Andrey Repin anrdaemon at yandex.ru
Wed Apr 22 05:56:58 MDT 2015

Greetings, Peter Ross!

> For a while I have been running a Samba 4.1 AD server under FreeBSD (from the
> FreeBSD ports). At the moment the domain has ca. 20 Windows 7 desktops.

> I wanted to add a Samba 4.1 file server as a member server, was able to
> join the domain and see AD users via "winbind -u"

> but "getent password" or "id <user>" does not work.

Sounds quite familiar...

> The smb4.conf follows

> https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server

> I added RFC2307 attributes to the AD server according to

> https://wiki.samba.org/index.php/Using_RFC2307_on_a_Samba_DC

> and installed RSAT on a Windows 7 desktop. I can see and manipulate "Unix 
> Attributes" (giving UIDs/GIDs from 10000 upwards) and see them in the LDAP 
> dump.

> In /etc/nsswitch.conf I have

> passwd: compat winbind
> group: compat winbind

> As to the library: the port installed

>      nss_winbind.so.1

> but it did not appear in "ldconfig -r".. Just for the purpose of testing I 
> moved it to

>      libnss_winbind.so.1

> so ldconfig finds it.. Is this a bug? Something to do with
> https://bugzilla.samba.org/show_bug.cgi?id=9704 ?

To know whether this is a bug or not, increase the logging level for winbind (to 3 at
least) and see whether it tries to resolve the names at all.
For idmap to work, both users and their primary groups need to have a correct
uid/gid assigned, and the uid/gid needs to be in the range specified by the idmap
config for the domain.

To see the list of all assigned uid/gid values:
ldbsearch -s sub -H /var/lib/samba/private/sam.ldb '(|(gidnumber=*)(uidnumber=*))' gidnumber uidnumber | grep -i "^.idnumber" | cut -d" " -f 2 | sort -un

Ignore uid 0 and 65534, though.

> Anyway, no getent entries, no id..

> Here the smb4.conf:

> [global]

>     workgroup = DOMAIN
>     security = ADS
>     realm = DOMAIN.FDA
>     dedicated keytab file = /etc/krb5.keytab
>     kerberos method = secrets and keytab

>     idmap config *:backend = tdb
>     idmap config *:range = 2000-9999
>     idmap config DOMAIN:backend = ad
>     idmap config DOMAIN:schema_mode = rfc2307
>     idmap config DOMAIN:range = 10000-99999

>     winbind nss info = rfc2307
>     winbind trusted domains only = no
>     winbind use default domain = yes
>     winbind enum users  = yes
>     winbind enum groups = yes
>     winbind refresh tickets = Yes
>     winbind expand groups = 4
>     winbind normalize names = Yes

> ..

> Do you have any advice which could help me to get it working?


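The two checks Andrey describes (every user and its primary group carries a uid/gid, and those numbers fall inside the "idmap config DOMAIN:range" from smb4.conf) can be scripted over the ldbsearch output instead of eyeballing the sorted list. The script below is an added example written for this page; it is not Samba's code and not part of the original thread. It assumes LDIF as ldbsearch prints it (one attribute per line, records separated by blank lines, no line folding) and treats a user's own gidNumber attribute as its Unix primary group; the smb4.conf fragment and the LDIF records are constructed sample data, with bob, carol and dave deliberately broken.

```shell
#!/bin/sh
# Added example for this thread, not Samba's code and not from the original
# post: check RFC2307 uid/gid assignments in sam.ldb against the idmap range
# configured for the domain in smb4.conf.
# Assumptions (not on the page): LDIF as printed by ldbsearch (one attribute
# per line, records separated by blank lines, no line folding); a user's own
# gidNumber attribute is treated as its Unix primary group.

# idmap_range DOMAIN < smb4.conf : prints "LOW HIGH" from "idmap config DOMAIN:range = LOW-HIGH"
idmap_range() {
    awk -v dom="$1" '
        BEGIN { re = "^[ \t]*idmap[ \t]+config[ \t]+" tolower(dom) "[ \t]*:[ \t]*range[ \t]*=" }
        tolower($0) ~ re { sub(/^[^=]*=[ \t]*/, ""); split($0, r, "-"); print r[1] + 0, r[2] + 0; exit }'
}

# audit_idmap LOW HIGH < ldif : one line per problem; exit status = number of problems
audit_idmap() {
    awk -v low="$1" -v high="$2" '
        function flush() {
            if (dn == "") return
            n++; name[n] = sam; cls[n] = cls_; uid[n] = uidn; gid[n] = gidn
            if (cls_ == "group" && gidn != "") grp[gidn] = sam
            dn = ""; sam = ""; cls_ = ""; uidn = ""; gidn = ""
        }
        function inrange(v) { return (v + 0 >= low + 0 && v + 0 <= high + 0) }
        /^#/ { next }                  # "# record N" comments from ldbsearch
        /^$/ { flush(); next }         # blank line ends a record
        /^dn: / { dn = substr($0, 5); next }
        {
            attr = tolower($1); sub(/:$/, "", attr)
            val = $0; sub(/^[^:]*:[ \t]*/, "", val)
            if (attr == "samaccountname") sam = val
            else if (attr == "uidnumber") uidn = val
            else if (attr == "gidnumber") gidn = val
            else if (attr == "objectclass" && val == "group") cls_ = "group"
            else if (attr == "objectclass" && val == "user" && cls_ == "") cls_ = "user"
        }
        END {
            flush(); bad = 0
            for (i = 1; i <= n; i++) {
                if (cls[i] == "group") {
                    if (gid[i] != "" && !inrange(gid[i])) { printf "group %s: gidNumber %s outside %s-%s\n", name[i], gid[i], low, high; bad++ }
                    continue
                }
                if (cls[i] != "user") continue
                if (uid[i] == "") { printf "user %s: no uidNumber, winbind cannot map it\n", name[i]; bad++; continue }
                if (!inrange(uid[i])) { printf "user %s: uidNumber %s outside %s-%s\n", name[i], uid[i], low, high; bad++ }
                if (gid[i] == "") { printf "user %s: no gidNumber, primary group unmapped\n", name[i]; bad++ }
                else if (!(gid[i] in grp)) { printf "user %s: gidNumber %s matches no group\n", name[i], gid[i]; bad++ }
                else if (!inrange(gid[i])) { printf "user %s: primary gid %s outside %s-%s\n", name[i], gid[i], low, high; bad++ }
            }
            exit bad
        }'
}

# Constructed sample data (not from the thread); bob, carol and dave are broken on purpose.
SAMPLE_CONF='[global]
    idmap config *:backend = tdb
    idmap config *:range = 2000-9999
    idmap config DOMAIN:backend = ad
    idmap config DOMAIN:schema_mode = rfc2307
    idmap config DOMAIN:range = 10000-99999'
SAMPLE_LDIF='# record 1
dn: CN=Domain Users,CN=Users,DC=domain,DC=fda
objectClass: group
sAMAccountName: Domain Users
gidNumber: 10000

dn: CN=alice,CN=Users,DC=domain,DC=fda
objectClass: user
sAMAccountName: alice
uidNumber: 10001
gidNumber: 10000

dn: CN=bob,CN=Users,DC=domain,DC=fda
objectClass: user
sAMAccountName: bob
uidNumber: 5000
gidNumber: 10000

dn: CN=carol,CN=Users,DC=domain,DC=fda
objectClass: user
sAMAccountName: carol
uidNumber: 10003
gidNumber: 20000

dn: CN=dave,CN=Users,DC=domain,DC=fda
objectClass: user
sAMAccountName: dave
gidNumber: 10000'

set -- $(printf '%s\n' "$SAMPLE_CONF" | idmap_range DOMAIN)
rc=0; printf '%s\n' "$SAMPLE_LDIF" | audit_idmap "$1" "$2" || rc=$?
echo "problems found: $rc"   # 3 with the sample above
# Live DC (path as in the post): ldbsearch -H /var/lib/samba/private/sam.ldb \
#   '(|(uidNumber=*)(gidNumber=*))' sAMAccountName objectClass uidNumber gidNumber | audit_idmap "$1" "$2"
```

A user that passes this audit but still does not show up in "getent passwd" points at the member server side (nsswitch, the nss_winbind library name, or winbind itself), which is where the raised winbind log level comes in; a user that fails it will never be mapped by idmap_ad no matter what the member server does.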