string = Samba Server Version %v
>>
>> socket options = TCP_NODELAY IPTOS_LOWDELAY SO_KEEPALIVE 
>> SO_RCVBUF=8192 SO_SNDBUF=8192
>>
>> # Fix character set issues:
>> # 
>> http://www.unixresources.net/linux/lf/59/archive/00/00/13/18/131896.html 
>>
>> dos charset = 850
>> unix charset = UTF-8
>

More information about the samba mailing list