[Samba] wbinfo -u does not list trusted users, wbinfo -n works, idmap not working

Gaiseric Vandal gaiseric.vandal at gmail.com
Wed Dec 14 19:46:07 UTC 2016


On the Samba 4.5.1 domain controllers (PDC and BDC) of a classic domain,
LDAP is used as the backend both for user accounts AND for the idmapping
of trusted domains. Partial smb.conf below:

    workgroup = THISDOMAIN
    security = user
    passdb backend = ldapsam:ldap://xxxxxxxxxxxxxxxxx

    idmap config * : backend = tdb
    idmap config * : range = 5000-6000

    idmap config THISDOMAIN : backend = nss
    idmap config THISDOMAIN : range = 100-300

    idmap config TRUSTEDDOMAIN : backend = ldap
    idmap config TRUSTEDDOMAIN : readonly = no
    idmap config TRUSTEDDOMAIN : default = no
    idmap config TRUSTEDDOMAIN : ldap_base_dn = ou=xxxxxxxxxx
    idmap config TRUSTEDDOMAIN : ldap_user_dn = xxxxxxxxx
    idmap config TRUSTEDDOMAIN : ldap_url = ldap://xxxxxxxxxxx
    idmap config TRUSTEDDOMAIN : range = 30000-39999



On the 4.5.1 domain members I have tried the TDB backend for trusted-domain
idmapping ...


    idmap config TRUSTEDDOMAIN : backend = tdb
    idmap config TRUSTEDDOMAIN : range = 30000-39999




...and I have tried the LDAP backend:

    idmap config TRUSTEDDOMAIN : backend = ldap
    idmap config TRUSTEDDOMAIN : readonly = no
    idmap config TRUSTEDDOMAIN : default = no
    idmap config TRUSTEDDOMAIN : ldap_base_dn = ou=xxxxxxxxxx
    idmap config TRUSTEDDOMAIN : ldap_user_dn = xxxxxxxxx
    idmap config TRUSTEDDOMAIN : ldap_url = ldap://xxxxxxxxxxx
    idmap config TRUSTEDDOMAIN : range = 30000-39999

But idmap fails regardless on the domain members.

    # /usr/local/samba/bin/wbinfo -n "THISDOMAIN\myname"
    S-1-5-21-xxx-xxx-xxx-xxx SID_USER (1)

    # /usr/local/samba/bin/wbinfo -i "THISDOMAIN\myname"
    THISDOMAIN\myname:*:123:100:My Name :/home/THISDOMAIN/myname:/bin/false

    # /usr/local/samba/bin/wbinfo -n "TRUSTEDUSER\someuser"
    S-1-5-21-xxx-xxx-xxx-xxx SID_USER (1)

    # /usr/local/samba/bin/wbinfo -i "TRUSTEDUSER\someuser"
    failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
    Could not get info for user TRUSTEDUSER\someuser
    #

    # /usr/local/samba/bin/wbinfo --allocate-uid
    failed to call wbcAllocateUid: WBC_ERR_DOMAIN_NOT_FOUND
    Could not allocate a uid
    #



I could never get idmapping for trusted domains working on member 
servers with samba 3.6.x either.


It seems that wbinfo just doesn't like trusted domains.


I am presuming that I can only use the idmap ad backend for my "own"
domain (if I were in an AD domain) and not for trusted domains. I also
suspect that the idmap ldap backend is only valid on domain controllers.


Appreciate any help.

Thanks

On 12/13/16 09:51, Gaiseric Vandal wrote:
> Running a mix of samba versions (3.6.25 and 4.5.1) in two domains: 
> one "classic" (with samba domain controllers) and one AD (with windows 
> domain controllers.)   The eventual goal is to drop the classic domain 
> in favor of the AD domain.   Also trying to move from samba 3.x to 4.x 
> since Samba 3 is EOL'd.
>
>
> The "wbinfo -u" command will list users in the server's domain but not 
> trusted domains.   However the "wbinfo -n" command (e.g. "wbinfo -n 
> TRUSTEDDOMAIN\username") does return the user's SID, and "getent 
> passwd" may be able to show the trusted user (depending on idmap config.)
>
>
> Typical winbind settings are
>
>
>  # testparm -v | grep winbind
> ....
>
>         winbind separator = \
>         winbind cache time = 300
>         winbind reconnect delay = 30
>         winbind max clients = 200
>         winbind enum users = Yes
>         winbind enum groups = Yes
>         winbind use default domain = No
>         winbind trusted domains only = No
>         winbind nested groups = Yes
>         winbind expand groups = 1
>         winbind nss info = template
>         winbind refresh tickets = No
>         winbind offline logon = No
>         winbind normalize names = No
>         winbind rpc only = No
>         winbind max domain connections = 1
> #
>
> Changing "winbind use default domain" or "winbind trusted domains 
> only" to yes will change how the own-domain users are displayed 
> ("MYDOMAIN\username" vs "username")
>
>
> Logs show errors about winbind not being able to connect to either 
> the own or trusted domains when I restart the winbind svc.    It seems 
> like winbind has issues when it starts but then future "wbinfo -n" 
> lookups do connect.   "wbinfo -D TRUSTDOMAIN" works.
>
> I used to run just samba 3.6.25 in a classic domain.  Trusts with AD 
> domains were fine until the various BADLOCK-related patches came 
> out for windows.    Samba 3.6.25 with backported badlock patches 
> seemed to fix trust issues with domains BUT broke windows client 
> logins.       I think I just need to get away from samba 3 (and 
> classic domains) or I will continue to have issues with the latest 
> versions of windows.
>
>
>
>
> thanks
>
>
>
>
>
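Before blaming a particular idmap backend, it is worth checking that a member's idmap stanzas are complete and consistent: winbind needs an `idmap config * : backend` default for any domain that lacks its own stanza, every range must be well-formed, and no two ranges may overlap. The checker below is an added example, not code from the thread or from the Samba project. It parses `idmap config` lines the way Samba normalises them (whitespace around the colon ignored, keys lowercased), reports missing defaults, malformed ranges and overlaps, and lists which domains a member sees (the names `wbinfo -m` prints) have no explicit stanza. The two smb.conf snippets inside it are constructed for illustration, loosely modelled on the member-server config above; `OTHERTRUST` and `THIRDTRUST` are invented domain names. In practice you would feed it the output of `testparm -s` instead.

```python
"""Sanity-check the idmap config stanzas of an smb.conf.

Added example, not from the original mailing-list post. The sample
configs below are constructed for illustration only.
"""
import re
from typing import Dict, List, Sequence, Tuple

# Matches "idmap config DOMAIN : key = value". Samba ignores whitespace
# around the colon, so "DOM : backend" and "DOM:backend" both parse.
IDMAP_RE = re.compile(
    r"^\s*idmap\s+config\s+(?P<domain>[^:\s]+)\s*:\s*(?P<key>\w+)\s*=\s*(?P<value>.*?)\s*$",
    re.IGNORECASE,
)


def parse_idmap(conf: str) -> Dict[str, Dict[str, str]]:
    """Return {DOMAIN: {key: value}} for every idmap config line in conf."""
    stanzas: Dict[str, Dict[str, str]] = {}
    for line in conf.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            dom = m.group("domain").upper()
            stanzas.setdefault(dom, {})[m.group("key").lower()] = m.group("value")
    return stanzas


def parse_range(text: str) -> Tuple[int, int]:
    """Parse 'LOW-HIGH' into ints; raise ValueError if malformed or inverted."""
    parts = text.split("-")
    if len(parts) != 2:
        raise ValueError(f"range {text!r} is not LOW-HIGH")
    lo, hi = int(parts[0]), int(parts[1])  # int() raises ValueError on junk
    if lo > hi:
        raise ValueError(f"range {text!r} has LOW > HIGH")
    return lo, hi


def check_idmap(conf: str) -> List[str]:
    """Return a list of human-readable problems; empty means the stanzas look sane."""
    problems: List[str] = []
    stanzas = parse_idmap(conf)
    if "*" not in stanzas:
        problems.append("no 'idmap config * : backend' default stanza; SIDs from "
                        "domains without their own stanza have nowhere to be allocated")
    ranges: Dict[str, Tuple[int, int]] = {}
    for dom, keys in sorted(stanzas.items()):
        if "backend" not in keys:
            problems.append(f"{dom}: no backend configured")
        if "range" not in keys:
            problems.append(f"{dom}: no range configured")
            continue
        try:
            ranges[dom] = parse_range(keys["range"])
        except ValueError as exc:
            problems.append(f"{dom}: {exc}")
    # Pairwise overlap test: two closed intervals overlap iff each starts
    # no later than the other ends.
    names = sorted(ranges)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            (alo, ahi), (blo, bhi) = ranges[a], ranges[b]
            if alo <= bhi and blo <= ahi:
                problems.append(f"ranges of {a} ({alo}-{ahi}) and {b} ({blo}-{bhi}) overlap")
    return problems


def domains_without_idmap(conf: str, seen_domains: Sequence[str]) -> List[str]:
    """Domains (e.g. the names printed by `wbinfo -m`) that have no explicit
    idmap stanza and will therefore fall through to the '*' default."""
    configured = set(parse_idmap(conf))
    return [d for d in seen_domains if d.upper() not in configured]


# Constructed sample, modelled on the member-server config in the thread.
SAMPLE_OK = """
[global]
    workgroup = THISDOMAIN
    idmap config * : backend = tdb
    idmap config * : range = 5000-6000
    idmap config THISDOMAIN : backend = nss
    idmap config THISDOMAIN : range = 100-300
    idmap config TRUSTEDDOMAIN:backend = tdb
    idmap config TRUSTEDDOMAIN:range = 30000-39999
"""

# Constructed counter-example: no '*' default, one overlap, one bad range.
SAMPLE_BAD = """
[global]
    workgroup = THISDOMAIN
    idmap config THISDOMAIN : backend = nss
    idmap config THISDOMAIN : range = 100-300
    idmap config TRUSTEDDOMAIN : backend = tdb
    idmap config TRUSTEDDOMAIN : range = 30000-39999
    idmap config OTHERTRUST : backend = tdb
    idmap config OTHERTRUST : range = 35000-45000
    idmap config THIRDTRUST : backend = tdb
    idmap config THIRDTRUST : range = 40000
"""

if __name__ == "__main__":
    for label, conf in (("SAMPLE_OK", SAMPLE_OK), ("SAMPLE_BAD", SAMPLE_BAD)):
        print(f"== {label}")
        for p in check_idmap(conf) or ["ok"]:
            print("  ", p)
    # Domains a member might see via `wbinfo -m` (constructed list).
    print("unmapped:", domains_without_idmap(SAMPLE_OK, ["THISDOMAIN", "TRUSTEDDOMAIN", "OTHERTRUST"]))
```

Run it as `testparm -s /etc/samba/smb.conf 2>/dev/null | python3 -c 'import sys, idmapcheck; print(idmapcheck.check_idmap(sys.stdin.read()))'` (with the block saved as `idmapcheck.py`) to check a real member's effective configuration; a domain reported by `domains_without_idmap` is one whose SIDs can only be mapped through the `*` default.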