[Samba] Issues With User Info and Authentication

Wojtak, Greg GregWojtak at quickenloans.com
Thu Sep 1 07:11:31 MDT 2011


I'm new to the list and hope this is the appropriate place to post this
type of question.  We've got our environment set up where all of our Unix
and Linux hosts get user information and perform authentication against an
LDAP directory.  I am working on a project to migrate these hosts to
instead authenticate against our Active Directory environment (Win 2k8
R2).  So far, I've been able to get direct LDAP authentication working
against AD, but I'd like to use winbind instead.  I've been working with
our CentOS Linux hosts first.  Since the POSIX attributes are already
populated on the AD objects (the ones that need them, anyways), I'd like
to configure winbind to pull that information from AD where available.
CentOS 5 (samba 3.0.33) seems to work as advertised; I'm able to join the
domain and get user information just fine.  CentOS 6, however, is giving
me fits.  The samba packages installed are version 3.5.4.

Here is the data I've observed:
 - Joining to domain works properly
 - wbinfo -u brings back a full list of all domain users
 - wbinfo -g brings back a full list of all domain groups
 - wbinfo -n testerx returns the appropriate SID
 - wbinfo -U <numeric uid> returns the same SID
 - wbinfo -S <SID> returns the appropriate numeric uid
 - wbinfo -i  testerx returns 'Could not get info for user testerx'
 - getent passwd returns only local accounts
- getent group returns only local groups
- I've verified that winbind is in the nsswitch.conf

I've got the following in my [global] section in my smb.conf:

workgroup = MYDOMAIN
password server = mydc.mydomain.com
security = ads
   idmap backend = ad
   idmap uid = 1000-2147483647
   idmap gid = 1000-2147483647
   idmap domains = MYDOMAIN
   idmap config MYDOMAIN:backend = ad
   idmap config MYDOMAIN:range = 1000-2147483647
   idmap config MYDOMAIN:schema_mode = rfc2307
   idmap config MYDOMAIN:readonly = yes
   winbind nss info = rfc2307
   template shell = /bin/bash
winbind use default domain = yes
   winbind offline logon = true
   winbind enum users = yes
   winbind enum groups = yes
   winbind nested groups = no
   encrypt passwords = yes
   log level = 7 passdb:2 auth:10 winbind:10 tdb:10 idmap:10
   winbind trusted domains only = no
   client use spnego = yes
   allow trusted domains = no

I've tried (rather randomly) changing some of the values of the latter
entries as well as the value of the idmap backend parameter to use tdb
while specifying the config for MYDOMAIN to use ad backend.  I'm rather
stumped at this point.  I've Googled around and it seems I'm not the only
one having issues, but nobody seems to have posted a solution.

Does anyone have any ideas?  Am I hitting a bug in the Cent 6 package that
has nothing to do with my config?  Is there something potentially screwy
with AD (I've mostly ruled this possibility out due to the fact that the
Cent 5 hosts are working fine)?

Any help is appreciated!



More information about the samba mailing list