[Samba] Winbind question

Ryan Ashley ryana at reachtechfp.com
Mon Aug 11 09:00:23 MDT 2014


Have you edited "/etc/nsswitch.conf" and set passwd and group to use 
winbind? Mine is below. Also, have you joined the member server with 
"net ads join -U<domain admin name>"?

passwd:         compat winbind
group:          compat winbind
shadow:         compat

On 08/11/2014 10:57 AM, Bruno MACADRÉ wrote:
> wbinfo -u works but not wbinfo -i....
>
> On 11/08/2014 16:55, Ryan Ashley wrote:
>> Did you start the winbind, nmbd, and smbd services? If winbindd is 
>> not running, you cannot use wbinfo.
>>
>> On 08/11/2014 10:54 AM, Bruno MACADRÉ wrote:
>>> Nice, for me it's not so cool.... the ad backend works and winbind lists 
>>> users but if I want info about them I get a 
>>> 'WBC_ERR_DOMAIN_NOT_FOUND' error..... I must search again.....
>>>
>>>
>>>> On 11/08/2014 16:51, Ryan Ashley wrote:
>>>> THAT DID IT! I am now pulling the correct ID's! I spent weeks on 
>>>> this and kept thinking it was configuration files or a bug. Man, I 
>>>> owe you dinner if you're ever in the states!
>>>>
>>>> On 08/11/2014 10:47 AM, Ryan Ashley wrote:
>>>>> My thoughts are the same. I am rebuilding Samba on my member 
>>>>> server now using the parameter you mentioned. I did a full rebuild 
>>>>> from scratch, but I will let you know if it works when it 
>>>>> finishes. My fingers are crossed!
>>>>>
>>>>> On 08/11/2014 10:45 AM, Bruno MACADRÉ wrote:
>>>>>> I think only members 'cause it's only on it we have the message 
>>>>>> 'can't load ad backend'
>>>>>>
>>>>>> On 11/08/2014 16:37, Ryan Ashley wrote:
>>>>>>> I have not seen that mentioned in my 121 posts about this issue. 
>>>>>>> Does that need to be enabled on the DC and members or just members?
>>>>>>>
>>>>>>> On 08/11/2014 10:35 AM, Bruno MACADRÉ wrote:
>>>>>>>> Nice clue,
>>>>>>>>
>>>>>>>> I quickly searched my tutorial and saw that I forgot an 
>>>>>>>> option on my configure line:
>>>>>>>>
>>>>>>>> --with-shared-modules=idmap_ad
>>>>>>>>
>>>>>>>> I'll recompile my samba and retry... I'll come back when finished
>>>>>>>>
>>>>>>>>> On 11/08/2014 16:30, Ryan Ashley wrote:
>>>>>>>>> I forgot to tell you, if you are pulling from the TDB range, 
>>>>>>>>> your ID numbers will NOT be the same across member servers. 
>>>>>>>>> That is what I have been working on for a month now. I have 
>>>>>>>>> two member servers and they keep pulling from the TDB range, 
>>>>>>>>> causing a user to have an ID of 70001 on one member server but 
>>>>>>>>> 70004 on the other. Both servers claim they cannot probe the 
>>>>>>>>> idmap ad module.
>>>>>>>>>
>>>>>>>>> On 08/11/2014 10:21 AM, Bruno MACADRÉ wrote:
>>>>>>>>>> Hi,
>>>>>>>>>>
>>>>>>>>>> I successfully set up an AD DC, and now, I want to join a 
>>>>>>>>>> file server as member in this domain.
>>>>>>>>>>
>>>>>>>>>> I followed this tutorial : 
>>>>>>>>>> https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server
>>>>>>>>>>
>>>>>>>>>> All works fine, my server joins my AD without problem, samba 
>>>>>>>>>> starts fine and winbind too. But when I look at my domain 
>>>>>>>>>> users, the uid/gid returned by winbind are in the TDB range 
>>>>>>>>>> instead of the AD range.....
>>>>>>>>>>
>>>>>>>>>> This is my smb.conf :
>>>>>>>>>> [global]
>>>>>>>>>>
>>>>>>>>>>    netbios name = filzen
>>>>>>>>>>    workgroup = SAMDOM
>>>>>>>>>>    security = ADS
>>>>>>>>>>    realm = SAMDOM.FR
>>>>>>>>>>    encrypt passwords = yes
>>>>>>>>>>
>>>>>>>>>>    log level = 10
>>>>>>>>>>
>>>>>>>>>>    template homedir = /home/%U
>>>>>>>>>>    template shell = /bin/bash
>>>>>>>>>>
>>>>>>>>>>    winbind use default domain = yes
>>>>>>>>>>    winbind enum users  = yes
>>>>>>>>>>    winbind enum groups = yes
>>>>>>>>>>
>>>>>>>>>>    idmap config SAMDOM:backend = ad
>>>>>>>>>>    idmap config SAMDOM:range = 20001-70000
>>>>>>>>>>    idmap config SAMDOM:default = yes
>>>>>>>>>>    idmap config *:backend = tdb
>>>>>>>>>>    idmap config *:range = 70001-80000
>>>>>>>>>>
>>>>>>>>>> If I type :
>>>>>>>>>> # wbinfo -i administrator
>>>>>>>>>>
>>>>>>>>>> I get :
>>>>>>>>>> administrator:*:70001:70001::/home/administrator:/bin/bash
>>>>>>>>>>
>>>>>>>>>> If I create a user (foo) and try to obtain his information:
>>>>>>>>>> # wbinfo -i foo
>>>>>>>>>>
>>>>>>>>>> I get:
>>>>>>>>>> foo:*:70002:70001::/home/foo:/bin/bash
>>>>>>>>>>
>>>>>>>>>> Why doesn't winbind use the AD range instead of the TDB range? And 
>>>>>>>>>> even if I must use the TDB range, is there a certainty that these 
>>>>>>>>>> uid/gid are the same over all members?
>>>>>>>>>>
>>>>>>>>>> Another clue : If I use SAMDOM:backend = rid the users 
>>>>>>>>>> receive a uid/gid in SAMDOM range and not in TDB range (maybe 
>>>>>>>>>> a bug in ad backend ?)
>>>>>>>>>>
>>>>>>>>>> Thanks for any answers
>>>>>>>>>> Regards,
>>>>>>>>>> Bruno.
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>
>>>>>
>>>>
>>>
>>
>
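
Added example, not part of the thread or of Samba: a Python check for the symptom discussed above, where UIDs land in the `*` (tdb) range instead of the SAMDOM (ad) range and therefore differ between member servers. The function names are hypothetical, and the MEMBER_B line is constructed from the 70001/70004 mismatch Ryan describes.

```python
import re

# idmap lines from the smb.conf quoted in the thread.
SMB_CONF = """[global]
   idmap config SAMDOM:backend = ad
   idmap config SAMDOM:range = 20001-70000
   idmap config *:backend = tdb
   idmap config *:range = 70001-80000
"""
# `wbinfo -i` output quoted in the thread (member A); member B is constructed.
MEMBER_A = ["administrator:*:70001:70001::/home/administrator:/bin/bash",
            "foo:*:70002:70001::/home/foo:/bin/bash"]
MEMBER_B = ["administrator:*:70004:70001::/home/administrator:/bin/bash"]

IDMAP_RE = re.compile(
    r"^\s*idmap config\s+(\S+?)\s*:\s*(backend|range)\s*=\s*(\S+)", re.I | re.M)

def parse_idmap(conf):
    """Return {domain: {"backend": name, "range": (low, high)}}."""
    domains = {}
    for dom, key, val in IDMAP_RE.findall(conf):
        entry = domains.setdefault(dom, {})
        if key.lower() == "range":
            low, high = val.split("-")
            entry["range"] = (int(low), int(high))
        else:
            entry["backend"] = val
    return domains

def uid_map(passwd_lines):
    """Map user -> UID from passwd-format lines such as `wbinfo -i` prints."""
    rows = (l.strip().split(":") for l in passwd_lines if l.strip())
    return {f[0]: int(f[2]) for f in rows}

def outside_domain_range(passwd_lines, domains, expected):
    """Users whose UID was not allocated from the expected domain's range."""
    found = {}
    for user, uid in uid_map(passwd_lines).items():
        owner = next((d for d, e in domains.items() if "range" in e
                      and e["range"][0] <= uid <= e["range"][1]), None)
        if owner != expected:
            found[user] = (uid, owner)
    return found

def drift(a_lines, b_lines):
    """Users present on both members whose UIDs disagree."""
    a, b = uid_map(a_lines), uid_map(b_lines)
    return {u: (a[u], b[u]) for u in a.keys() & b.keys() if a[u] != b[u]}

if __name__ == "__main__":
    print(outside_domain_range(MEMBER_A, parse_idmap(SMB_CONF), "SAMDOM"))
    print(drift(MEMBER_A, MEMBER_B))
```

A non-empty result from either function means file ownership on shared or migrated storage cannot be trusted to match between members until the mapping is fixed.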


