[Samba] Can't get idmap connected to AD unix attribs

Nick Triantos nick at triantos.com
Fri Jul 13 00:10:05 MDT 2012


It turns out that setting idmap config * : ad was the cause of my failures. For some reason, that backend is not compiled into the Ubuntu packages (or at least, when I ran with debug = 3 for winbind, I saw that the backend 'ad' was failing to load).

It does seem, from my very non-scientific study of the list over the past few days, that a large number of questions seem to be focused on connecting samba with AD. Hopefully this can be made more rock-solid in the future.

regards,
-Nick

On Jul 11, 2012, at 10:50 AM, Rowland Penny wrote:

> On 11/07/12 17:38, Nick Triantos wrote:
>> Hi Rowland,
>> 
>> Yes, I've added their unix attributes.
>> 
>> It looks like there is a long-open bug in winbind/samba 3.6.x that may be causing the error below (https://bugzilla.samba.org/show_bug.cgi?id=8676). I'm now stuck behind that so I'm trying to downgrade to 3.5.x.
>> 
>> regards,
>> -Nick
>> 
>> On Jul 11, 2012, at 7:05 AM, Rowland Penny wrote:
>> 
>>> On 11/07/12 01:57, Nick Triantos wrote:
>>>> Thanks Robert.
>>>> 
>>>> I've tried switching over to the AD back-end (which does sound like what I want), but I still receive only the errors:
>>>>    failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
>>>> 
>>>> I restarted both winbind and smbd after changing the config. Is there some cache I have to flush, or some other config that needs to be changed beyond the settings in smb.conf?
>>>> 
>>>> thanks again!
>>>> -Nick
>>>> 
>>>> My updated smb.conf:
>>>> 
>>>>    workgroup = CORP
>>>>    security = ADS
>>>>    #password server = 192.168.77.251
>>>>    realm = CORP.MYCOMPANY.COM
>>>>    allow trusted domains = yes
>>>>    winbind use default domain = yes
>>>>    winbind nested groups = YES
>>>>    idmap config CORP : backend = ad
>>>>    idmap config CORP : default = yes
>>>>    idmap config CORP : schema_mode = rfc2307
>>>>    idmap config CORP : range = 800 - 99999
>>>> 
>>>> 
>>>> On Jul 10, 2012, at 7:27 AM, Robert Freeman-Day wrote:
>>>> 
>>>>> Nick,
>>>>> 
>>>>> I think what you may be looking for is the ad backend:
>>>>> 
>>>>> https://www.samba.org/samba/docs/man/manpages-3/idmap_ad.8.html
>>>>> 
>>>>> Since you are using tdb in your config, it is using a local database
>>>>> and allocates UID/GIDs on the fly...first come, first served.  So a
>>>>> user may not get the same UID from one machine to the next.
>>>>> 
>>>>> Robert
>>>>> 
>>>>> On 07/10/2012 12:20 AM, Nick Triantos wrote:
>>>>>> Hi,
>>>>>> 
>>>>>> I'm trying to get an Ubuntu 12.04 system's Samba (3.6.3) and
>>>>>> Winbind to map userids and groups to the unix attributes in an AD
>>>>>> 2008 server. I can see that when I perform an ldapsearch, I'm able
>>>>>> to read the attributes, and for one of my accounts, the id should
>>>>>> be 1001. However, when I run 'wbinfo -i <username>', I get back
>>>>>> something like 920.
>>>>>> 
>>>>>> At one point, I was setting the idmap range to start at 900, but
>>>>>> I've since removed that from my config, and restarted winbindd and
>>>>>> smbd. I've also tried to 'net cache flush'.
>>>>>> 
>>>>>> I also see 'wbinfo -i <someuser>' usually returns:
>>>>>>    failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
>>>>>>    Could not get info for user <someuser>
>>>>>> 
>>>>>> The relevant parts of my smb.conf are below. I've tried patching
>>>>>> this together from various tuts and help pages. Any guidance would
>>>>>> be very helpful.
>>>>>> 
>>>>>> thanks! -Nick
>>>>>> 
>>>>>> [global]
>>>>>>    workgroup = CORP
>>>>>>    security = ADS
>>>>>>    password server = 192.168.77.251
>>>>>>    realm = CORP.MYCOMPANY.COM
>>>>>>    allow trusted domains = yes
>>>>>>    winbind use default domain = yes
>>>>>>    winbind nested groups = YES
>>>>>>    idmap config CORP : backend = tdb
>>>>>>    idmap config CORP : default = yes
>>>>>>    idmap config CORP : schema_mode = rfc2307
>>>>>>    idmap config CORP : range = 1000 - 9999
>>>>>>    idmap config * : backend = tdb
>>>>>>    encrypt passwords = true
>>>>>>    obey pam restrictions = yes
>>>>>>    client use spnego = yes
>>>>>>    client ntlmv2 auth = yes
>>>>>>    encrypt passwords = true
>>>>>>    restrict anonymous = 2
>>>>>>    unix password sync = yes
>>>>>>    winbind enum groups = yes
>>>>>>    winbind enum users = yes
>>>>>>    winbind nss info = rfc2307
>>>>>> 
>>>>>> 
>>>>> - - --
>>>>> ________
>>>>> 
>>>>> Robert Freeman-Day
>>>>> 
>>>>> https://launchpad.net/~presgas
>>>>> GPG Public Key:
>>>>> http://keyserver.ubuntu.com:11371/pks/lookup?op=get&search=0xBA9DF9ED3E4C7D36
>>>>> 
>>>>> 
>>> Hi, just a thought, have you added the RFC2307 uid/gid values to your users on the AD server? if you haven't, there will be nothing to find and it may throw the error that you are getting.
>>> 
>>> Rowland
>>> 
>>> 
>>> -- 
>>> This message has been scanned for viruses and
>>> dangerous content by MailScanner, and is
>>> believed to be clean.
>>> 
>>> -- 
>>> To unsubscribe from this list go to the following URL and read the
>>> instructions:  https://lists.samba.org/mailman/options/samba
>> 
>> 
> 
> I am playing about with this on a Xubuntu 12.04 client against a Samba4 server (Ubuntu 12.04 server) and it seems to be working for me (mostly)
> 
> I have:
>    winbind enum users = Yes
>    winbind enum groups = Yes
>    winbind use default domain = Yes
>    winbind nss info = rfc2307
>    winbind refresh tickets = Yes
>    winbind normalize names = Yes
>    idmap config HOME:schema_mode = rfc2307
>    idmap config HOME:range = 210000-3100000
>    idmap config HOME:backend = ad
>    idmap config * : range = 210000-3100000
>    idmap config * : backend = tdb
> 
> in /etc/samba/smb.conf
> 
> wbinfo -u returns all AD users
> wbinfo -g returns all AD groups
> getent passwd returns all local & AD unixusers
> getent group returns local users but no AD unixusers, but
> getent group linuxusers returns the AD info for the unix group
> 
> Hope this helps.
> 
> Rowland
> 
> 
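Added example, written for this archive page and not taken from the thread or from Samba itself: a POSIX sh linter for the idmap section of smb.conf that encodes the rules the thread keeps running into. It checks that the default domain `*` does not use the `ad` backend (per idmap_ad(8), `ad` only reads uidNumber/gidNumber out of AD and cannot allocate ids for BUILTIN or for trusted domains without their own idmap config), that every `ad` domain carries an explicit range, that ranges of different idmap domains are disjoint (otherwise an id allocated by tdb can equal one assigned in AD and two principals end up sharing a uid or gid), and, as a labelled heuristic, that no range starts below 1000, inside the system-account uid space Debian and Ubuntu reserve. The two smb.conf samples it writes into a temporary directory are constructed for the example.

```shell
#!/bin/sh
# Added example (not Samba code, not from the thread): lint the idmap section
# of an smb.conf against rules from idmap_ad(8) and smb.conf(5).
# Rules:
#  1. the default domain "*" must use an allocating backend (tdb, autorid);
#     "ad" cannot allocate ids for BUILTIN or for unlisted trusted domains,
#  2. every "ad" domain needs an explicit "range = low - high",
#  3. ranges of different idmap domains must not overlap,
#  4. (heuristic, assumption) a range starting below 1000 lies inside the
#     Debian/Ubuntu system-account uid space and invites collisions with
#     /etc/passwd entries.

# Print "domain|key|value" for each idmap config line.  Accepts both spacings
# seen in the thread ("CORP : backend = ad", "HOME:backend = ad"); comments
# and other parameters are ignored.
idmap_entries() {
  sed -n -e 's/[[:space:]]*$//' \
    -e 's/^[[:space:]]*idmap config[[:space:]]*\([^:[:space:]]*\)[[:space:]]*:[[:space:]]*\([A-Za-z_]*\)[[:space:]]*=[[:space:]]*\(.*\)$/\1|\2|\3/p' "$1"
}

# idmap_get FILE DOMAIN KEY -> lower-cased value, empty when unset.
idmap_get() {
  idmap_entries "$1" | awk -F'|' -v d="$2" -v k="$3" \
    'tolower($1)==tolower(d) && tolower($2)==k {print tolower($3)}'
}

# range_bounds "low - high" -> "low high"; prints nothing when malformed.
range_bounds() {
  printf '%s\n' "$1" | tr -d '[:blank:]' |
    awk -F'-' 'NF==2 && $1 ~ /^[0-9]+$/ && $2 ~ /^[0-9]+$/ && $1+0 <= $2+0 {print $1, $2}'
}

# idmap_violations FILE -> one violation per line, nothing when clean.
idmap_violations() {
  f=$1
  case "$(idmap_get "$f" '*' backend)" in
    ad) echo "default domain '*' uses backend ad; '*' needs an allocating backend (tdb or autorid)" ;;
    '') echo "no 'idmap config * : backend' line; BUILTIN and unlisted trusted domains cannot be mapped" ;;
  esac
  idmap_entries "$f" | cut -d'|' -f1 | sort -u | while IFS= read -r d; do
    b=$(idmap_get "$f" "$d" backend)
    r=$(idmap_get "$f" "$d" range)
    [ "$b" = ad ] && [ -z "$r" ] && echo "domain $d: backend ad requires an explicit range"
    if [ -n "$r" ]; then
      bounds=$(range_bounds "$r")
      if [ -z "$bounds" ]; then
        echo "domain $d: range '$r' is not of the form 'low - high'"
      elif [ "${bounds%% *}" -lt 1000 ]; then
        echo "domain $d: range $r starts below 1000, inside the local system-account uid space (assumed Debian/Ubuntu layout)"
      fi
    fi
  done
  # Pairwise overlap between every two well-formed ranges.
  idmap_entries "$f" | cut -d'|' -f1 | sort -u | while IFS= read -r d; do
    bounds=$(range_bounds "$(idmap_get "$f" "$d" range)")
    [ -n "$bounds" ] && echo "$d $bounds"
  done | awk '
    { dom[NR]=$1; lo[NR]=$2+0; hi[NR]=$3+0 }
    END { for (i=1;i<=NR;i++) for (j=i+1;j<=NR;j++)
            if (lo[i]<=hi[j] && lo[j]<=hi[i])
              printf "ranges of %s (%d-%d) and %s (%d-%d) overlap\n", dom[i],lo[i],hi[i],dom[j],lo[j],hi[j] }'
}

# check_idmap FILE -> exit 0 when clean, 1 when any rule fails; violations on stdout.
check_idmap() {
  v=$(idmap_violations "$1")
  if [ -z "$v" ]; then return 0; fi
  printf '%s\n' "$v"
  return 1
}

tmpdir=$(mktemp -d)
trap 'rm -rf "$tmpdir"' EXIT

# Constructed sample 1: the shape the thread ends on, "ad" for "*" too.
cat >"$tmpdir/bad.conf" <<'EOF'
[global]
   workgroup = CORP
   security = ADS
   realm = CORP.MYCOMPANY.COM
   idmap config CORP : backend = ad
   idmap config CORP : schema_mode = rfc2307
   idmap config CORP : range = 800 - 99999
   idmap config * : backend = ad
EOF

# Constructed sample 2: "ad" for the domain, tdb for "*", disjoint ranges.
cat >"$tmpdir/good.conf" <<'EOF'
[global]
   workgroup = CORP
   security = ADS
   realm = CORP.MYCOMPANY.COM
   idmap config CORP : backend = ad
   idmap config CORP : schema_mode = rfc2307
   idmap config CORP : range = 10000 - 99999
   idmap config * : backend = tdb
   idmap config * : range = 100000 - 199999
EOF

for c in bad good; do
  if check_idmap "$tmpdir/$c.conf" >"$tmpdir/out"; then
    echo "$c.conf: clean"
  else
    echo "$c.conf:"; sed 's/^/  /' "$tmpdir/out"
  fi
done
```

On a real host point `check_idmap` at /etc/samba/smb.conf before running `testparm`: giving the domain and `*` the same range is reported as an overlap, and that is the configuration to rule out when `getent passwd` on two machines hands different uids to the same AD account, or the same uid to two different ones.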


