[Samba] idmap ad group lookup

Feustel, Thomas tf at ksh.com
Thu May 9 04:30:36 MDT 2013

We have an Active Directory with the SFU2307 Unix extensions running.
User authentication against the Active Directory is working fine; for this we are using the "ad" idmap backend.

The only problem is that "getent group" shows only the local Linux groups and no Active Directory groups with a GID.

"wbinfo -g" and "wbinfo -G" are working fine.

We are using Samba 3.6.15 on an Ubuntu 64-bit machine.
It seems that this problem has existed since the idmap syntax in the Samba config changed.

I have also created a trace for this problem, and it seems that winbind tries to get a GID for a Windows group that has no mapping, so it breaks off at the first failure.

We have only mapped the "domain users" group and some groups we created.


   security = ADS
   panic action = /usr/share/samba/panic-action %d
   workgroup = INT
   realm = INT.TMG
   socket options = TCP_NODELAY
   interfaces = eth0
   bind interfaces only = true
   printing = cups
   printcap name = cups
   load printers = no
   wins server =,

        winbind cache time = 604800
        winbind enum users = Yes
        winbind enum groups = Yes
        winbind use default domain = Yes
        winbind nss info = rfc2307
        winbind refresh tickets = Yes
        idmap alloc config:range = 5000 - 9999
        idmap config INT : schema_mode = rfc2307
        idmap config INT : range = 10000 - 300000000
        idmap config INT : default = yes
        idmap config INT : backend = ad
        idmap config * : backend = ad
        idmap config * : schema_mode = rfc2307
        idmap config * : range = 10000 - 300000000
        admin users = int\administrators

Winbind Trace output:
accepted socket 24
[ 3851]: request interface version
[ 3851]: request location of privileged pipe
accepted socket 27
closing socket 24, client exited
[ 3851]: getgrent
child daemon request 59
Finished processing child request 59
child daemon request 59
Current tickets expire in 35986 seconds (at 1368130999, time is now 1368095013)
Search for (&(|(sAMAccountType=805306368)(sAMAccountType=805306369)(sAMAccountType=805306370)(sAMAccountType=268435456)(sAMAccountType=536870912))(|(objectSid=\01\05\00\00\00\00\00\05\15\00\00\00Y\12\88r\CB3Q\0FQA\97\1C\04\02\00\00))) in <dc=INT,dc=TMG> gave 1 replies
Could not get unix ID
Finished processing child request 59
getgrent failed: NT_STATUS_NONE_MAPPED
closing socket 27, client exited

Thanks for your help.
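
An added example, not part of the original post: the objectSid in the trace's LDAP search names the group for which winbind logged "Could not get unix ID". The Python below decodes that escaped value into SID form so the group can be looked up in AD and checked for a gidNumber; the function names and the RID table are this example's own.

```python
import re
import struct

# Well-known domain RIDs; these values are the same in every AD domain.
WELL_KNOWN_RIDS = {512: "Domain Admins", 513: "Domain Users", 514: "Domain Guests",
                   515: "Domain Computers", 516: "Domain Controllers"}

# Tail of the "Search for ..." line from the winbind trace in the post.
TRACE_LINE = (r"(|(objectSid=\01\05\00\00\00\00\00\05\15\00\00\00Y\12\88r"
              r"\CB3Q\0FQA\97\1C\04\02\00\00))) in <dc=INT,dc=TMG> gave 1 replies")


def unescape_ldap_value(text):
    # The log mixes backslash + two hex digits with literal printable
    # characters (e.g. "Y" is byte 0x59); turn both back into raw bytes.
    out = bytearray()
    i = 0
    while i < len(text):
        pair = text[i + 1:i + 3]
        if text[i] == "\\" and re.fullmatch(r"[0-9A-Fa-f]{2}", pair):
            out.append(int(pair, 16))
            i += 3
        else:
            out.append(ord(text[i]))
            i += 1
    return bytes(out)


def sid_from_bytes(raw):
    # Binary SID: revision (1 byte), sub-authority count (1 byte),
    # authority (6 bytes, big-endian), then count x uint32 little-endian.
    if len(raw) < 8 or len(raw) != 8 + 4 * raw[1]:
        raise ValueError("length does not match sub-authority count")
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack("<%dI" % raw[1], raw[8:])
    return "S-%d-%d" % (raw[0], authority) + "".join("-%d" % s for s in subs)


def unmapped_group_from_trace(line):
    # A literal ")" inside the value would itself be escaped, so the value
    # ends at the first ")" in the filter.
    m = re.search(r"\(objectSid=([^)]*)\)", line)
    if m is None:
        return None
    sid = sid_from_bytes(unescape_ldap_value(m.group(1)))
    rid = int(sid.rsplit("-", 1)[1])
    return sid, rid, WELL_KNOWN_RIDS.get(rid, "domain-specific group")


if __name__ == "__main__":
    print(unmapped_group_from_trace(TRACE_LINE))
```

The decoded SID can be passed to "wbinfo -s" to confirm the group name.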


