[Samba] winbind idmap_ad rfc2037 can't read UIdnumber

Raphaël RIGNIER r.rignier at leschartreux.net
Mon Jul 4 17:35:46 UTC 2016


Hi samba team !

I have been trying for hours to resolve a problem I have with a Linux host (Samba 
4.3.9, Ubuntu 16.04) as an AD member. DCs are Windows 2008 R2; one is 2012 
R2. Forest level is 2003 R2.

My smb.conf:
[GLOBAL]
         netbios name = CR-DEV-01
         security = ADS
         workgroup = ADDOMAIN
         realm = ADDOMAIN.COM


         idmap config *:backend = tdb
         idmap config *:range = 2000-9998

         idmap config ADDOMAIN:backend = ad
         idmap config ADDOMAIN:schema_mode = rfc2307
         idmap config ADDOMAIN:range = 9999-999999

         winbind nss info = rfc2307
         winbind enum users = yes
         winbind enum groups = yes
         winbind use default domain = yes

The 9999 start of the range is the "Domain Users" gidNumber, to have a default 
primary group.
Shared uids and gids start at 10000.

The test for groups:
--------------
# net ads search '(SamAccountName=info2)' samaccountname gidnumber  -P
Got 1 replies

sAMAccountName: info2
gidNumber: 10002
------------------
#  getent group info2
info2:x:10002:
------------------
All is OK



For the user, it is not working as expected:
-------------
# net ads search '(SamAccountName=b.btstest)'  samaccountName uinumber 
gidnumber gecos -P
Got 1 replies

sAMAccountName: b.btstest
--------------------------------
No uidNumber, gidNumber, gecos?

Same search with the admin account:
------------------------
net ads search '(SamAccountName=b.btstest)'  samaccountName uinumber 
gidnumber gecos -U administrator
Enter administrator's password:
Got 1 replies

sAMAccountName: b.btstest
uidNumber: 13367
gidNumber: 10002
gecos: BTSTEST B
---------------

-----
#getent passwd b.btstest (no output)
------
Winbind output
------
getpwnam b.btstest
Could not convert sid S-1-5-21-4272071638-3509717963-3151537417-7471: 
NT_STATUS_NONE_MAPPED
----------
This is the same for all mapped AD users (3042 users).

Does Winbind make queries on the DCs with the machine account?
Does that mean a bad AD schema?

Strange behavior.

Thanks for help.
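An added triage helper (example code, not part of the original post or of Samba) that works offline on the two `net ads search` results quoted above and on the idmap block of the smb.conf: it tells apart "the machine account cannot read the RFC2307 attributes" (the attribute is returned for the user credentials but not for `-P`) from "the uidNumber/gidNumber falls outside the configured idmap range". The sample outputs and config are constructed from the post; the function names are my own.

```python
"""Triage for winbind idmap_ad NT_STATUS_NONE_MAPPED (added example, not from the post)."""
import re

# Constructed samples modelled on the post, not captured from a live DC.
MACHINE_ACCOUNT_OUTPUT = "Got 1 replies\n\nsAMAccountName: b.btstest\n"
USER_ACCOUNT_OUTPUT = ("Got 1 replies\n\nsAMAccountName: b.btstest\n"
                       "uidNumber: 13367\ngidNumber: 10002\ngecos: BTSTEST B\n")
SMB_CONF = """[GLOBAL]
         idmap config *:backend = tdb
         idmap config *:range = 2000-9998
         idmap config ADDOMAIN:backend = ad
         idmap config ADDOMAIN:schema_mode = rfc2307
         idmap config ADDOMAIN:range = 9999-999999
"""


def parse_net_ads_search(text):
    """Return {attribute: value} from `net ads search` output, keys lower-cased.
    'Got N replies' has no colon directly after the first word, so it is skipped."""
    attrs = {}
    for line in text.splitlines():
        m = re.match(r"^([A-Za-z][\w-]*):\s*(.*)$", line)
        if m:
            attrs[m.group(1).lower()] = m.group(2).strip()
    return attrs


def idmap_range(smb_conf, domain):
    """Return (low, high) of 'idmap config DOMAIN:range' from smb.conf text."""
    pat = r"idmap config %s\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)" % re.escape(domain)
    m = re.search(pat, smb_conf)
    if not m:
        raise ValueError("no idmap range configured for domain %s" % domain)
    return int(m.group(1)), int(m.group(2))


def triage(machine_out, user_out, smb_conf, domain):
    """Return a list of findings explaining why winbind could fail to map the user."""
    machine, user = parse_net_ads_search(machine_out), parse_net_ads_search(user_out)
    low, high = idmap_range(smb_conf, domain)
    findings = []
    for attr in ("uidnumber", "gidnumber"):
        if attr not in user:
            findings.append("%s is not set on the AD object" % attr)
            continue
        if attr not in machine:  # readable with user creds, invisible to the machine account
            findings.append("%s readable by user but not by machine account: "
                            "check the AD ACL on that attribute" % attr)
        value = int(user[attr])
        if not low <= value <= high:
            findings.append("%s=%d outside idmap range %d-%d" % (attr, value, low, high))
    return findings
```

For the values in the post, both uidNumber 13367 and gidNumber 10002 sit inside 9999-999999, so the helper reports only the two machine-account readability findings.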


