[Samba] "idmap backend = ad" saga continues

Randy Rue randyrue at gmail.com
Wed Jun 20 17:09:01 MDT 2012

Hello All,

Been a week or three since I could return to this puzzle but I've found some
time and thought I'd refresh on my progress so far.

I'm trying to set up a CentOS_6.2 box running samba 3.5.10-116 to
authenticate against a Windows 2008R2 AD for SSH logins. We've previously
done this using winbind and local accounts on each machine matching AD
accounts but I'd like to do this with dependence on local settings. First we
did this using a local tdb based map but users had random UIDs/GIDs on every
box. Then we tried using the RID backend with some improvement; then users
had "random" UIDs/GIDs that at least were the same on every box. But their
default group was always "Domain Users" and we'd really prefer that their
UID match their emplid.

So idmap backend = ad enters the picture. I've found a slew of posts
mentioning it but not many that claim to have made it work. Posted some
questions here and got some good guidance but still haven't figured this out,
though I have narrowed down the trouble a bit.

Take a look at the below smb.conf. Note the commented lines for the ad
backend. This works. I can log in with AD credentials, and from the server I
can run wbinfo -u, wbinfo -g, I can even run getent passwd for any AD user
and it returns their information. But they all get UIDs/GIDs starting at

   workgroup = DOMAIN
   password server = *
   realm = DOMAIN.ORG
   security = ads
   template shell = /bin/bash
   log file = /var/log/samba/%m.log
   max log size = 100
   socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
   dns proxy = no
   idmap backend = tdb
   idmap uid = 1000000 - 1999999
   idmap gid = 1000000 - 1999999
#   idmap config DOMAIN : backend = ad
#   idmap config DOMAIN : readonly = yes
#   idmap config DOMAIN : range = 5000 - 999999
#   idmap config DOMAIN : schema_mode = rfc2307
   allow trusted domains = No
   winbind use default domain = true
   winbind offline logon = false
   winbind enum users = Yes
   winbind enum groups = Yes
   winbind nested groups = Yes
   winbind nss info = rfc2307

But if I uncomment those four lines, and restart smb and winbind, and run
"net cache flush," it breaks completely. Syslog shows this for an SSH

Jun 20 15:47:16 happytobehere sshd[12021]: Invalid user XXX from
Jun 20 15:47:16 happytobehere sshd[12024]: input_userauth_request: invalid user XXX
Jun 20 15:48:23 happytobehere sshd[12021]: pam_unix(sshd:auth): check pass; user unknown
Jun 20 15:48:23 happytobehere sshd[12021]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser=
Jun 20 15:48:23 happytobehere sshd[12021]: pam_succeed_if(sshd:auth): error retrieving information about user rrue
Jun 20 15:48:25 happytobehere sshd[12021]: Failed password for invalid user XXX from XX.YY.YY.ZZ port 62180 ssh2

I get similar errors in syslog if I try it from the console:

Jun 20 15:53:31 happytobehere login: pam_unix(login:auth): check pass; user
Jun 20 15:53:31 happytobehere login: pam_succeed_if(login:auth): error retrieving information about user XXX
Jun 20 15:53:33 happytobehere login: FAILED LOGIN 3 FROM (null) FOR XXX, User not known to the underlying authentication module

If I run wbinfo I get users and groups back. But "getent" doesn't return AD
users or groups any more. Uncommenting those lines somehow breaks the
machine's ability to query the AD for users and groups.

So I think I've eliminated other factors and have narrowed this down to the
few lines controlling the ad backend for idmap. But I'm stumped on what
those lines need to say.

One question that I think I've already asked here but I don't think anyone
has answered. To confirm: I DON'T need to install SFU or any schema
extensions to my AD if I'm running 2K8R2, right? I should be able to do this
against the native AD?

Hope to hear from you.

Randy Rue
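An added check, not part of Randy's post or of Samba itself: with `idmap config DOMAIN : backend = ad` and `schema_mode = rfc2307`, winbind only maps accounts whose AD objects carry uidNumber and gidNumber inside the configured range, so accounts without those attributes (or with values outside the range) disappear from getent even though wbinfo -u still lists them. The script below parses the range from an smb.conf fragment and flags entries in a constructed ldapsearch-style dump that would not map; the account names and numbers are hypothetical.

```python
import re

# Constructed smb.conf fragment with the ad-backend lines from the post (range assumed 5000-999999).
SMB_CONF = """
   idmap config DOMAIN : backend = ad
   idmap config DOMAIN : range = 5000 - 999999
   idmap config DOMAIN : schema_mode = rfc2307
"""

# Constructed ldapsearch-style attribute dump; the account names and numbers are hypothetical.
LDIF = """
sAMAccountName: rrue
uidNumber: 12345
gidNumber: 5001

sAMAccountName: nouid

sAMAccountName: lowuid
uidNumber: 1001
gidNumber: 5001
"""

def idmap_range(conf, domain):
    # Parse 'idmap config DOMAIN : range = low - high' as written in the post's smb.conf.
    m = re.search(r'idmap config\s+%s\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)' % re.escape(domain), conf, re.I)
    if not m:
        raise ValueError('no idmap range for ' + domain)
    return int(m.group(1)), int(m.group(2))

def parse_ldif(text):
    # One dict per blank-line-separated entry (single-valued attributes only).
    entries = []
    for block in re.split(r'\n\s*\n', text.strip()):
        pairs = [line.split(':', 1) for line in block.splitlines() if ':' in line]
        entries.append({k.strip(): v.strip() for k, v in pairs})
    return entries

def check_mappings(conf, ldif, domain):
    # 'ok' means both rfc2307 ids exist and fall inside the range; otherwise why winbind cannot map it.
    low, high = idmap_range(conf, domain)
    result = {}
    for e in parse_ldif(ldif):
        missing = [a for a in ('uidNumber', 'gidNumber') if a not in e]
        bad = [a for a in ('uidNumber', 'gidNumber') if a in e and not low <= int(e[a]) <= high]
        if missing:
            result[e['sAMAccountName']] = 'missing ' + ','.join(missing)
        elif bad:
            result[e['sAMAccountName']] = 'out of range ' + ','.join(bad)
        else:
            result[e['sAMAccountName']] = 'ok'
    return result
```

Running check_mappings(SMB_CONF, LDIF, 'DOMAIN') reports rrue as ok, nouid as missing both attributes, and lowuid as out of range; a real dump would come from ldapsearch against the domain controller with the same attribute names.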

