[Samba] Winbind does not read uidNumber

steve steve at steve-ss.com
Sun Jun 29 05:41:53 MDT 2014


On Sun, 2014-06-29 at 13:01 +0200, Lars Hanke wrote:
> Well, seems like I hit every mudhole that could be on the way ...
> 
> root at samba4:/# getent passwd | grep mgr
> mgr:*:10000:10000:Lars LH. Hanke:/home/AD/mgr:/bin/bash
> root at samba4:/# ldapsearch -LLL -D 
> "CN=Administrator,CN=Users,DC=ad,DC=microsult,DC=de" -x -W '(uid=mgr)' 
> uid uidNumber gidNumber sAMAccountName name gecos
> Enter LDAP Password:
> dn: CN=Lars LH. Hanke,CN=Users,DC=ad,DC=microsult,DC=de
> name: Lars LH. Hanke
> sAMAccountName: mgr
> uid: mgr
> uidNumber: 1001
> gidNumber: 1001
> gecos: Dr. Lars Hanke
> 
> root at samba4:/# grep mgr /etc/passwd
> root at samba4:/#
> 
> So although proper POSIX information is in the AD, and no local 
> information present, winbind rolls dice for POSIX attributes.
lol! Do you have any local cache? nscd is often a culprit here. Flush
the winbind tdb too:
 net cache flush
Check that winbind registers on the DC when you start it.
>  The 
> situation seems similar to that of Rowland and Derek Werthmuller last 
> December. There finally, Rowland suggested to use sssd.
> 
OK, make a decision. If it doesn't work this time, try the latter.

> My smb.conf:
> 
> [global]
>          workgroup = AD
>          realm = AD.MICROSULT.DE
>          security = ADS
>          restrict anonymous = 2
>          kerberos method = system keytab
>          os level = 0
>          local master = No
>          domain master = No
>          template shell = /bin/bash
>          winbind enum users = Yes
>          winbind enum groups = Yes
>          winbind use default domain = Yes
>          idmap config * : range = 10000-20000
>          idmap config AD: backend = ad
>          idmap config AD: range = 1001 - 2000
		 idmap config AD: range = 1000-2000 #lose the spaces and change the
range just to be sure 
> 		
>          idmap config * : backend = tdb

> Interestingly the behaviour is no different, if I simply put idmap uid 
> and idmap gid lines instead of the more detailed config.
> 
> And, if you doubt that I'm querying the right LDAP:
> 
> root at samba4:/# cat /etc/ldap/ldap.conf
> BASE    DC=ad,DC=microsult,DC=de
> URI     ldap://samba.ad.microsult.de:3268
> TLS_CACERT      /etc/certs/cacert.pem
> 
> BTW: administrator neither maps to 0!
It only maps to 0 if you configure it to do so.
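A quick way to tell whether the uid getent hands back came from the `backend = ad` range (uidNumber read from the directory) or from the allocating `*` tdb range is to compare it against the ranges in smb.conf. The script below is an added diagnostic, not something from this thread or from the Samba project; it works on a copy of the idmap lines quoted above (constructed inline, so it runs offline) and on the two numbers the thread shows: uid 10000 from getent and uidNumber 1001 from ldapsearch. The function names and the tolerant parsing of spaces around `:`, `=` and `-` are my own assumptions, not Samba's parser.

```shell
#!/bin/sh
# Added example (not from the thread): decide which idmap range a uid fell in.
# A uid inside the "*" range means the allocating tdb backend handed it out,
# i.e. winbind did not use the uidNumber stored in AD.

# Constructed from the smb.conf quoted in the thread; only idmap lines matter.
SMB_CONF='[global]
         workgroup = AD
         idmap config * : range = 10000-20000
         idmap config AD: backend = ad
         idmap config AD: range = 1001 - 2000
         idmap config * : backend = tdb'

# idmap_range CONF DOMAIN: print "LOW HIGH" for "idmap config DOMAIN : range".
# Whitespace around ':', '=' and '-' is stripped before matching, so the
# check is tolerant of the spacing the thread's config uses.
idmap_range() {
    printf '%s\n' "$1" | awk -v dom="$2" '
    {
        line = tolower($0); gsub(/[ \t]/, "", line)
        key = "idmapconfig" tolower(dom) ":range="
        if (index(line, key) == 1) {
            n = split(substr(line, length(key) + 1), r, "-")
            if (n == 2) print r[1], r[2]
        }
    }'
}

# in_range UID LOW HIGH: succeed when LOW <= UID <= HIGH.
in_range() {
    [ "$1" -ge "$2" ] && [ "$1" -le "$3" ]
}

# idmap_source CONF UID DOMAIN: print "ad" (uid inside the domain's ad range),
# "default" (uid inside the "*" tdb range) or "none" (outside both).
idmap_source() {
    _conf=$1; _uid=$2; _dom=$3
    set -- $(idmap_range "$_conf" "$_dom"); _adlo=$1; _adhi=$2
    set -- $(idmap_range "$_conf" '*');     _dlo=$1;  _dhi=$2
    if [ -n "$_adlo" ] && in_range "$_uid" "$_adlo" "$_adhi"; then
        echo ad
    elif [ -n "$_dlo" ] && in_range "$_uid" "$_dlo" "$_dhi"; then
        echo default
    else
        echo none
    fi
}

# ranges_overlap CONF DOMAIN: succeed when the domain range and the "*" range
# overlap, which would make the source of a uid ambiguous.
ranges_overlap() {
    set -- $(idmap_range "$1" "$2") $(idmap_range "$1" '*')
    [ $# -eq 4 ] && [ "$1" -le "$4" ] && [ "$3" -le "$2" ]
}

# Stand-alone run over the numbers from the thread.
echo "getent uid 10000 came from:   $(idmap_source "$SMB_CONF" 10000 AD)"
echo "LDAP uidNumber 1001 belongs to: $(idmap_source "$SMB_CONF" 1001 AD)"
if ranges_overlap "$SMB_CONF" AD; then
    echo "warning: AD range overlaps the '*' range"
fi
```

Run against a live box, replace `SMB_CONF` with `$(cat /etc/samba/smb.conf)` and the first argument of `idmap_source` with the uid from `getent passwd`; a result of `default` for a user whose LDAP entry carries a uidNumber inside the AD range is the same symptom the thread describes.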