[Samba] "samba-tool user add" and idmap shenanigans

Rowland penny rpenny at samba.org
Mon Feb 1 09:20:18 UTC 2016

On 01/02/16 02:52, Stuart Longland wrote:
> Hi all,
> We're in the process of finally moving from our aging Samba3-based
> infrastructure across to Samba4.
> Rather than trying to migrate, we're just making a clean break so that
> we can do it properly from day one, as there were likely some mistakes
> that were made years ago we want to leave behind.
> The machines under test are virtual machines running Ubuntu 14.04 LTS
> AMD64.  I've just done an `apt-get dist-upgrade` this morning.
> We've got an AD server going happily, with the relevant NIS extensions
> running and winbindd.  All is good.  I can create a user on the server,
> and it appears along with a UID.
>> root at bnedevdc0:~# samba-tool user add testuser2 --random-password
>> User 'testuser2' created successfully
>> root at bnedevdc0:~# wbinfo -i testuser2
>> VRTAD\testuser2:*:3000032:10000::/home/VRTAD/testuser2:/bin/false
> Other users work too:
>> root at bnedevdc0:~# wbinfo -i testuser
>> VRTAD\testuser:*:123456:10000::/home/VRTAD/testuser:/bin/false
> Now, I move across to my member server and try to repeat the two
> `wbinfo` commands:
>> root at bnedevmail:~# wbinfo -i testuser
>> testuser:*:123456:10000:testuser:/home/VRTAD/testuser:/bin/bash
>> root at bnedevmail:~# wbinfo -i testuser2
>> failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
>> Could not get info for user testuser2
> I can do `id` and other commands with 'testuser' as if it were a local
> Unix account, but not with 'testuser2'.
> The only thing different about these is that when creating 'testuser', I
> explicitly provided --uid-number, setting it to 123456 as a test.  It
> got stored in LDAP as uidNumber, which is fine.
> Somewhere, the AD server decided upon 300032 as the UID number for
> 'testuser2', however it forgot to write that into LDAP, and so the
> member server can't see it.  I see reference to xidNumber in places too
> -- it didn't bother to write that to LDAP either.
> On the old server `smbldap-useradd` would take care of assigning unique
> user IDs, so I know Samba supports this feature.
> I've checked configuration files and logs, the only thing I see is in
> `winbindd` logs on the member server:
>> ==> /var/log/samba/log.winbindd <==
>> [2016/02/01 12:52:31.513489,  5] ../source3/winbindd/winbindd_getpwnam.c:137(winbindd_getpwnam_recv)
>>    Could not convert sid S-1-5-21-3300742366-236599213-516333450-7025: NT_STATUS_NONE_MAPPED
> Yet, it's clearly mapped when I try to do the same thing on the domain
> controller itself.  Is there something that I'm missing?
> Regards,

Yes, the DCs and domain members work differently. On a DC, Windows users 
are mapped to Unix users in 'idmap.ldb', this is where you will find the 
xidNumber attributes. On a domain member, the users are mapped via 
winbind and there are several backends available, though only two are 
really used, the 'ad' & 'rid' backends. If you use the 'ad' backend, you 
will have to give all users, that you want to be visible to Unix, a 
uidNumber attribute and Domain Users (at least) a gidNumber. If you use 
the 'rid' backend, you do not have to add anything to AD, but you may 
want to add the 'template' lines to smb.conf on the domain member (see 
man smb.conf).

You may also want to investigate using a later version of Samba; the 
version available from Ubuntu is old, and in fact when Samba 4.4.0 comes 
out (due start of March), the 4.1.x series will go EOL. You could use 
the latest freely available Sernet version, which will get you 4.2.x, or 
you could very easily compile Samba yourself; if you go down this path, 
you can get the latest version.
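The two domain-member options described in the reply, as an added example of a member server's smb.conf (example config, not from the thread or the Samba project; the domain name VRTAD, the RID 7025 and the UIDs 123456 and 3000032 come from the quoted output, while the realm and the ID ranges are assumptions):

```ini
# Added example, not from the thread: [global] of a domain member's smb.conf.
# smb.conf does not allow trailing comments, so every comment is on its own line.
[global]
   workgroup = VRTAD
   # assumption: the realm is not shown in the thread
   realm = VRTAD.EXAMPLE
   security = ADS

   # Default domain (BUILTIN, local SIDs): IDs allocated in a local tdb.
   # This range must not overlap the VRTAD range below.
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999

   # --- Option A: 'ad' backend, IDs read from RFC2307 attributes in AD ---
   # Every user needs a uidNumber and every group (Domain Users at least)
   # a gidNumber, and the value must fall inside this range, or winbind
   # cannot map the SID. That is the thread's symptom: testuser
   # (uidNumber 123456) resolves, testuser2 (no uidNumber) gives
   # NT_STATUS_NONE_MAPPED / WBC_ERR_DOMAIN_NOT_FOUND.
   idmap config VRTAD : backend = ad
   idmap config VRTAD : schema_mode = rfc2307
   idmap config VRTAD : range = 10000-999999
   # also take loginShell / unixHomeDirectory from AD when present
   winbind nss info = rfc2307

   # --- Option B: 'rid' backend, nothing to add to AD ---
   # Use instead of Option A. IDs are computed arithmetically:
   # id = RID - base_rid + range_low, so RID 7025 becomes uid 17025 here.
   # Consistent across members that share this config, but they do NOT
   # match the DC's idmap.ldb allocations (3000032) or a hand-set
   # uidNumber (123456), so plan file ownership on shared storage accordingly.
   #idmap config VRTAD : backend = rid
   #idmap config VRTAD : range = 10000-999999

   # 'template' lines from man smb.conf: used whenever the backend supplies
   # no shell/home directory (always with 'rid', and with 'ad' for users
   # that lack loginShell / unixHomeDirectory).
   template shell = /bin/bash
   template homedir = /home/%D/%U
```

After changing the backend, restart winbind and clear its cache (`net cache flush`) before re-running `wbinfo -i`, otherwise stale mappings can mask the change.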

