[Samba] idmap weirdness - wildcard values being used instead of rfc2307 AD values

Doug Meredith doug.meredith at skyridge.com
Thu Oct 30 06:36:30 MDT 2014

Hi Peter,

Thanks for the quick reply.

On Thu, Oct 30, 2014 at 8:54 AM, Peter Serbe <peter at serbe.ch> wrote:

> Doug Meredith schrieb am 30.10.2014 12:29:
> > "getent passwd doug" returns:
> >
> > doug:*:70003:70005:Doug Meredith:/home/DSTRC/doug:/bin/false
> I presume this is "getent passwd" on the member server...
> Does "getent passwd" on the DC work in the right manner?
Yes, the "getent" output was from the member server.  No, "getent passwd"
doesn't work on the DC, but I've never bothered to do the nsswitch config
there.  My understanding is that the winbind implementation on a DC is
completely different code than the winbindd implementation that runs on a
member server, so I figured there wasn't much point in experimenting on the
DC.  Is my thinking flawed?

> > Platform is FreeBSD 10 and I'm using Samba 4.1.13.   Full smb.conf is
> > below.
> This configuration looks OK.
> Is the nsswitch.conf also OK?

nsswitch.conf on the member server:

group: files winbind
group_compat: nis
hosts: files dns
networks: files
passwd: files winbind
passwd_compat: nis
shells: files
services: compat
services_compat: nis
protocols: files
rpc: files

> Does wbinfo -p/u/g work?

wbinfo -p/u/g all work fine on the member server.

> Kerberos kinit/klist OK?

I am not able to authenticate using kinit on the member server, probably
because I've never done any Kerberos configuration on the host.  Given that
the file server is able to look up data in AD, and is able to authenticate
users over SMB, I had assumed that I didn't need to do any explicit
Kerberos setup.

> Furthermore the smb.conf on the DC: is rfc2307 working?

The DCs are Debian running Sernet Samba 4.1.12.  Here is the DC smb.conf:

        workgroup = DSTRC
        realm = dstrc.org
        netbios name = DC1
        server role = active directory domain controller
        #dns forwarder =
        idmap_ldb:use rfc2307 = yes
        printcap name = /dev/null
        load printers = no
        disable spoolss = yes
        printing = bsd
        server services = -dns

        path = /var/lib/samba/sysvol/dstrc.org/scripts
        read only = No

        path = /var/lib/samba/sysvol
        read only = No

        path = /admin
        read only = No

> Do you see the rfc2307 fake yp_server in ldb (as described in the wiki)?
The only thing I could find on the wiki about this was in the "AD DC HOWTO"
and it was in the output from provisioning.
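The symptom in this thread is a uid/gid pair (70003/70005) that looks like it was handed out by winbind's wildcard allocator rather than read from the user's rfc2307 uidNumber/gidNumber in AD. A quick way to confirm that on a member server is to parse the `idmap config` ranges out of smb.conf and check which range each id from `getent passwd` falls in. The script below is an added example and is not code from the thread or from the Samba project; the member-server smb.conf is not on this page, so the idmap backends and ranges in `SAMPLE_SMB_CONF` are constructed assumptions (only the DSTRC domain name and the quoted getent line come from the thread), and the function names are mine.

```python
import re

# Constructed sample of a member server's idmap settings. The thread's
# member-server smb.conf is not on this page, so the backends and ranges here
# are assumptions chosen to illustrate the check.
SAMPLE_SMB_CONF = """\
[global]
        workgroup = DSTRC
        realm = dstrc.org
        security = ads
        idmap config * : backend = tdb
        idmap config * : range = 70000-79999
        idmap config DSTRC : backend = ad
        idmap config DSTRC : schema_mode = rfc2307
        idmap config DSTRC : range = 10000-19999
"""

# The getent passwd line quoted in the thread.
SAMPLE_GETENT = [
    "doug:*:70003:70005:Doug Meredith:/home/DSTRC/doug:/bin/false",
]

# Matches "idmap config DOMAIN : key = value"; DOMAIN may be "*".
IDMAP_RE = re.compile(
    r"^\s*idmap\s+config\s+(?P<domain>[^:\s]+)\s*:\s*(?P<key>\w+)\s*=\s*(?P<value>.+?)\s*$",
    re.IGNORECASE,
)


def parse_idmap_config(conf_text):
    """Collect idmap config lines into {domain: {key: value}}."""
    cfg = {}
    for line in conf_text.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            cfg.setdefault(m.group("domain"), {})[m.group("key").lower()] = m.group("value")
    return cfg


def idmap_ranges(cfg):
    """Turn the parsed config into {domain: (backend, low, high)}; domains without a range are skipped."""
    out = {}
    for domain, keys in cfg.items():
        if "range" not in keys:
            continue
        low, high = (int(x.strip()) for x in keys["range"].split("-", 1))
        out[domain] = (keys.get("backend", "tdb").lower(), low, high)
    return out


def classify_id(num, ranges):
    """Return the idmap domain whose range contains num, or None if no range matches."""
    for domain, (_backend, low, high) in ranges.items():
        if low <= num <= high:
            return domain
    return None


def audit_getent(lines, ranges):
    """For each passwd line, record which idmap range the uid and gid fall in.

    An id inside the '*' range was allocated locally by winbind's default
    backend rather than read from AD, so it will differ from the uidNumber /
    gidNumber that other hosts (and the DC) see for the same account.
    """
    report = []
    for line in lines:
        fields = line.split(":")
        if len(fields) < 4:
            continue  # not a passwd-format line
        user, uid, gid = fields[0], int(fields[2]), int(fields[3])
        uid_dom = classify_id(uid, ranges)
        gid_dom = classify_id(gid, ranges)
        report.append({
            "user": user,
            "uid": uid, "uid_domain": uid_dom,
            "gid": gid, "gid_domain": gid_dom,
            "allocated_by_wildcard": "*" in (uid_dom, gid_dom),
        })
    return report


if __name__ == "__main__":
    ranges = idmap_ranges(parse_idmap_config(SAMPLE_SMB_CONF))
    for entry in audit_getent(SAMPLE_GETENT, ranges):
        print(entry)
```

Run against a real host by reading smb.conf and piping `getent passwd` into `audit_getent`; any DSTRC account whose ids land in the `*` range is being mapped by the allocating backend instead of the `ad` backend, which is exactly the mismatch that makes file ownership inconsistent between servers.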