[Samba] [SOLVED] (kinda) Re: Can't get idmap_ad to work with winbind (only idmap_rid)

a.braml at buerger-energie-berlin.de a.braml at buerger-energie-berlin.de
Wed Jan 28 15:25:11 MST 2015


Am 28.01.2015 21:21, schrieb Rowland Penny:
> On 28/01/15 19:56, "Andreas Braml (BürgerEnergie Berlin)" wrote:
>> [...]
>> But when I take the "known good" smb.conf to a fresh FreeBSD client
>> installed from scratch, adjusting the netbios name and then doing the
>> join, the behavior stays the same: backend rid works, ad does not.
> Very strange, but just one thing, you don't actually have to set the
> netbios name in smb.conf.

In the known good smb.conf I left it out already. Maybe amend the Wiki 
accordingly, i.e. put in a note that you can leave out some parameters, 
they are defaults anyway (winbind trusted domains only = no is even

> It might help if you post your smb.conf.

Here goes:

    workgroup = TEST
    security = ADS
    dedicated keytab file = /etc/krb5.keytab
    kerberos method = secrets and keytab

    idmap config *:backend = tdb
    idmap config *:range = 70000-99999
    idmap config TEST:backend = ad
    idmap config TEST:schema_mode = rfc2307
    idmap config TEST:range = 100000-2000000

    winbind nss info = rfc2307
    winbind trusted domains only = no
    winbind use default domain = yes
    winbind enum users = yes
    winbind enum groups = yes
    winbind refresh tickets = yes

    path = /usr/local/share/test
    read only = no

>> There seems to be a problem with FreeBSD as a member server after all.
> Possibly
>> And I will check with Ubuntu 12.04 again.

Which might take a while, figuring our where to put compiled binaries 
The stock packages are too old (no libnss-winbind for starters) and I 
feel like registering at SerNet.
But I have a hunch that this was why it didn't work back then - me too 
not putting libs in the right directory or something like that.

> [...]
>> At one point I thought that this might be the problem - so long as
>> there's only even one single group/user that doesn't have a 
>> [gu]idNumber
>> set, it wouldn't work. That assumption was wrong, obviously. But it
>> didn't hurt either with the hunt for the problem at hand.
> If you use the 'ad' backend, winbind will only pull users & groups
> that have a uidNumber or gidNumber, these numbers need to be inside
> the range set in smb.conf, any other users are ignored.

Like it say in the manpage. But as I said, at one point I thought that 
this might
be a "all or nothing" which the documentation failes to mention. 
Fortunately this
is not the case, works as advertised.

>> The highest uid in use on the BSD is for the 'nobody' user (65534). It
>> might be a while before the AD user/group count gets to that, but I
>> wanted to play it safe here and started beyond that. 
>> msSFU30MaxUidNumber
>> and msSFU30MaxGidNumber are set accordingly.
> Yes, I noticed that about 'nobody' (there was probably a reason for
> this) so my adduser script jumps around 65534.

But tools like ADUC don't respect that (?) I plan to delegate some of 
the user/group
administration. The delegees will most likely use the MS tools.

>>> I think your problem is that you have given your users/groups
>>> numbers that are outside the ranges you have set in AD.
>> No, it's not. (Since it works on Ubuntu now.)
> Well it was just a thought, I know I had problems when I first started
> using winbind, I could only get the RID backend to work, until it just
> seemed to click and now I have no problems. :-)

Seems like history repeats itself once more :D


More information about the samba mailing list