[Samba] How can I confirm that idmap_ad is being used?

Kai Lanz lanz at stanford.edu
Fri May 20 17:56:35 MDT 2011


On May 18, 2011, at 12:00 AM, Zabel, Daniel wrote:

>> I've looked at that file; it's empty. (Not a single entry.) I run  
>> my tests with "winbindd -n -d 10 -D".
> Try to add to your smb.conf:
> log level = 3 idmap:10 winbind:10
> to force idmap logging also to debug level 10.

I've discovered that Samba is writing to log files under /usr/local/samba/var,
as well as to files under /var/log/samba. (Why is it doing that? In smb.conf
it is told to put log files in /var/log/samba.) Anyway, now I can see that
idmap_ad is being called and is making log entries at debug level 10.

This enabled me to see that my "idmap config SU : range" settings were  
wrong -- I was filtering out values I wanted to see. Once I set the
ranges correctly, "wbinfo -S" started to work. (I can now map a user  
SID to the correct Unix numerical UID.) The other wbinfo mappings
still fail: U, G, and Y.

> Did "net ads testjoin" and "net ads info" work?

Yes, both these commands work.

> nsswitch.conf is important!
> Should look like this:
> passwd:    files winbind
> group:     files winbind

I've configured my nsswitch.conf like this, but it made no difference.

> These winbind-relevant settings I also have in my config:
>        winbind nss info = rfc2307 template
>        winbind normalize names = yes
>        winbind use default domain = yes
>        winbind offline logon = yes
>        winbind cache time = 180
>        winbind enum users = yes
>        winbind enum groups = yes
>        winbind nested groups = yes
>        winbind trusted domains only = no

Thanks; I altered my config to match these settings, but again, it  
didn't affect my wbinfo tests.

Kai Lanz

> On May 17, 2011, at 5:50 AM, Zabel, Daniel wrote:
>> Have a look at:
>> log.winbindd-idmap
> I've looked at that file; it's empty. (Not a single entry.) I run my  
> tests with "winbindd -n -d 10 -D".
>> Also have a look at:
>> https://bugzilla.samba.org/show_bug.cgi?id=6322
> Now, this is interesting! The problem Edgar Holleis describes sounds  
> exactly like the one I am facing. See my post to the Samba mailing  
> list, "Winbindd can't convert between SIDs and uid/gid". Edgar said:
>> Winbind correctly resolves:
>> User-Name->SID (wbinfo -n), Group-Name->SID (wbinfo -s)
>> What doesn't work:
>> SID->UID (wbinfo -S), UID->SID (wbinfo -U), GID (wbinfo -Y), GID->UID
>> SID->(wbinfo -G)
> (Except, "wbinfo -s" is SID->User-name, the reverse of "wbinfo -n",  
> not Group-Name->SID as Edgar wrote...) That's the same pattern of  
> success and failure I get in my wbinfo tests.
> So, how does one go from Edgar's bug report, with 4 failing wbinfo  
> queries, to your comment, "wbinfo resolves everything correctly"?  
> I'm running samba-3.5.8 on OpenSolaris.
> Following Michael Adam's example, I tried the following in my  
> smb.conf:
>    idmap backend = tdb
>    idmap uid = 50000 - 99999
>    idmap gid = 50000 - 99999
>    idmap config SU : backend = ad
>    idmap config SU : schema_mode = rfc2307
>    idmap config SU : range = 10000 - 29999
>    idmap config WIN : backend = ad
>    idmap config WIN : schema_mode = rfc2307
>    idmap config WIN : range = 30000 - 49999
> Note the disjoint ranges for each domain. I still get the same  
> failures with wbinfo S, U, G, and Y. It seems I'm still missing  
> something, since our wbinfo doesn't "resolve everything correctly".  
> Is nsswitch.conf important, perhaps? It doesn't seem to make any  
> difference whether I add "winbind" to the passwd and group lines or  
> not. Is that expected?
> --
> Kai Lanz
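A small check for the range mistake described above (an added example, not code from this thread or from Samba): it parses the "idmap uid/gid" and "idmap config DOMAIN : range" lines of an smb.conf into a table, reports any two ranges that overlap, and lists which uidNumber/gidNumber values a domain's range would filter out, which is the silent failure Kai hit before he widened the SU range. The smb.conf text and the uidNumber values are constructed for the example; only the range syntax quoted in the thread is assumed.

```python
import re

# Constructed sample smb.conf fragment (not the poster's real file). It copies
# the layout quoted in the thread: a tdb default backend plus two AD domains
# with disjoint ranges.
SAMPLE_SMB_CONF = """\
[global]
   workgroup = SU
   security = ads
   idmap backend = tdb
   idmap uid = 50000 - 99999
   idmap gid = 50000 - 99999
   idmap config SU : backend = ad
   idmap config SU : schema_mode = rfc2307
   idmap config SU : range = 10000 - 29999
   idmap config WIN : backend = ad
   idmap config WIN : schema_mode = rfc2307
   idmap config WIN : range = 30000 - 49999
"""

_DOMAIN_RANGE = re.compile(
    r"^\s*idmap\s+config\s+(\S+)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)\s*$", re.I)
_DEFAULT_RANGE = re.compile(
    r"^\s*idmap\s+(uid|gid)\s*=\s*(\d+)\s*-\s*(\d+)\s*$", re.I)


def parse_idmap_ranges(conf_text):
    """Return {label: (low, high)} for every idmap range in the config.

    Per-domain ranges are keyed by domain name (e.g. "SU"); the default
    backend's ranges are keyed "default uid" / "default gid".
    """
    ranges = {}
    for line in conf_text.splitlines():
        m = _DOMAIN_RANGE.match(line)
        if m:
            label = m.group(1)
        else:
            m = _DEFAULT_RANGE.match(line)
            if not m:
                continue
            label = "default " + m.group(1).lower()
        low, high = int(m.group(2)), int(m.group(3))
        if low > high:
            raise ValueError(f"{label}: range {low}-{high} is inverted")
        if label in ranges:
            raise ValueError(f"{label}: range defined twice")
        ranges[label] = (low, high)
    return ranges


def find_overlaps(ranges):
    """Return sorted (label_a, label_b) pairs whose ranges intersect.

    The default uid and gid ranges are allowed to coincide, so that pair is
    skipped; any other overlap means two domains (or a domain and the default
    backend) could hand out the same Unix id for different SIDs.
    """
    labels = sorted(ranges)
    overlaps = []
    for i, a in enumerate(labels):
        for b in labels[i + 1:]:
            if a.startswith("default ") and b.startswith("default "):
                continue
            (alo, ahi), (blo, bhi) = ranges[a], ranges[b]
            if alo <= bhi and blo <= ahi:
                overlaps.append((a, b))
    return overlaps


def ids_outside_range(ranges, domain, id_numbers):
    """Return the ids from id_numbers that the domain's range would filter out.

    idmap_ad only returns a uidNumber/gidNumber that lies inside the configured
    range; a value outside it is dropped, so the SID lookup fails with no
    obvious error unless idmap logging is turned up.
    """
    low, high = ranges[domain]
    return [n for n in id_numbers if not low <= n <= high]


if __name__ == "__main__":
    table = parse_idmap_ranges(SAMPLE_SMB_CONF)
    for label, (lo, hi) in sorted(table.items()):
        print(f"{label:12s} {lo:6d} - {hi:6d}")
    print("overlaps:", find_overlaps(table) or "none")
    # Constructed uidNumber values, as if read from AD for domain SU.
    print("filtered out of SU:", ids_outside_range(table, "SU", [12000, 31500]))
```

Run it against a copy of the real smb.conf by replacing SAMPLE_SMB_CONF with the file's contents; a uidNumber that shows up as "filtered out" is exactly the case where "wbinfo -S" returns nothing even though the AD lookup itself succeeded.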
