[Samba] NSLCD works, do I need RFC2307 extensions enabled in AD as well?

john_s lists.john at gmail.com
Tue Apr 21 12:53:02 MDT 2015


On 04/20/2015 02:01 PM, Rowland Penny wrote:

>
> I would suggest you try it on a test set up in a VM and if it works, go
> to production.
>
> Rowland
>

Hi Rowland,

OK, I think I am pretty close. Still using Samba 3.3.6 since I couldn't 
seem to get Samba 4 to work from backports.

My sticking point right now is that winbind is mapping the wrong UID to 
my test user. I've set up the NIS domain in AD to correspond to my 
smb.conf file and I *think* I've correctly specified that UIDs should 
start at 10000; however, when I id a domain user, the mapping starts at 
2000. I assume this means that winbind thinks that the user doesn't 
exist in the domain. wbinfo -u and wbinfo -g work as expected.


  wbinfo -n flyboy
S-1-5-21-3235454718-1405393322-4146969828-4087 SID_USER (1)

root at debian-tester:~# id flyboy
uid=2000(DEBIAN-TESTER\nobody) gid=2006(domain_users) groups=2001(DEBIAN-TESTER\none),2006(domain_users),2007(student_terminal_server),2008(all_students_users),2009(mcm_students),2010(students),2011(chromebooks),2012(2020)


root at debian-tester:~# getent passwd flyboy
flyboy:*:2000:2006:flyboy:/home/flyboy:/bin/sh

getent group "domain users"
domain_users:x:2006:gcallison

Here's my smb.conf file

[global]

    workgroup = VANGUARD
    security = ADS
    realm = VANGUARD.MYDOMAIN.ORG
    dedicated keytab file = /etc/krb5.keytab
    kerberos method = secrets and keytab

    idmap config *:backend = tdb
    idmap config *:range = 2000-9999
    idmap config VANGUARD:backend = ad
    idmap config VANGUARD:schema_mode = rfc2307
    idmap config VANGUARD:range = 10000-99999

    log level = 1 idmap:10
    winbind nss info = rfc2307
    winbind trusted domains only = no
    winbind use default domain = yes
    winbind enum users  = yes
    winbind enum groups = yes
    winbind refresh tickets = Yes
    winbind expand groups = 4
    winbind normalize names = Yes
    domain master = no
    local master = no
    vfs objects = acl_xattr
    map acl inherit = Yes
    store dos attributes = Yes
[ALLSTUDENTS]

    path = /home/ALLSTUDENTS
    # valid users = %S
    readonly = no
    writable = yes
    printable = no
    create mode = 0700
    directory mode = 0700

I turned up the logs for idmap, here's what I see:

log.winbindd-idmap:  idmap range not specified for domain DEBIAN-TESTER
log.winbindd-idmap:  gid [0] not mapped
log.winbindd-idmap:  idmap backend ad not found
log.winbindd-idmap:  gid [65534] not mapped
log.winbindd-idmap:  Record S-1-5-21-2072017671-3909937455-2446232893-501 not found
log.winbindd-idmap:  Record S-1-5-21-2072017671-3909937455-2446232893-513 not found
log.winbindd-idmap:  Record S-1-5-21-2072017671-3909937455-2446232893-546 not found
log.winbindd-idmap:  Record S-1-5-21-2072017671-3909937455-2446232893-501 not found
log.winbindd-idmap:  Record S-1-5-21-2072017671-3909937455-2446232893-513 not found
log.winbindd-idmap:  Record S-1-5-21-2072017671-3909937455-2446232893-546 not found
log.winbindd-idmap:  uid [0] not mapped


Thanks for all of your help!

John
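As an added example (not code from the thread or from Samba), a small Python checker that parses the idmap lines from a constructed copy of the smb.conf above and reports which idmap range a uid or gid was drawn from. An id in the '*' range means the default tdb allocator answered instead of the VANGUARD ad backend, which is consistent with the "idmap backend ad not found" line in the log above; the function names are assumed.

```python
import re

# Constructed excerpt: the idmap-related lines from the smb.conf in the post.
SMB_CONF = """
[global]
    workgroup = VANGUARD
    idmap config *:backend = tdb
    idmap config *:range = 2000-9999
    idmap config VANGUARD:backend = ad
    idmap config VANGUARD:schema_mode = rfc2307
    idmap config VANGUARD:range = 10000-99999
"""

# Matches "idmap config <domain>:<option> = <value>"
IDMAP_RE = re.compile(r"^\s*idmap config\s+([^:]+):(\w+)\s*=\s*(.+?)\s*$", re.IGNORECASE)


def parse_idmap(conf):
    """Return {idmap domain: {option: value}} for every 'idmap config' line."""
    cfg = {}
    for line in conf.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            dom, opt, val = m.group(1).strip(), m.group(2).lower(), m.group(3)
            cfg.setdefault(dom, {})[opt] = val
    return cfg


def parse_range(text):
    """'2000-9999' -> (2000, 9999)."""
    lo, hi = text.split("-")
    return int(lo), int(hi)


def idmap_domain_for(cfg, unix_id):
    """Return (domain, backend) for the idmap range containing unix_id, else None."""
    for dom, opts in cfg.items():
        if "range" in opts:
            lo, hi = parse_range(opts["range"])
            if lo <= unix_id <= hi:
                return dom, opts.get("backend", "?")
    return None


def check_id(cfg, expected_domain, unix_id):
    """Say which idmap range a uid/gid came from; '*' means the tdb fallback, not AD."""
    hit = idmap_domain_for(cfg, unix_id)
    if hit is None:
        return f"id {unix_id} lies outside every configured idmap range"
    dom, backend = hit
    if dom == expected_domain:
        return f"id {unix_id} came from the {dom} range ({backend}): OK"
    return (f"id {unix_id} came from the '{dom}' range ({backend}), not from "
            f"{expected_domain}: the {expected_domain} backend was not consulted")
```

Running check_id(parse_idmap(SMB_CONF), "VANGUARD", 2000) reports the uid seen in the `id flyboy` output as coming from the '*' (tdb) range, which is the symptom the post describes.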
