[Samba] "samba-tool user add" and idmap shenanigans

Stuart Longland stuartl at vrt.com.au
Mon Feb 1 02:52:52 UTC 2016

Hi all,

We're in the process of finally moving from our aging Samba3-based
infrastructure across to Samba4.

Rather than trying to migrate, we're just making a clean break so that
we can do it properly from day one, as there were likely some mistakes
that were made years ago we want to leave behind.

The machines under test are virtual machines running Ubuntu 14.04 LTS
AMD64.  I've just done an `apt-get dist-upgrade` this morning.

We've got an AD server going happily, with the relevant NIS extensions
running and winbindd.  All is good.  I can create a user on the server,
and it appears along with a UID.

> root at bnedevdc0:~# samba-tool user add testuser2 --random-password 
> User 'testuser2' created successfully
> root at bnedevdc0:~# wbinfo -i testuser2
> VRTAD\testuser2:*:3000032:10000::/home/VRTAD/testuser2:/bin/false

Other users work too:
> root at bnedevdc0:~# wbinfo -i testuser
> VRTAD\testuser:*:123456:10000::/home/VRTAD/testuser:/bin/false

Now, I move across to my member server and try to repeat the two
`wbinfo` commands:

> root at bnedevmail:~# wbinfo -i testuser
> testuser:*:123456:10000:testuser:/home/VRTAD/testuser:/bin/bash
> root at bnedevmail:~# wbinfo -i testuser2
> failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
> Could not get info for user testuser2

I can do `id` and other commands with 'testuser' as if it were a local
Unix account, but not with 'testuser2'.

The only thing different about these is that when creating 'testuser', I
explicitly provided --uid-number, setting it to 123456 as a test.  It
got stored in LDAP as uidNumber, which is fine.

Somewhere, the AD server decided upon 300032 as the UID number for
'testuser2', however it forgot to write that into LDAP, and so the
member server can't see it.  I see reference to xidNumber in places too
-- it didn't bother to write that to LDAP either.

On the old server `smbldap-useradd` would take care of assigning unique
user IDs, so I know Samba supports this feature.

I've checked configuration files and logs, the only thing I see is in
`winbindd` logs on the member server:

> ==> /var/log/samba/log.winbindd <==
> [2016/02/01 12:52:31.513489,  5] ../source3/winbindd/winbindd_getpwnam.c:137(winbindd_getpwnam_recv)
>   Could not convert sid S-1-5-21-3300742366-236599213-516333450-7025: NT_STATUS_NONE_MAPPED

Yet, it's clearly mapped when I try to do the same thing on the domain
controller itself.  Is there something that I'm missing?

     _ ___             Stuart Longland - Systems Engineer
\  /|_) |                           T: +61 7 3535 9619
 \/ | \ |     38b Douglas Street    F: +61 7 3535 9699
   SYSTEMS    Milton QLD 4064       http://www.vrt.com.au
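One way to triage which accounts are affected, as an added example that is not from the post or from Samba itself: it parses passwd-style `wbinfo -i` output captured on the DC and on the member server (constructed samples mirroring the ones above), flags UIDs that fall in the DC's default idmap.ldb allocation range (3000000-3999999, an assumption about the DC's defaults), and pulls the NT_STATUS_NONE_MAPPED SIDs out of the member's winbindd log.

```python
import re

# Accounts with no uidNumber in AD get an ID from the DC's private idmap.ldb.
# The default allocation range is an assumption about an unmodified DC.
DC_LOCAL_XID_RANGE = (3000000, 3999999)

# `wbinfo -i` prints passwd-style lines: [DOMAIN\]name:*:uid:gid:gecos:home:shell
PASSWD_RE = re.compile(r"^(?:[^\\:]+\\)?(?P<name>[^:]+):[^:]*:(?P<uid>\d+):")
# winbindd log line emitted on the member server when a SID has no mapping
NONE_MAPPED_RE = re.compile(
    r"Could not convert sid (?P<sid>S-1-5-21-[0-9-]+): NT_STATUS_NONE_MAPPED")

# Constructed samples that mirror the outputs quoted in the post.
SAMPLE_DC = (
    "VRTAD\\testuser2:*:3000032:10000::/home/VRTAD/testuser2:/bin/false\n"
    "VRTAD\\testuser:*:123456:10000::/home/VRTAD/testuser:/bin/false\n")
SAMPLE_MEMBER = "testuser:*:123456:10000:testuser:/home/VRTAD/testuser:/bin/bash\n"
SAMPLE_LOG = ("[2016/02/01 12:52:31.513489,  5] ../source3/winbindd/winbindd_getpwnam.c"
              ":137(winbindd_getpwnam_recv)\n  Could not convert sid "
              "S-1-5-21-3300742366-236599213-516333450-7025: NT_STATUS_NONE_MAPPED\n")

def parse_wbinfo(text):
    """Map account name (domain prefix dropped) -> uid for each passwd-style line."""
    uids = {}
    for line in text.splitlines():
        m = PASSWD_RE.match(line.strip())
        if m:
            uids[m.group("name")] = int(m.group("uid"))
    return uids

def classify_accounts(dc_output, member_output):
    """For every account the DC resolves, report whether the member server
    agrees on the UID, and if not whether the DC's UID is a local allocation."""
    dc, member = parse_wbinfo(dc_output), parse_wbinfo(member_output)
    lo, hi = DC_LOCAL_XID_RANGE
    report = {}
    for name, uid in dc.items():
        if member.get(name) == uid:
            report[name] = "consistent"      # same UID on both hosts: stored in AD
        elif lo <= uid <= hi:
            report[name] = "dc-local-only"   # allocated in idmap.ldb, not in AD
        else:
            report[name] = "mismatch"        # differs or missing for another reason
    return report

def unmapped_sids(log_text):
    """SIDs the member server's winbindd could not map, in log order."""
    return [m.group("sid") for m in NONE_MAPPED_RE.finditer(log_text)]
```

Running `classify_accounts(SAMPLE_DC, SAMPLE_MEMBER)` on the samples separates the explicitly numbered account from the one that only exists in the DC's local allocation.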
