[Samba] idmap problems after update from 3.0.33 to 3.6.6

Thomas Attenberger thomas.attenberger at gmx.net
Thu Nov 7 06:24:21 MST 2013


2013/11/7 Rowland Penny <rowlandpenny at googlemail.com>

> On 07/11/13 12:04, Thomas Attenberger wrote:
>
>> Hi again,
>>
>> we want to keep the tdb method.
>> After many hours of reading and searching, I have still no idea what can be
>> wrong.
>> Actually I'm hanging here:
>>
>> wbinfo -n newuser    (is working)
>> wbinfo -s newusersid (is working)
>> wbinfo -S newusersid
>> failed to call wbcSidToUid: WBC_ERR_DOMAIN_NOT_FOUND
>> Could not convert sid xxx to uid
>>
>> If I take a look in the winbindd_idmap.tdb the newuser is not listed.
>>
>> Has anyone some idea, what can be wrong?
>>
>> Regards
>> Thomas
>>
>>
>> 2013/10/23 steve <steve at steve-ss.com>
>>
>>> On Wed, 2013-10-23 at 15:21 +0200, Thomas Attenberger wrote:
>>>
>>>> Thanks for your help.
>>>>
>>>>
>>>> How can I manually populate the rfc2307 attributes?
>>>>
>>>>
>>>> Before I tried it with "backend = ad", but then "wbinfo -u" lists only
>>>> local users.
>>>> Now it seems, there's no difference between using ad or tdb.
>>>>
>>>>
>>>> Do I really need to use rfc2307 mode? Before I was running samba 3.0
>>>> without it...
>>>>
>>>>
>>>> What can I do now?
>>>>
>>> Hi
>>> I can't help with the tdb method but your smb.conf is good to go for the
>>> ad backend. To use it, you will have to add the rfc2307 attributes to
>>> the 2008 box somehow. You can add e.g. uidNumber number to users under
>>> the Unix tab on ADUC on your existing DC.
>>>
>>> Another good way to get the attributes would be to join a Samba4 machine
>>> to the domain as another DC. It's then a simple matter to wrap a script
>>> around ldbmodify to dump the attributes into AD from that box and let
>>> replication do the rest.
>>>
>>> Do you have a lot of users?
>>> Steve
>>>
>>>
>>>
> You are using RFC2307 on the clients, but do you have the users' RFC2307
> info in AD? (msSFU30NisDomain, msSFU30Name, uidNumber, gidNumber,
> loginShell, unixHomeDirectory, uid).
> If you want to get all the RFC2307 info from AD using Samba, then the
> machine needs to be joined to the domain (like a windows pc) and you need to
> use something to pull this info, with winbind this means 'backend = ad',
> but you can use sssd or nslcd.
>
> Rowland
>

No, I don't use RFC2307. Here is my actual smb.conf:

        workgroup       = ATRON
        realm           = ATRON.LOCAL
        security        = ADS
        ldap ssl        = off
        preferred master = no
        server string   = %h
        log file        = /var/log/samba/smb.log.%m
        winbind enum users = Yes
        winbind enum groups = Yes
        winbind separator = +
        idmap config *:backend = tdb
        idmap config *:range = 3000-4000
        idmap config ATRON:backend = tdb
        idmap config ATRON:range = 10000-20000
        winbind use default domain = Yes
        template shell  = /bin/bash
        username map    = /etc/samba/smbusers

Regards
Thomas

