[Samba] Samba4 and idmap_ad

steve steve at steve-ss.com
Tue Aug 12 02:36:31 MDT 2014


On Tue, 2014-08-12 at 07:35 +0000, Ollenburg, Andreas (KRZ) wrote:
> Hello everyone,
> 
> I have a - maybe only cosmetic - problem. I am currently configuring two SLES servers running Samba4 as member servers in a Windows2008/2012-AD. (Yeah, poor us!) Everything went fine: installing the samba packages, getting Kerberos running, and joining the AD. But when I use id or wbinfo now to get user information I get lots of groups which cannot be mapped to a GID and thus are displayed as -1 or 4294967295:
> 
> id DOMAIN\\USER
> uid=3611(DOMAIN\\USER) gid=3000(DOMAIN\\PRIMARYGROUP) groups=3000(DOMAIN\\PRIMARYGROUP),3001(DOMAIN\\OTHERGROUP),4294967295,4294967295,4294967295,4294967295,4294967295,4294967295,4294967295,4294967295,4294967295,4294967295,4294967295,4294967295,4294967295,2(daemon)
> 
> wbinfo -r DOMAIN\\USER
> 3000
> 3001
> -1
> -1
> -1
> -1
> -1
> -1
> -1
> -1
> -1
> -1
> -1
> -1
> -1
> 2
> 
> On another server running Samba3 only the two groups with GID 3000 and 3001 are shown.
> 
> Here are excerpts from my smb.conf:
> 
> [global]
>         realm = OUR.DOMAIN.NAME
>         workgroup = DOMAIN
>         security = ads
>         idmap config *:backend = tdb
>         idmap config *:range = 100000-199999
>         idmap config NTKRZ:backend = ad
>         idmap config NTKRZ:schema_mode = rfc2307
>         idmap config NTKRZ:range = 1000-19999
>         winbind nss info = rfc2307
>         winbind trusted domains only = No
>         winbind enum users = Yes
>         winbind enum groups = Yes
>         winbind use default domain = No
>         winbind nested groups = Yes
>         winbind refresh tickets = Yes
>         winbind offline logon = No
> 
> Any ideas anyone?
> 
> Thanks in advance and greetings from Germany
>  Andreas

Yeah, don't we know the feeling. The winbind from openSUSE 13.1 is a
little better and if you're not tied to the contract stranglehold,
building from clean samba source would allow you to dust away the
cobwebs and breathe fresh air once again.

If you're under contract, please do share (off list) your experiences
when you call support;)
Cheers,
Steve



