[Samba] How can I confirm that idmap_ad is being used?
lanz at stanford.edu
Fri May 20 17:56:35 MDT 2011
On May 18, 2011, at 12:00 AM, Zabel, Daniel wrote:
>> I've looked at that file; it's empty. (Not a single entry.) I run
>> my tests with "winbindd -n -d 10 -D".
> Try to add to your smb.conf:
> log level = 3 idmap:10 winbind:10
> to force idmap Logging also to Debuglevel 10.
I've discovered that Samba is writing to log files under /usr/local/samba/var,
as well as to files under /var/log/samba. (Why is it doing
In smb.conf it is told to put log files in /var/log/samba.) Anyway,
now I can see that idmap_ad is being called and is making log entries at
debug level 10.
This enabled me to see that my "idmap config SU : range" settings were
wrong -- I was filtering out values I wanted to see. Once I set the
ranges correctly, "wbinfo -S" started to work. (I can now map a user
SID to the correct Unix numerical UID.) The other wbinfo mappings
still fail: U, G, and Y.
> Did "net ads testjoin" and "net ads info" work?
Yes, both these commands work.
> nsswitch.conf is important!
> Should look like this:
> passwd: files winbind
> group: files winbind
I've configured my nsswitch.conf like this, but it made no difference.
> These winbind-relevant settings I also have in my config
> winbind nss info = rfc2307 template
> winbind normalize names = yes
> winbind use default domain = yes
> winbind offline logon = yes
> winbind cache time = 180
> winbind enum users = yes
> winbind enum groups = yes
> winbind nested groups = yes
> winbind trusted domains only = no
Thanks; I altered my config to match these settings, but again, it
didn't affect my wbinfo tests.
> On May 17, 2011, at 5:50 AM, Zabel, Daniel wrote:
>> Have a look at:
> I've looked at that file; it's empty. (Not a single entry.) I run my
> tests with "winbindd -n -d 10 -D".
>> Also have a look at:
> Now, this is interesting! The problem Edgar Holleis describes sounds
> exactly like the one I am facing. See my post to the Samba mailing
> list, "Winbindd can't convert between SIDs and uid/gid". Edgar said:
>> Winbind correctly resolves:
>> User-Name->SID (wbinfo -n), Group-Name->SID (wbinfo -s)
>> What doesn't work:
>> SID->UID (wbinfo -S), UID->SID (wbinfo -U), SID->GID (wbinfo -Y),
>> GID->SID (wbinfo -G)
> (Except, "wbinfo -s" is SID->User-name, the reverse of "wbinfo -n",
> not Group-Name->SID as Edgar wrote...) That's the same pattern of
> success and failure I get in my wbinfo tests.
> So, how does one go from Edgar's bug report, with 4 failing wbinfo
> queries, to your comment, "wbinfo resolves everything correctly"?
> I'm running samba-3.5.8 on OpenSolaris.
> Following Michael Adam's example, I tried the following in my
> idmap backend = tdb
> idmap uid = 50000 - 99999
> idmap gid = 50000 - 99999
> idmap config SU : backend = ad
> idmap config SU : schema_mode = rfc2307
> idmap config SU : range = 10000 - 29999
> idmap config WIN : backend = ad
> idmap config WIN : schema_mode = rfc2307
> idmap config WIN : range = 30000 - 49999
> Note the disjoint ranges for each domain. I still get the same
> failures with wbinfo S, U, G, and Y. It seems I'm still missing
> something, since our wbinfo doesn't "resolve everything correctly".
> Is nsswitch.conf important, perhaps? It doesn't seem to make any
> difference whether I add "winbind" to the passwd and group lines or
> not. Is that expected?
> Kai Lanz
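An added check for the range mistake Kai describes above (this is example code, not from the thread or from Samba): it parses the "idmap config <dom> : range" lines from a constructed smb.conf fragment built from the thread's own values, reports domain ranges that overlap, and tells whether a given AD uidNumber/gidNumber would be accepted for a domain, since idmap_ad filters out any value outside that domain's range and the wbinfo -S/-U/-G/-Y lookups then fail for that object. The fragment and the sample ID numbers are constructed.

```python
"""Check Samba idmap_ad ranges against the uidNumber/gidNumber values held in AD."""
import re

# Constructed smb.conf fragment using the ranges quoted in the thread.
SMB_CONF = """
[global]
    idmap backend = tdb
    idmap uid = 50000 - 99999
    idmap gid = 50000 - 99999
    idmap config SU : backend = ad
    idmap config SU : schema_mode = rfc2307
    idmap config SU : range = 10000 - 29999
    idmap config WIN : backend = ad
    idmap config WIN : schema_mode = rfc2307
    idmap config WIN : range = 30000 - 49999
"""

# Matches lines of the form "idmap config <DOMAIN> : range = <low> - <high>".
RANGE_RE = re.compile(
    r"^\s*idmap config\s+(\S+)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)\s*$", re.I)


def parse_ranges(conf):
    """Return {DOMAIN: (low, high)} for every per-domain idmap range line."""
    ranges = {}
    for line in conf.splitlines():
        m = RANGE_RE.match(line)
        if m:
            ranges[m.group(1).upper()] = (int(m.group(2)), int(m.group(3)))
    return ranges


def overlapping_domains(ranges):
    """Pairs of domains whose ranges intersect; per-domain ranges must be disjoint."""
    doms = sorted(ranges)
    return [(a, b) for i, a in enumerate(doms) for b in doms[i + 1:]
            if ranges[a][0] <= ranges[b][1] and ranges[b][0] <= ranges[a][1]]


def check_id(ranges, domain, number):
    """True if an rfc2307 uidNumber/gidNumber lies inside the domain's idmap range.

    A value outside the range is silently filtered by idmap_ad, which is the
    symptom seen in the thread: wbinfo -S/-U/-G/-Y fail although -n/-s work.
    """
    if domain.upper() not in ranges:
        raise ValueError("no 'idmap config %s : range' line configured" % domain)
    low, high = ranges[domain.upper()]
    return low <= number <= high
```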