[Samba] Can't get idmap connected to AD unix attribs

Rowland Penny rpenny at f2s.com
Wed Jul 11 08:05:42 MDT 2012


On 11/07/12 01:57, Nick Triantos wrote:
> Thanks Robert.
>
> I've tried switching over to the AD back-end (which does sound like what I want), but I still receive only the errors:
>     failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
>
> I restarted both winbind and smbd after changing the config. Is there some cache I have to flush, or some other config that needs to be changed beyond the settings in smb.conf?
>
> thanks again!
> -Nick
>
> My updated smb.conf:
>
>     workgroup = CORP
>     security = ADS
>     #password server = 192.168.77.251
>     realm = CORP.MYCOMPANY.COM
>     allow trusted domains = yes
>     winbind use default domain = yes
>     winbind nested groups = YES
>     idmap config CORP : backend = ad
>     idmap config CORP : default = yes
>     idmap config CORP : schema_mode = rfc2307
>     idmap config CORP : range = 800 - 99999
>
>
> On Jul 10, 2012, at 7:27 AM, Robert Freeman-Day wrote:
>
>> Nick,
>>
>> I think what you may be looking for is the ad backend:
>>
>> https://www.samba.org/samba/docs/man/manpages-3/idmap_ad.8.html
>>
>> Since you are using tdb in your config, it is using a local database
>> and allocates UID/GIDs on the fly...first come, first served.  So a
>> user may not get the same UID from one machine to the next.
>>
>> Robert
>>
>> On 07/10/2012 12:20 AM, Nick Triantos wrote:
>>> Hi,
>>>
>>> I'm trying to get an Ubuntu 12.04 system's Samba (3.6.3) and
>>> Winbind to map userids and groups to the unix attributes in an AD
>>> 2008 server. I can see that when I perform an ldapsearch, I'm able
>>> to read the attributes, and for one of my accounts, the id should
>>> be 1001. However, when I run 'wbinfo -i<username>', I get back
>>> something like 920.
>>>
>>> At one point, I was setting the idmap range to start at 900, but
>>> I've since removed that from my config, and restarted winbindd and
>>> smbd. I've also tried to 'net cache flush'.
>>>
>>> I also see wbinfo -i<someuser>  usually returns: failed to call
>>> wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND Could not get info for user
>>> <someuser>
>>>
>>> The relevant parts of my smb.conf are below. I've tried patching
>>> this together from various tuts and help pages. Any guidance would
>>> be very helpful.
>>>
>>> thanks! -Nick
>>>
>>>     [global]
>>>     workgroup = CORP
>>>     security = ADS
>>>     password server = 192.168.77.251
>>>     realm = CORP.MYCOMPANY.COM
>>>     allow trusted domains = yes
>>>     winbind use default domain = yes
>>>     winbind nested groups = YES
>>>     idmap config CORP : backend = tdb
>>>     idmap config CORP : default = yes
>>>     idmap config CORP : schema_mode = rfc2307
>>>     idmap config CORP : range = 1000 - 9999
>>>     idmap config * : backend = tdb
>>>     encrypt passwords = true
>>>     obey pam restrictions = yes
>>>     client use spnego = yes
>>>     client ntlmv2 auth = yes
>>>     encrypt passwords = true
>>>     restrict anonymous = 2
>>>     unix password sync = yes
>>>     winbind enum groups = yes
>>>     winbind enum users = yes
>>>     winbind nss info = rfc2307
>>>
>>>
>>
>> --
>> ________
>>
>> Robert Freeman-Day
>>
>> https://launchpad.net/~presgas
>> GPG Public Key:
>> http://keyserver.ubuntu.com:11371/pks/lookup?op=get&search=0xBA9DF9ED3E4C7D36
>>
>>
Hi, just a thought, have you added the RFC2307 uid/gid values to your
users on the AD server? If you haven't, there will be nothing to find
and it may throw the error that you are getting.

Rowland
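
The check suggested above, as an added example that is not part of the original thread: it reads the `idmap config CORP : range` line from an smb.conf fragment and flags accounts in ldapsearch-style LDIF whose uidNumber/gidNumber are missing or fall outside that range, which the ad backend treats as a filter. The smb.conf fragment, the LDIF entries and the function names are constructed for illustration; multi-line and base64 LDIF values are not handled.

```python
import re

# Constructed sample inputs (not from the thread): smb.conf fragment and ldapsearch-style LDIF.
SMB_CONF = """\
[global]
    idmap config CORP : backend = ad
    idmap config CORP : range = 800 - 99999
"""
LDIF = """\
dn: CN=alice,CN=Users,DC=corp,DC=example,DC=com
sAMAccountName: alice
uidNumber: 1001
gidNumber: 1000

dn: CN=bob,CN=Users,DC=corp,DC=example,DC=com
sAMAccountName: bob

dn: CN=carol,CN=Users,DC=corp,DC=example,DC=com
sAMAccountName: carol
uidNumber: 500
gidNumber: 1000
"""
ATTRS = ("uidNumber", "gidNumber")  # the RFC2307 uid/gid values on each user

def idmap_range(conf, domain):
    """Return (low, high) from 'idmap config DOMAIN : range = low - high'."""
    pat = rf"^\s*idmap config {re.escape(domain)}\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)"
    m = re.search(pat, conf, re.MULTILINE | re.IGNORECASE)
    if not m:
        raise ValueError(f"no idmap range configured for {domain}")
    return int(m.group(1)), int(m.group(2))

def parse_ldif(ldif):
    """Yield one {attribute: value} dict per blank-line-separated entry."""
    for block in re.split(r"\n\s*\n", ldif.strip()):
        yield dict(line.split(": ", 1) for line in block.splitlines() if ": " in line)

def audit(conf, ldif, domain):
    """Map each account name to 'ok' or to why its uid/gid values are unusable."""
    low, high = idmap_range(conf, domain)
    report = {}
    for entry in parse_ldif(ldif):
        name = entry.get("sAMAccountName", entry.get("dn", "?"))
        bad = [f"{a} missing" if a not in entry else f"{a} {entry[a]} outside {low}-{high}"
               for a in ATTRS if a not in entry or not low <= int(entry[a]) <= high]
        report[name] = "; ".join(bad) or "ok"
    return report

if __name__ == "__main__":
    print(audit(SMB_CONF, LDIF, "CORP"))
```
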

