[Samba] Winbind does not read uidNumber

Lars Hanke debian at lhanke.de
Sun Jun 29 05:01:30 MDT 2014

Well, seems like I hit every mudhole that could be on the way ...

root@samba4:/# getent passwd | grep mgr
mgr:*:10000:10000:Lars LH. Hanke:/home/AD/mgr:/bin/bash
root@samba4:/# ldapsearch -LLL -D "CN=Administrator,CN=Users,DC=ad,DC=microsult,DC=de" -x -W '(uid=mgr)' uid uidNumber gidNumber sAMAccountName name gecos
Enter LDAP Password:
dn: CN=Lars LH. Hanke,CN=Users,DC=ad,DC=microsult,DC=de
name: Lars LH. Hanke
sAMAccountName: mgr
uid: mgr
uidNumber: 1001
gidNumber: 1001
gecos: Dr. Lars Hanke

root@samba4:/# grep mgr /etc/passwd
root@samba4:/#

So although proper POSIX information is in the AD, and no local 
information present, winbind rolls dice for POSIX attributes. The 
situation seems similar to that of Rowland and Derek Werthmuller last 
December. There finally, Rowland suggested to use sssd.

My smb.conf:

         workgroup = AD
         realm = AD.MICROSULT.DE
         security = ADS
         restrict anonymous = 2
         kerberos method = system keytab
         os level = 0
         local master = No
         domain master = No
         template shell = /bin/bash
         winbind enum users = Yes
         winbind enum groups = Yes
         winbind use default domain = Yes
         idmap config * : range = 10000-20000
         idmap config AD: backend = ad
         idmap config AD: range = 1001 - 2000
         idmap config * : backend = tdb

Interestingly, the behaviour is no different if I simply put idmap uid 
and idmap gid lines instead of the more detailed config.

And, if you doubt that I'm querying the right LDAP:

root@samba4:/# cat /etc/ldap/ldap.conf
BASE    DC=ad,DC=microsult,DC=de
URI     ldap://samba.ad.microsult.de:3268
TLS_CACERT      /etc/certs/cacert.pem

BTW: administrator does not map to 0 either!

Moreover, I largely followed the Debian Wiki 
https://wiki.debian.org/AuthenticatingLinuxWithActiveDirectory. In their 
setup uids get prefixed by %D+. Unsure which I like better, but it's at 
least an observation.

samba4 runs vanilla Debian Wheezy, i.e. samba 3.6.6. If this is a 
_known_ issue with that version, I readily update to backports 4.1.7. 
Otherwise, I have some reasons to explore the old version for a while.

Thanks for your help,
- lars.
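
The comparison made by hand in the message above (getent output against the directory's uidNumber/gidNumber) can be turned into a repeatable check; a mismatch matters because file ownership and ACLs then resolve to a different numeric ID than the directory assigns. This is an added example, not part of the original post: the function names are hypothetical and the sample input is constructed from the output quoted in the message.

```python
import re

# Constructed sample input, copied from the output quoted in the message.
GETENT = "mgr:*:10000:10000:Lars LH. Hanke:/home/AD/mgr:/bin/bash\n"
LDIF = """dn: CN=Lars LH. Hanke,CN=Users,DC=ad,DC=microsult,DC=de
sAMAccountName: mgr
uid: mgr
uidNumber: 1001
gidNumber: 1001
"""
SMB_CONF = """idmap config * : range = 10000-20000
idmap config AD: backend = ad
idmap config AD: range = 1001 - 2000
"""
RANGE_RE = re.compile(
    r"^\s*idmap config\s+(\S+?)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)", re.M | re.I)

def idmap_ranges(conf):
    """Map idmap domain -> (low, high) from 'idmap config DOM : range' lines."""
    return {d: (int(lo), int(hi)) for d, lo, hi in RANGE_RE.findall(conf)}

def nss_ids(getent):
    """Map login name -> (uid, gid) from `getent passwd` output."""
    rows = (l.split(":") for l in getent.splitlines() if l.count(":") >= 6)
    return {f[0]: (int(f[2]), int(f[3])) for f in rows}

def ldap_ids(ldif):
    """Map uid attribute -> (uidNumber, gidNumber) from `ldapsearch -LLL` output."""
    out = {}
    for entry in re.split(r"\n\s*\n", ldif.strip()):
        attrs = dict(l.split(": ", 1) for l in entry.splitlines() if ": " in l)
        if {"uid", "uidNumber", "gidNumber"} <= attrs.keys():
            out[attrs["uid"]] = (int(attrs["uidNumber"]), int(attrs["gidNumber"]))
    return out

def audit(getent, ldif, conf):
    """List (user, nss_ids, directory_ids, idmap ranges containing the NSS uid)."""
    ranges, nss, findings = idmap_ranges(conf), nss_ids(getent), []
    for user, ids in sorted(ldap_ids(ldif).items()):
        if user not in nss:
            findings.append((user, None, ids, []))  # directory user NSS cannot see
        elif nss[user] != ids:
            hit = [d for d, (lo, hi) in ranges.items() if lo <= nss[user][0] <= hi]
            findings.append((user, nss[user], ids, hit))
    return findings

if __name__ == "__main__":
    for finding in audit(GETENT, LDIF, SMB_CONF):
        print(finding)
```

For the sample it reports mgr with NSS IDs 10000:10000 against directory IDs 1001:1001, and shows that the NSS uid lies in the "*" range rather than the AD range.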
