[Samba] idmap troubles with any version 3.30 or later

Jim Stalewski JStalewski at VisaLighting.com
Thu Jan 20 13:04:11 MST 2011

Hello list.

The issue I have is that with the changes made to the idmap
functionality of winbind, as regards the enumeration of rfc2307 users
and groups using getent passwd and getent group, only those AD users
that are not in the domains included in the "idmap config (domain)"
statements (the ones in trusted domains that get their ID mappings
auto-assigned by the TDB backend with id's in the idmap uid / gid
ranges) get enumerated.  The ones that have the RFC2307 attributes
defined within the idmap group (domain) range statements will return
their uid/gid/homedir/shell info only if you specify "getent passwd
(username)" but they do not enumerate with a "getent passwd."  Same with
getent group (groupname) vs getent group.

I have had to create the symlinks in /usr/lib and /usr/lib64 for the
/lib/nss_winbind.so.2, /lib/nss_wins.so.2, /lib64/nss_winbind.so.2 and
/lib64/nss_wins.so.2 libs manually because the installer did not create
them for me, and until I did so, getent passwd and getent group only
displayed the local /etc/passwd and /etc/group entries.

Question - are there any other symlinks that should be created for any
other aspect of the nss idmap functionality that may not have been
created by the install process, that would be breaking the user / group
enumeration functionality of nss_winbind.so, and if so, what libs need
to be symlinked to which folders using what names?

I have tried version 3.3x, 3.4.3 and 3.5.4 all with the same lack of
results from getent passwd and getent group but it functioned properly
under 3.2.7, so it can't be

Thanks in advance,


This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the sender and delete it. Please note that any views or opinions presented in this email are solely those of the author and do not necessarily represent those of the company. 
No employee or agent is authorized to conclude any binding agreement on behalf of Visa Lighting with another party by email without express written confirmation by an authorized representative of the Company.
Finally, the recipient should check this email and any attachments for the presence of viruses. The company accepts no liability for any damage caused by any virus transmitted by this email. 

More information about the samba mailing list