[Samba] wbinfo -u does not listed trusted users, wbinfo -n works, idmap not working
Gaiseric Vandal
gaiseric.vandal at gmail.com
Wed Dec 14 19:46:07 UTC 2016
On the samba 4.5.1 domain controllers (PDC and BDC), classic domain,
LDAP is used as the backend both for user accounts AND for the idmapping
of trusted domains. Partial smb.conf below:
workgroup = THISDOMAIN
security = user
passdb backend = ldapsam:ldap://xxxxxxxxxxxxxxxxx
idmap config * : backend = tdb
idmap config * : range = 5000-6000
idmap config THISDOMAIN : backend = nss
idmap config THISDOMAIN : range = 100-300
idmap config TRUSTEDDOMAIN:backend = ldap
idmap config TRUSTEDDOMAIN:readonly = no
idmap config TRUSTEDDOMAIN:default=no
idmap config TRUSTEDDOMAIN:ldap_base_dn = ou=xxxxxxxxxx
idmap config TRUSTEDDOMAIN:ldap_user_dn = xxxxxxxxx
idmap config TRUSTEDDOMAIN:ldap_url = ldap://xxxxxxxxxxx
idmap config TRUSTEDDOMAIN:range = 30000-39999
On the 4.5.1 domain members I have tried the TDB backend for trusted domain
idmapping ...
idmap config TRUSTEDDOMAIN : backend = tdb
idmap config TRUSTEDDOMAIN : range = 30000-39999
...and I have tried LDAP backend
idmap config TRUSTEDDOMAIN:backend = ldap
idmap config TRUSTEDDOMAIN:readonly = no
idmap config TRUSTEDDOMAIN:default=no
idmap config TRUSTEDDOMAIN:ldap_base_dn = ou=xxxxxxxxxx
idmap config TRUSTEDDOMAIN:ldap_user_dn = xxxxxxxxx
idmap config TRUSTEDDOMAIN:ldap_url = ldap://xxxxxxxxxxx
idmap config TRUSTEDDOMAIN:range = 30000-39999
But idmap fails regardless on the domain members.
# /usr/local/samba/bin/wbinfo -n "THISDOMAIN\myname"
S-1-5-21-xxx-xxx-xxx-xxx SID_USER (1)
# /usr/local/samba/bin/wbinfo -i "THISDOMAIN\myname"
THISDOMAIN\myname:*:123:100:My Name :/home/THISDOMAIN/myname:/bin/false
# /usr/local/samba/bin/wbinfo -n "TRUSTEDUSER\someuser"
S-1-5-21-xxx-xxx-xxx-xxx SID_USER (1)
# /usr/local/samba/bin/wbinfo -i "TRUSTEDUSER\someuser"
failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
Could not get info for user TRUSTEDUSER\someuser
#
# /usr/local/samba/bin/wbinfo --allocate-uid
failed to call wbcAllocateUid: WBC_ERR_DOMAIN_NOT_FOUND
Could not allocate a uid
#
I could never get idmapping for trusted domains working on member
servers with samba 3.6.x either.
It seems that wbinfo just doesn't like trusted domains.
I am presuming that I can only use the idmap ad backend for my "own"
domain (if I were in an AD domain) and not for trusted domains. I also
suspect that the idmap ldap backend is only valid on domain controllers.
Appreciate any help.
Thanks
On 12/13/16 09:51, Gaiseric Vandal wrote:
> Running a mix of samba versions (3.6.25 and 4.5.1) in two domains:
> one "classic" (with samba domain controllers) and one AD (with windows
> domain controllers). The eventual goal is to drop the classic domain
> in favor of the AD domain. Also trying to move from samba 3.x to 4.x
> since Samba 3 is EOL'd.
>
> the "wbinfo -u" command will list users in the server's domain but not
> trusted domains. However the "wbinfo -n" command (e.g. "wbinfo -n
> TRUSTEDDOMAIN\username") does return the user's SID, and "getent
> passwd" may be able to show the trusted user (depending on idmap config).
>
> Typical winbind settings are
>
> # testparm -v | grep winbind
> ....
>
> winbind separator = \
> winbind cache time = 300
> winbind reconnect delay = 30
> winbind max clients = 200
> winbind enum users = Yes
> winbind enum groups = Yes
> winbind use default domain = No
> winbind trusted domains only = No
> winbind nested groups = Yes
> winbind expand groups = 1
> winbind nss info = template
> winbind refresh tickets = No
> winbind offline logon = No
> winbind normalize names = No
> winbind rpc only = No
> winbind max domain connections = 1
> #
>
> Changing "winbind use default domain" or "winbind trusted domains
> only" to yes will change how the own-domain users are displayed
> ("MYDOMAIN\username" vs "username")
>
> Logs show errors about winbind not being able to connect to either
> the own or trusted domains when I restart the winbind svc. It seems
> like winbind has issues when it starts but then future "wbinfo -n"
> lookups do connect. "wbinfo -D TRUSTDOMAIN" works.
>
> I used to run just samba 3.6.25 in the classic domain. Trusts with AD
> domains were fine until the various BADLOCK related patches came
> out for windows. Samba 3.6.25 with backported badlock patches
> seemed to fix the trust issues with domains BUT broke windows client
> logins. I think I just need to get away from samba 3 (and
> classic domains) or I will continue to have issues with the latest
> versions of windows.
>
> thanks
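Before chasing winbind's trusted-domain lookups, it is worth ruling out a malformed, missing or overlapping idmap range, since winbind cannot map a SID into a range that does not exist or is already taken. The script below is an added example, not part of the original post or of Samba: it parses the "idmap config <DOMAIN> : range" lines of an smb.conf (both spellings, "DOM : range" and "DOM:range", as they appear in the message above) and reports such problems. The two smb.conf fragments are constructed from the ranges in the post, with one deliberately broken.

```shell
# Added example, not from the original post: check the "idmap config <DOM> : range"
# entries in an smb.conf, since winbind cannot map a SID into a malformed,
# missing or overlapping range. The two fragments are constructed from the post.

# Print "DOMAIN LOW HIGH" per range line; accepts "DOM : range" and "DOM:range".
idmap_ranges() {
    awk -F'=' 'tolower($1) ~ /^[ \t]*idmap config .*:[ \t]*range[ \t]*$/ {
        split($1, key, ":"); dom = key[1]
        sub(/^[ \t]*idmap config[ \t]*/, "", dom); gsub(/[ \t]+$/, "", dom)
        split($2, r, "-"); gsub(/[ \t]/, "", r[1]); gsub(/[ \t]/, "", r[2])
        print dom, r[1], r[2]
    }' "$1"
}

# Exit 0 when every range is low<high, a "*" default exists and nothing overlaps;
# otherwise print each problem and exit 1.
check_idmap_ranges() {
    idmap_ranges "$1" | awk '{
        dom[NR] = $1; lo[NR] = $2 + 0; hi[NR] = $3 + 0
        if ($2 == "" || $3 == "" || lo[NR] >= hi[NR]) { print "bad range for " $1 ": " $2 "-" $3; bad = 1 }
        if ($1 == "*") have_default = 1
    }
    END {
        if (!have_default) { print "missing idmap config * : range"; bad = 1 }
        for (i = 1; i <= NR; i++) for (j = i + 1; j <= NR; j++)
            if (lo[i] <= hi[j] && lo[j] <= hi[i]) {
                printf "overlap: %s %d-%d vs %s %d-%d\n", dom[i], lo[i], hi[i], dom[j], lo[j], hi[j]; bad = 1
            }
        exit bad
    }'
}

GOOD_CONF=$(mktemp); BAD_CONF=$(mktemp)
cat >"$GOOD_CONF" <<'EOF'
idmap config * : backend = tdb
idmap config * : range = 5000-6000
idmap config THISDOMAIN : backend = nss
idmap config THISDOMAIN : range = 100-300
idmap config TRUSTEDDOMAIN:backend = ldap
idmap config TRUSTEDDOMAIN:range = 30000-39999
EOF
cat >"$BAD_CONF" <<'EOF'
idmap config THISDOMAIN : range = 100-300
idmap config TRUSTEDDOMAIN:range = 39999-30000
idmap config OTHERDOMAIN : range = 200-400
EOF
check_idmap_ranges "$GOOD_CONF" && echo "good config: ok"
check_idmap_ranges "$BAD_CONF" || echo "bad config: problems found"
```

Run it against the real /etc/samba/smb.conf (or testparm -s output) on each member server; a clean result means the failure lies in winbind's domain lookup rather than in the range layout.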