[Samba] idmap problems after update from 3.0.33 to 3.6.6
rowlandpenny at googlemail.com
Thu Nov 7 07:31:14 MST 2013
On 07/11/13 13:24, Thomas Attenberger wrote:
> 2013/11/7 Rowland Penny <rowlandpenny at googlemail.com>
> On 07/11/13 12:04, Thomas Attenberger wrote:
> Hi again,
> we want to keep the tdb method.
> After many hours of reading and searching, I have still no idea
> what can be
> Actually I'm hanging here:
> wbinfo -n newuser (is working)
> wbinfo -s newusersid (is working)
> wbinfo -S newusersid
> failed to call wbcSidToUid: WBC_ERR_DOMAIN_NOT_FOUND
> Could not convert sid xxx to uid
> If I take a look in the winbindd_idmap.tdb the newuser is not
> Has anyone some idea, what can be wrong?
> 2013/10/23 steve <steve at steve-ss.com>
> On Wed, 2013-10-23 at 15:21 +0200, Thomas Attenberger wrote:
> Thanks for your help.
> How can I manually populate the rfc2307 attributes?
> Before I tried it with "backend = ad", but then
> "wbinfo -u" lists only
> local users.
> Now it seems, there's no difference between using ad
> or tdb.
> Do I really need to use rfc2307 mode? Before I was
> running samba 3.0
> without it...
> What can I do now?
> I can't help with the tdb method but your smb.conf is good
> to go for the
> ad backend. To use it, you will have to add the rfc2307
> attributes to
> the 2008 box somehow. You can add e.g. uidNumber number to
> users under
> the Unix tab on ADUC on your existing DC.
> Another good way to get the attributes would be to join a
> Samba4 machine
> to the domain as another DC. It's then a simple matter to
> wrap a script
> around ldbmodify to dump the attributes into AD from that
> box and let
> replication do the rest.
> Do you have a lot of users?
> You are using RFC2307 on the clients, but do you have the users
> RFC2307 info in AD? (msSFU30NisDomain, msSFU30Name, uidNumber,
> gidNumber, loginShell, unixHomeDirectory, uid).
> If you want to get all the RFC2307 info from AD using Samba, then
> the machine needs to be joined to the domain (like a Windows PC) and
> you need to use something to pull this info, with winbind this
> means 'backend = ad', but you can use sssd or nslcd.
> No, I don't use RFC2307. Here is my actual smb.conf:
> workgroup = ATRON
> realm = ATRON.LOCAL
> security = ADS
> ldap ssl = off
> preferred master = no
> server string = %h
> log file = /var/log/samba/smb.log.%m
> winbind enum users = Yes
> winbind enum groups = Yes
> winbind separator = +
> idmap config *:backend = tdb
> idmap config *:range = 3000-4000
> idmap config ATRON:backend = tdb
> idmap config ATRON:range = 10000-20000
> winbind use default domain = Yes
> template shell = /bin/bash
> username map = /etc/samba/smbusers
So, you are connecting to an AD server and presumably getting the users'
authentication from said server, just where do you think that you are going
to get the rest of the users' info from?