[Samba] Winbind Issues with Server 2003/2008

Nathan Frankish nfrankish at qldmotorways.com.au
Sun Mar 11 18:17:26 MDT 2012


Good morning all,

 

I really hate emailing lists, but I've come to a wall that I just can't work out how to get past at the moment, so am hoping for some community assistance if possible.

 

Some background:

We are running Windows Server 2003 on all of our domain controllers, and are in the middle of migrating to Server 2008 R2. We have unix extensions enabled (rfc2307 I believe), and manage all of our uids/shell/home via this.

 

Our linux servers are a mix of RHEL 5.1, 5.4 and 5.5.

 

We were using Samba 3.0.33-3.29.el5_5.1 or equivalent on most of our
servers, but we hit a stone wall when trying to get them to co-exist
with a domain controller that was running Server 2008.

So we upgraded to the redhat package Samba3x which I believe is 3.3.8 on
some of the hosts and 3.5.10 on the others.

 

However then we hit the snafu that the servers running samba3x wouldn't
talk to the domain controllers running server 2003 still.  To combat
that, we null routed the server 2003 servers, and only let the Linux
servers talk to AD servers running 2008.

This was working fine, except that some servers stopped being able to
run "getent passwd" or "getent group" and would just return nothing from
winbind.

 

As a test, I converted over to RID as the idmap backend away from ADS, and this appears to have almost worked perfectly. Except now a user's UID isn't being returned from the AD unixattributes tab, but instead has what I assume is the RID ID for the user. Other attributes seem to be coming down ok.

 

For example, a production host that is still running samba 3.0.33 returns:

[nathan_adm at qbtdbsprd01 ~]$ getent passwd nathan_adm
nathan_adm:*:310:900:Nathan Frankish - Admin:/unixshared/home/nathan_adm:/bin/bash

But on an upgraded host it's returning

[root at qdrbinppz01 ~]# getent passwd nathan_adm
nathan_adm:*:9071:900:Nathan Frankish - Admin:/unixshared/home/nathan_adm:/bin/bash

 

 

Likewise with group lookups, I'm getting similar results.

 

I've tried converting back to ADS from RID to see if that will help, but after updating smb.conf and restarting winbind, it still appears to be getting its info from RID and not from ADS. Below I have two config files: one of the upgraded hosts, one of the not upgraded hosts.

 

Is there any way I can get RID to do what I want? Or get ADS to play nicely on the domain? Or should I just convert to RID entirely and fix all the users' permissions on directories etc.?

 

**upgraded hosts config**

#======================= Global Settings =================================

[global]
interfaces = 10.8.52.0/24 10.8.57.0/24 10.30.52.0/24 10.8.78.0/24 10.8.0.0/22 10.30.0.0/22 10.8.103.0/24
bind interfaces only = yes
workgroup = QLDMOTORWAYS
local master = no
passdb backend = tdbsam
password server = QB2DC-PRD01.QLDMOTORWAYS.COM.AU
realm = QLDMOTORWAYS.COM.AU
domain master = no
local master = no
preferred master = no
os level = 0
server string = qdrbinppz01 Linux server
security = ads
encrypt passwords = yes
log level = 3
log file = /var/log/samba/%m
max log size = 50
idmap backend = ad
idmap uid = 100-200
idmap gid = 100-200
idmap config QLDMOTORWAYS : schema_mode  =rfc2307
idmap config QLDMOTORWAYS : backend = ADs
idmap config QLDMOTORWAYS : range =  300-2000000
winbind separator = +
template shell = /bin/bash
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes
winbind nested groups = yes
winbind nss info = rfc2307
winbind cache time = 1
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes


**non upgraded host**

#======================= Global Settings =================================

[global]
workgroup = QLDMOTORWAYS
local master = no
passdb backend = tdbsam
password server = *
realm = QLDMOTORWAYS.COM.AU
domain master = no
local master = no
preferred master = no
os level = 0
server string = qbtdbsprd01 Linux server
security = ads
encrypt passwords = yes
log level = 3
log file = /var/log/samba/%m
max log size = 50
idmap backend = ad
idmap uid = 100-2000000
idmap gid = 100-2000000
winbind separator = +
template shell = /bin/bash
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes
winbind nested groups = yes
winbind nss info = rfc2307
winbind cache time = 1
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes


Much appreciate any help that can be provided.

Nathan Frankish  |  Systems Engineer
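An added example, not from the post above or from Samba, that turns the two `getent passwd` outputs into a check: it parses the entries captured on a reference host and on an upgraded host, reports users that are missing (winbind returning nothing) or mapped to a different uid/gid, and notes whether the new uid still falls inside the `idmap config ... range` from the upgraded host's smb.conf. The sample lines are constructed from the two entries in the post plus a hypothetical `svc_backup` user.

```python
# Added example: compare winbind identity mappings between two hosts.
# Not from the original post or from Samba; svc_backup is a made-up user.
# Constructed "getent passwd" output: the two entries from the post plus a
# hypothetical user whose mapping did not change.
REFERENCE_HOST = """\
nathan_adm:*:310:900:Nathan Frankish - Admin:/unixshared/home/nathan_adm:/bin/bash
svc_backup:*:311:900:Backup service:/unixshared/home/svc_backup:/bin/bash
"""
UPGRADED_HOST = """\
nathan_adm:*:9071:900:Nathan Frankish - Admin:/unixshared/home/nathan_adm:/bin/bash
svc_backup:*:311:900:Backup service:/unixshared/home/svc_backup:/bin/bash
"""
# Per-domain range from the upgraded host's smb.conf (idmap config ... range).
IDMAP_RANGE = (300, 2000000)


def parse_passwd(text):
    """Map user name -> (uid, gid). A passwd line has exactly seven ':'-separated
    fields, so the GECOS text 'Nathan Frankish - Admin' cannot hide a ':'."""
    entries = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"malformed passwd line: {line!r}")
        entries[fields[0]] = (int(fields[2]), int(fields[3]))
    return entries


def find_drift(reference, candidate, idmap_range=IDMAP_RANGE):
    """List (user, ref_uid, cand_uid, note) for users missing on the candidate
    host (winbind returned nothing) or mapped to a different uid/gid. A changed
    uid on shared storage such as /unixshared/home means the same files belong
    to a different account on each host, so permissions drift between hosts."""
    lo, hi = idmap_range
    problems = []
    for user, (ref_uid, ref_gid) in sorted(reference.items()):
        if user not in candidate:
            problems.append((user, ref_uid, None, "missing on candidate host"))
            continue
        cand_uid, cand_gid = candidate[user]
        if (cand_uid, cand_gid) != (ref_uid, ref_gid):
            # A range check alone would not catch this: a RID-derived uid such
            # as 9071 still lies inside 300-2000000, hence the host comparison.
            where = "inside" if lo <= cand_uid <= hi else "outside"
            problems.append((user, ref_uid, cand_uid,
                             f"uid/gid differs; new uid {where} idmap range"))
    return problems
```

Run it against real `getent passwd` output saved from each host; an empty candidate list reports every user as missing, which is the "getent returns nothing" symptom described above.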
