[Samba] Can't get idmap connected to AD unix attribs

Rowland Penny rpenny at f2s.com
Wed Jul 11 11:50:36 MDT 2012


On 11/07/12 17:38, Nick Triantos wrote:
> Hi Rowland,
>
> Yes, I've added their unix attributes.
>
> It looks like there is a long-open bug in winbind/samba 3.6.x that may be causing the error below (https://bugzilla.samba.org/show_bug.cgi?id=8676). I'm now stuck behind that so I'm trying to downgrade to 3.5.x.
>
> regards,
> -Nick
>
> On Jul 11, 2012, at 7:05 AM, Rowland Penny wrote:
>
>> On 11/07/12 01:57, Nick Triantos wrote:
>>> Thanks Robert.
>>>
>>> I've tried switching over to the AD back-end (which does sound like what I want), but I still receive only the errors:
>>>     failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
>>>
>>> I restarted both winbind and smbd after changing the config. Is there some cache I have to flush, or some other config that needs to be changed beyond the settings in smb.conf?
>>>
>>> thanks again!
>>> -Nick
>>>
>>> My updated smb.conf:
>>>
>>>     workgroup = CORP
>>>     security = ADS
>>>     #password server = 192.168.77.251
>>>     realm = CORP.MYCOMPANY.COM
>>>     allow trusted domains = yes
>>>     winbind use default domain = yes
>>>     winbind nested groups = YES
>>>     idmap config CORP : backend = ad
>>>     idmap config CORP : default = yes
>>>     idmap config CORP : schema_mode = rfc2307
>>>     idmap config CORP : range = 800 - 99999
>>>
>>>
>>> On Jul 10, 2012, at 7:27 AM, Robert Freeman-Day wrote:
>>>
>>>> Nick,
>>>>
>>>> I think what you may be looking for is the ad backend:
>>>>
>>>> https://www.samba.org/samba/docs/man/manpages-3/idmap_ad.8.html
>>>>
>>>> Since you are using tdb in your config, it is using a local database
>>>> and allocates UID/GIDs on the fly...first come, first served.  So a
>>>> user may not get the same UID from one machine to the next.
>>>>
>>>> Robert
>>>>
>>>> On 07/10/2012 12:20 AM, Nick Triantos wrote:
>>>>> Hi,
>>>>>
>>>>> I'm trying to get an Ubuntu 12.04 system's Samba (3.6.3) and
>>>>> Winbind to map userids and groups to the unix attributes in an AD
>>>>> 2008 server. I can see that when I perform an ldapsearch, I'm able
>>>>> to read the attributes, and for one of my accounts, the id should
>>>>> be 1001. However, when I run 'wbinfo -i <username>', I get back
>>>>> something like 920.
>>>>>
>>>>> At one point, I was setting the idmap range to start at 900, but
>>>>> I've since removed that from my config, and restarted winbindd and
>>>>> smbd. I've also tried to 'net cache flush'.
>>>>>
>>>>> I also see wbinfo -i <someuser> usually returns:
>>>>>     failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
>>>>>     Could not get info for user <someuser>
>>>>>
>>>>> The relevant parts of my smb.conf are below. I've tried patching
>>>>> this together from various tuts and help pages. Any guidance would
>>>>> be very helpful.
>>>>>
>>>>> thanks!
>>>>> -Nick
>>>>>
>>>>> [global]
>>>>>     workgroup = CORP
>>>>>     security = ADS
>>>>>     password server = 192.168.77.251
>>>>>     realm = CORP.MYCOMPANY.COM
>>>>>     allow trusted domains = yes
>>>>>     winbind use default domain = yes
>>>>>     winbind nested groups = YES
>>>>>     idmap config CORP : backend = tdb
>>>>>     idmap config CORP : default = yes
>>>>>     idmap config CORP : schema_mode = rfc2307
>>>>>     idmap config CORP : range = 1000 - 9999
>>>>>     idmap config * : backend = tdb
>>>>>     encrypt passwords = true
>>>>>     obey pam restrictions = yes
>>>>>     client use spnego = yes
>>>>>     client ntlmv2 auth = yes
>>>>>     encrypt passwords = true
>>>>>     restrict anonymous = 2
>>>>>     unix password sync = yes
>>>>>     winbind enum groups = yes
>>>>>     winbind enum users = yes
>>>>>     winbind nss info = rfc2307
>>>>>
>>>>>
>>>> --
>>>>
>>>> Robert Freeman-Day
>>>>
>>>> https://launchpad.net/~presgas
>>>> GPG Public Key:
>>>> http://keyserver.ubuntu.com:11371/pks/lookup?op=get&search=0xBA9DF9ED3E4C7D36
>> Hi, just a thought: have you added the RFC2307 uid/gid values to your users on the AD server? If you haven't, there will be nothing to find and it may throw the error that you are getting.
>>
>> Rowland
>>
>>

I am playing about with this on a Xubuntu 12.04 client against a Samba4 
server (Ubuntu 12.04 server) and it seems to be working for me (mostly).

I have:
     winbind enum users = Yes
     winbind enum groups = Yes
     winbind use default domain = Yes
     winbind nss info = rfc2307
     winbind refresh tickets = Yes
     winbind normalize names = Yes
     idmap config HOME:schema_mode = rfc2307
     idmap config HOME:range = 210000-3100000
     idmap config HOME:backend = ad
     idmap config * : range = 210000-3100000
     idmap config * : backend = tdb

in /etc/samba/smb.conf

wbinfo -u returns all AD users
wbinfo -g returns all AD groups
getent passwd returns all local & AD unixusers
getent group returns local users but no AD unixusers, but
getent group linuxusers returns the AD info for the unix group

Hope this helps.

Rowland
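As an added illustration that is not part of the thread, the Python below reads only the idmap lines of an smb.conf and reports the pitfalls discussed above: a domain backend other than ad (tdb allocates ids first come, first served), a missing rfc2307 schema mode or range, a uidNumber outside the configured range (idmap_ad only maps ids inside it), and a default '*' domain without a backend or range (the working config above sets both). The embedded configs are re-typed from the messages in this thread with non-idmap settings left out; the function and variable names are my own.

```python
import re

# idmap config lines; the thread writes both "CORP : range" and "HOME:range".
IDMAP_RE = re.compile(r"^\s*idmap\s+config\s+(\S+?)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.I)

def parse_idmap(smb_conf):
    """Return {DOMAIN: {option: value}} for every idmap config line."""
    domains = {}
    for line in smb_conf.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            dom, key, val = m.groups()
            domains.setdefault(dom.upper(), {})[key.lower()] = val
    return domains

def parse_range(text):
    """'800 - 99999' or '210000-3100000' -> (800, 99999)."""
    lo, hi = (int(p) for p in text.replace(" ", "").split("-"))
    return lo, hi

def check_idmap(smb_conf, domain, expected_uid=None):
    """Return a list of findings; an empty list means no pitfall was spotted."""
    cfg, findings = parse_idmap(smb_conf), []
    dom = cfg.get(domain.upper(), {})
    if dom.get("backend", "").lower() != "ad":
        findings.append(f"{domain}: backend is not ad, so ids are allocated, not read from AD")
    if dom.get("schema_mode", "").lower() != "rfc2307":
        findings.append(f"{domain}: schema_mode is not rfc2307")
    rng = parse_range(dom["range"]) if "range" in dom else None
    if rng is None:
        findings.append(f"{domain}: no range, which idmap_ad requires")
    elif expected_uid is not None and not rng[0] <= expected_uid <= rng[1]:
        findings.append(f"{domain}: uidNumber {expected_uid} is outside {rng[0]}-{rng[1]}")
    for key in ("backend", "range"):  # the working config sets both for '*'
        if key not in cfg.get("*", {}):
            findings.append(f"*: default domain has no {key}")
    return findings

# Constructed from the idmap lines posted in the thread (other settings omitted).
NICK_FIRST = """    idmap config CORP : backend = tdb
    idmap config CORP : schema_mode = rfc2307
    idmap config CORP : range = 1000 - 9999
    idmap config * : backend = tdb
"""
ROWLAND = """    idmap config HOME:schema_mode = rfc2307
    idmap config HOME:range = 210000-3100000
    idmap config HOME:backend = ad
    idmap config * : range = 210000-3100000
    idmap config * : backend = tdb
"""
```

Running check_idmap(NICK_FIRST, "CORP", 1001) flags the tdb backend and the missing default range, while check_idmap(ROWLAND, "HOME") returns no findings.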



