[Samba] Failing to get uids from AD

Nick Triantos nick at triantos.com
Tue Jul 17 01:39:37 MDT 2012


Just a quick confirmation: 

If I set the idmap config CORP : range parameter, I always get no result for getent passwd <some-valid-user>, and the winbind log shows "Could not get unix ID", whether the range overlaps with my "*" range or not.

I do have one suspicion what could be failing, from inspecting the code. Is it possible for me to map uids in AD but not gids? Currently, I've configured my users, but not all of my security groups.

thanks,
-Nick

p.s. - This is happening with 3.6.3 on Ubuntu. I've been trying unsuccessfully to build v3-6-stable from source so I can debug this. Samba fails to build in ../libcli/auth/ntlmssp_server.c (error: ‘ndr_push_ntlmssp_VERSION’ undeclared). Any tips on how to work past this?


On Jul 16, 2012, at 6:35 PM, Nick Triantos wrote:

> Thanks Heather.
> 
> It was my understanding, from reading one of the doc pages, that the range acted as a filter, and would invalidate any users who didn't match the range, so I purposely made it cover a broader range (from 900 onward). In AD, my first user maps at 1001. On the local machine, all users are daemons, etc. which map to below 899.
> 
> In the case where I specified a range for the CORP section, it seemed to be overridden by the "*" range, or it was ignored and the system fell back to using the * range.
> 
> All of my Samba users are in AD, so there shouldn't actually be a need for the BUILTIN realm, but I'm happy to leave it if that makes samba happy.
> 
> Re use of 'idmap = ad' being moot, you might be right. Someone else responded to a previous thread of mine on this list and suggested using it so that Samba wouldn't attempt to create and store IDs in a tdb, though obviously, that isn't quite working.
> 
> When I instead specify non-overlapping ranges, as below, the command 'getent passwd <some-legit-user>' returns no data.
>   security = ADS
>   realm = CORP.mycompany.COM
>   allow trusted domains = yes
>   winbind use default domain = yes
>   winbind nested groups = YES
>   winbind enum groups = yes
>   winbind enum users = yes
>   winbind nss info = rfc2307
>   winbind refresh tickets = yes
>   idmap config CORP : backend = ad
>   idmap config CORP : schema_mode = rfc2307
>   idmap config CORP : range = 900 - 19999
>   #idmap config * : backend = tdb
>   idmap config * : default = yes
>   idmap config * : range = 100000 - 199999
> 
> The only error I saw in my winbind log, with the above config, which looked to be of value was shown at debuglevel=3:
>   Could not get unix ID
> 
> I will dig in to some google searches to see what I can find. I may also be getting the sfu vs rfc2307 incorrect, but whenever I've changed that to sfu, I get no results. The docs are very terse about which is which (I'm using AD from Windows Server 2008 R2, with the Services for Unix feature installed).
> 
> Any other suggestions?
> 
> BTW, I do very much appreciate all the help.
> 
> thanks,
> -Nick
> 
> On Jul 16, 2012, at 4:42 PM, Heather Choi wrote:
> 
>> I noticed you tried to comment out the default idmap section. The range also starts very low (too low). I think you might be running into uid/gid collisions because of that.
>> Something like this is more preferable (in addition to setting your ranges):
>> 
>>   idmap config * : backend = tdb
>>   idmap config * : range = 1000000-1999999
>> 
>>   idmap config CORP : backend  = ad
>>   idmap config CORP : range = 900-999999
>>   idmap config CORP : schema_mode = rfc2307
>> 
>> You want to make sure you retain the local allocation for stuff like BUILTIN.  Also you may want to start at 1000 for your range for CORP, to make it more logical (i.e. so they are always at least 4 digits long).  You also have to make sure you set the groups properly.
>> 
>> Isn't the use of idmap = ad somewhat moot now that they revised (and mostly 'fixed') id mapping in Samba 3.6?
>> 
>> On 07/16/2012 03:57 AM, Jonathan Buzzard wrote:
>>> On 14/07/12 17:50, Nick Triantos wrote:
>>>> Hi,
>>>> 
>>>> I'm still having trouble getting Samba 3.6.3 / Winbind to fetch UIDs from AD 2008 R2 with the Services for Unix feature installed. My users have uidNumber fields which contain the UIDs I want. I'm on Ubuntu 12.04
>>>> 
>>>> The global part of my smb.conf (I've tried changing 'winbind nss info' and 'schema_mode' to sfu as well):
>>>> 
>>>>   security = ADS
>>>>   realm = CORP.mycompany.COM
>>>>   allow trusted domains = yes
>>>>   winbind use default domain = yes
>>>>   winbind nested groups = YES
>>>>   winbind enum groups = yes
>>>>   winbind enum users = yes
>>>>   winbind nss info = rfc2307
>>>>   winbind refresh tickets = yes
>>>>   idmap config CORP : backend = ad
>>>>   idmap config CORP : schema_mode = rfc2307
>>>>   #idmap config * : backend = tdb
>>>>   idmap config * : default = yes
>>>>   idmap config * : range = 900 - 99999
>>>> 
>>> 
>>> There is no range here for the ad backend. From what I have determined empirically, you need to specify ranges for both that don't overlap. That said, this is now covered in the manual page, but it is vitally important and it won't work properly without it. What I do is specify a small range really high up, well out of the way of anything being allocated in the AD, for the tdb backend.
>>> 
>>> JAB.
>>> 
>> 
>> 
> 

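The thread turns on three idmap mistakes that are easy to miss by eye: an AD domain with a backend but no range, a default ("*") domain whose backend line has been commented out, and ranges that overlap each other or the distro's local system accounts. The following checker is an added example written for this page; it is not code from the thread or from Samba. It parses only the "idmap config DOMAIN : param = value" lines of an smb.conf, treats "#" and ";" lines as comments the way smb.conf does, and flags those three conditions. The two embedded configs are constructed from the snippets quoted in the thread (the first post's config and Heather's suggested one, with the CORP range started at 1000 as she suggested); the 1000 lower bound for "too low" is an assumption about where the distro's daemon accounts stop, not a Samba rule.

```python
"""Lint the winbind idmap ranges in an smb.conf.

Added example for this thread; not part of Samba. It does not replace
`testparm` and cannot tell you whether your AD objects actually carry
uidNumber/gidNumber attributes; it only catches range/backend mistakes
that are visible in the config file itself.
"""
import re

# "idmap config DOMAIN : PARAM = VALUE"; Samba ignores case and tolerates
# whitespace around ':' and '='.
IDMAP_RE = re.compile(
    r'^\s*idmap\s+config\s+(?P<domain>\S+)\s*:\s*(?P<param>\w+)\s*=\s*(?P<value>.+?)\s*$',
    re.IGNORECASE,
)
RANGE_RE = re.compile(r'^(\d+)\s*-\s*(\d+)$')

# Assumption: local system accounts (daemons etc.) live below this on the box,
# so an idmap range starting lower risks uid/gid collisions with them.
MIN_SANE_START = 1000

# Constructed from the first post in the thread: no CORP range, '*' backend
# commented out, '*' range starting at 900.
ORIGINAL_CONF = """
[global]
  security = ADS
  realm = CORP.mycompany.COM
  winbind nss info = rfc2307
  idmap config CORP : backend = ad
  idmap config CORP : schema_mode = rfc2307
  #idmap config * : backend = tdb
  idmap config * : default = yes
  idmap config * : range = 900 - 99999
"""

# Constructed from Heather's suggestion, with CORP started at 1000.
FIXED_CONF = """
  idmap config * : backend = tdb
  idmap config * : range = 1000000-1999999
  idmap config CORP : backend = ad
  idmap config CORP : range = 1000-999999
  idmap config CORP : schema_mode = rfc2307
"""


def parse_idmap(conf: str) -> dict:
    """Return {domain: {param: value}} for the uncommented idmap config lines."""
    domains = {}
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line[0] in '#;':      # smb.conf comment syntax
            continue
        m = IDMAP_RE.match(line)
        if not m:
            continue
        dom = m.group('domain').upper()      # '*' is unchanged by upper()
        domains.setdefault(dom, {})[m.group('param').lower()] = m.group('value')
    return domains


def check_idmap(conf: str) -> list:
    """Return a list of human-readable findings; an empty list means clean."""
    domains = parse_idmap(conf)
    findings = []
    if '*' not in domains:
        findings.append("no 'idmap config * : ...' section; BUILTIN and other non-AD SIDs have nowhere to map")
    ranges = {}
    for dom, params in domains.items():
        if 'backend' not in params:
            findings.append(f"{dom}: no backend configured (is the line commented out?)")
        if 'range' not in params:
            findings.append(f"{dom}: no range configured; winbind will not map IDs for this domain")
            continue
        m = RANGE_RE.match(params['range'])
        if not m:
            findings.append(f"{dom}: unparsable range {params['range']!r}")
            continue
        lo, hi = int(m.group(1)), int(m.group(2))
        if lo > hi:
            findings.append(f"{dom}: range {lo}-{hi} is inverted")
            continue
        if lo < MIN_SANE_START:
            findings.append(f"{dom}: range starts at {lo}, below {MIN_SANE_START}; may collide with local system accounts")
        ranges[dom] = (lo, hi)
    # Pairwise overlap check across every domain that has a usable range.
    doms = sorted(ranges)
    for i, a in enumerate(doms):
        for b in doms[i + 1:]:
            (alo, ahi), (blo, bhi) = ranges[a], ranges[b]
            if alo <= bhi and blo <= ahi:
                findings.append(f"{a} range {alo}-{ahi} overlaps {b} range {blo}-{bhi}")
    return findings


if __name__ == '__main__':
    for name, conf in (('original', ORIGINAL_CONF), ('fixed', FIXED_CONF)):
        print(f"== {name} ==")
        for f in check_idmap(conf) or ['clean']:
            print('  ' + f)
```

Run it against a real file with `check_idmap(open('/etc/samba/smb.conf').read())`; the original config from the thread produces three findings (CORP has no range, "*" has no backend, the "*" range starts below 1000) and Heather's layout produces none. The overlap test is the one to keep: two domains whose ranges overlap are exactly the "Could not get unix ID" situation Jonathan describes, and the file looks fine until you compare the numbers.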