[Samba] centos 6.5 sernet-samba 4.1.6 member server winbind idmap fail

Lorenzo Faleschini lorenzo.faleschini at nordestsystems.com
Thu Apr 10 03:20:29 MDT 2014


Hi everybody,

I've searched deeply into the samba wiki and the list for some working 
examples, but I cannot find my way out, I'm a kind of rough samba user 
(let's say almost newbie).. so asking help here:

This is my setup:

DC (samba.my.domain.com): CentOS 6.5 with 
sernet-samba 4.1.6 started in "ad" mode
(upgraded successfully from early 4.0.5, working fine with windows 
clients and servers, deployed with rfc2307, wbinfo and getent working fine)

MEMBER (files.my.domain.com): CentOS 6.5 
with sernet-samba 4.1.6 started in "classic" mode
(successfully joined with net ads join, dns updated correctly and host 
is able to resolve domain names, followed the howto on samba wiki, tried 
also by installing from source with parameters suggested in but with no 
luck)

NOTE: disabled iptables and selinux in this test environment
NOTE: created testuser and testgroup with Windows RSAT (AD 
users&computers) and filled the UNIX attributes tab.. so I suppose at 
least for those 2 user and group I have correctly set UID GID

____________________config files_______________________________

##############/etc/samba/smb.conf
[global]

    workgroup = MY
    security = ADS
    realm = MY.DOMAIN.COM

    idmap config *:backend = tdb
    idmap config *:range = 70001-80000
    idmap config MY:backend = ad
    idmap config MY:schema_mode = rfc2307
    idmap config MY:range = 500-40000

    winbind nss info = rfc2307

[test]
    path = /condivisioni/test
    read only = no


#################/etc/krb5.conf
[logging]
  default = FILE:/var/log/krb5libs.log
  kdc = FILE:/var/log/krb5kdc.log
  admin_server = FILE:/var/log/kadmind.log

[libdefaults]
  default_realm = MY.DOMAIN.COM
  dns_lookup_realm = false
  dns_lookup_kdc = false
  ticket_lifetime = 24h
  renew_lifetime = 7d
  forwardable = true

[realms]
MY.DOMAIN.COM = {
   kdc = samba.my.domain.com
   admin_server = samba.my.domain.com }

[domain_realm]
  .my.domain.com = MY.DOMAIN.COM
my.domain.com = MY.DOMAIN.COM

#################/etc/nsswitch.conf (edited lines)
passwd:     files winbind
group:      files winbind

________________________________________________________

~> wbinfo -p
~> wbinfo -u
~> wbinfo -g
~> wbinfo -n testuser

return expected output

~> getent passwd
~> getent group

return only local unix users and groups

~> wbinfo -i testuser
failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
Could not get info for user testuser
~> wbinfo --group-info testgroup
failed to call wbcGetgrnam: WBC_ERR_DOMAIN_NOT_FOUND
Could not get info for group testgroup


on DC getent is working correctly and also wbinfo -i:
~> wbinfo -i testuser
MY\testuser:*:10000:100:testuser:/home/MY/testuser:/bin/false
~> wbinfo --group-info testgroup
MY\testgroup:*:10000:
~> wbinfo -i marco
MY\marco:*:3000043:100:Marco:/home/MY/marco:/bin/false
~> wbinfo --group-info "domain users"
MY\Domain Users:*:100:


... any suggestions?
... I've searched the /var/log/samba logs but can't find anything 
relevant there about errors? should I look somewhere else?
... would it be better to add this MEMBER as a DC with samba tool? any 
gotchas in doing so?
... I read many times Steve and Rowland suggesting sssd over winbind.. 
I've tried to configure it but without success either (quite frustrated :( )

thanks

-- 

Lorenzo Faleschini
IT Manager @ Nord Est Systems srl
----------------------------------------
m: +39 335 6055225 | skype: falegalizeit
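
An added example, not part of the original post: the idmap_ad backend treats "range" as a filter and discards any UID or GID stored in AD that falls outside it, so this sketch compares the IDs printed on the DC above with the ranges in the member's smb.conf. The function names are hypothetical, and treating the DC's wbinfo values as the IDs the member would see is an assumption; the uidNumber and gidNumber actually stored in AD should be confirmed separately.

```python
import re

# Constructed sample input: idmap lines and DC wbinfo output copied from the post.
SMB_CONF = """\
    idmap config *:range = 70001-80000
    idmap config MY:backend = ad
    idmap config MY:range = 500-40000
"""
DC_OUTPUT = """\
MY\\testuser:*:10000:100:testuser:/home/MY/testuser:/bin/false
MY\\testgroup:*:10000:
MY\\marco:*:3000043:100:Marco:/home/MY/marco:/bin/false
MY\\Domain Users:*:100:
"""
IDMAP_RE = re.compile(r"^\s*idmap config\s+(\S+?)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)", re.I)

def parse_ranges(conf_text):
    """Map each 'idmap config DOMAIN:range' domain to its (low, high) tuple."""
    ranges = {}
    for line in conf_text.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            ranges[m.group(1).upper()] = (int(m.group(2)), int(m.group(3)))
    return ranges

def parse_entries(text):
    """Yield (domain, name, kind, id) from passwd- and group-style lines."""
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) < 4 or "\\" not in fields[0]:
            continue
        domain, name = fields[0].split("\\", 1)
        if len(fields) >= 7:   # name:pw:uid:gid:gecos:home:shell
            yield domain.upper(), name, "uid", int(fields[2])
            yield domain.upper(), name, "primary gid", int(fields[3])
        else:                  # name:pw:gid:members
            yield domain.upper(), name, "gid", int(fields[2])

def out_of_range(conf_text, entries_text):
    """Return (name, kind, id) for every ID outside its domain's idmap range."""
    ranges = parse_ranges(conf_text)
    return [(name, kind, ident)
            for domain, name, kind, ident in parse_entries(entries_text)
            if domain in ranges
            and not ranges[domain][0] <= ident <= ranges[domain][1]]

if __name__ == "__main__":
    for name, kind, ident in out_of_range(SMB_CONF, DC_OUTPUT):
        print(f"{name}: {kind} {ident} is outside the configured MY range")
```
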