[Samba] SOLVED Re: samba 3.5.4 winbind rfc2307

Jay Coleman jay.coleman at cctechnol.com
Mon Apr 18 08:39:37 MDT 2011


Found the answer, wanted to post it for other folks to find.  Note 
https://bugzilla.samba.org/show_bug.cgi?id=6322 that this is a known 
little detail.

Basically, if the tdb range and the ad range are non-exclusive, it 
doesn't query the AD.  Solution is to separate the ranges:

     idmap backend = tdb
     idmap uid = 100000-165000
     idmap gid = 100000-165000
     idmap config FOO:backend = ad
     idmap config FOO:default = yes
     idmap config FOO:schema mode = rfc2307
     idmap config FOO:range = 1000-66000


Jay

On 04/15/2011 05:03 PM, Jay Coleman wrote:
>
> Hi,
>
> We recently updated our domain to 2008R2 servers from 2000.
>
> I know the services for unix changed from the proprietary setup in 
> 2000 to rfc2307 compliant around 2003 R2
>
> I've updated samba to 3.5.4 (apparently most earlier versions don't 
> play well with the changes in AD), and gotten things essentially 
> working.  The problem is users created since the old 2000 servers have 
> been retired.
>
> Users with the old msSFU info in the schema work fine, users without 
> that info fail.
>
> smb.conf:
> [global]
>
>         workgroup = BLAH
>         realm = BLAH.NOWHERE.COM
>         password server = styx.blah.nowhere.com, aurora.blah.nowhere.com
>         security = ADS
>         netbios name = HECTOR
>         local master = No
>         domain master = No
>     idmap backend = tdb
>     idmap domains = BLAH
>     idmap config BLAH:backend = ad
>     idmap config BLAH:schema mode = rfc2307
>     idmap config BLAH:range = 1000-100000
>         inherit acls = Yes
>         map acl inherit = Yes
>         idmap uid = 1000 - 100000
>         idmap gid = 1000 - 100000
>         winbind separator = +
>         winbind nss info = rfc2307 template
>         winbind nested groups = Yes
>         winbind use default domain = Yes
>     winbind refresh tickets = Yes
>         winbind enum users = No
>         winbind enum groups = No
>         winbind offline logon = true
>         template shell = /bin/bash
>     template homedir = /home/%U
>
> I've tried both sfu and rfc2307, no difference.  I've tried enum users 
> and groups both on and off, no difference.
>
> For an example, if I do a wbinfo -i on one of the older accounts (with 
> both msSFU and rfc2307 info in the schema, confirmed by ldapsearch), I 
> get correct response, no problem.  When I do a wbinfo -i on a new 
> account, I get
> [2011/04/15 18:52:44.737596,  1] 
> winbindd/idmap_ad.c:651(idmap_ad_sids_to_unixids)
>   Could not get unix ID
> in the winbindd-idmap log
>
> Oddly, on that same user I can't get wbinfo -i, if I do
> wbinfo -n name
> (SID)
> wbinfo -S (SID)
> it gives me the UID
>
> Ideas?
>
> Thanks
>

-- 
Jeremiah Coleman
Systems Administrator
C & C Technologies
337-735-3741
Extension 3421
jay.coleman at cctechnol.com
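
As an added example (not from this thread), a small Python check that parses the idmap range settings out of an smb.conf fragment and reports any per-domain range that intersects the default tdb range, the overlap that stopped winbind from querying AD above. The two sample configs are constructed from the ones in this thread; the parser also accepts the newer `idmap config * : range` spelling of the default range, which is an assumption beyond the 3.5.4 syntax shown here.

```python
import re

# Constructed sample: the overlapping layout from the original post.
BROKEN_CONF = """
[global]
    idmap backend = tdb
    idmap uid = 1000 - 100000
    idmap gid = 1000 - 100000
    idmap config BLAH:backend = ad
    idmap config BLAH:range = 1000-100000
"""

# Constructed sample: the separated ranges from the fix.
FIXED_CONF = """
[global]
    idmap backend = tdb
    idmap uid = 100000-165000
    idmap gid = 100000-165000
    idmap config FOO:backend = ad
    idmap config FOO:range = 1000-66000
"""

RANGE_RE = re.compile(r"^\s*(\d+)\s*-\s*(\d+)\s*$")


def parse_idmap_ranges(conf_text):
    """Map '*' (default/tdb range) and each DOMAIN to an inclusive (lo, hi) tuple."""
    ranges = {}
    for line in conf_text.splitlines():
        key, sep, value = line.partition("=")
        m = RANGE_RE.match(value) if sep else None
        if not m:
            continue  # not a "name = lo-hi" line
        lo, hi = int(m.group(1)), int(m.group(2))
        key = re.sub(r"\s*:\s*", ":", key.strip().lower())
        if key in ("idmap uid", "idmap gid"):
            # uid and gid share the tdb allocator; widen '*' to cover both
            cur = ranges.get("*", (lo, hi))
            ranges["*"] = (min(cur[0], lo), max(cur[1], hi))
        elif key.startswith("idmap config ") and key.endswith(":range"):
            ranges[key[len("idmap config "):-len(":range")].upper()] = (lo, hi)
    return ranges


def overlapping_ranges(ranges):
    """Return sorted (a, b) name pairs whose ID ranges intersect (inclusive bounds)."""
    names = sorted(ranges)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if ranges[a][0] <= ranges[b][1] and ranges[b][0] <= ranges[a][1]]
```

Run `overlapping_ranges(parse_idmap_ranges(open("/etc/samba/smb.conf").read()))` against a live config; an empty list means every domain range is disjoint from the default one.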