[Samba] winbind idmap_ad rfc2307 can't read uidNumber

Rowland penny rpenny at samba.org
Mon Jul 4 18:09:30 UTC 2016


On 04/07/16 18:35, Raphaël RIGNIER wrote:
> Hi Samba team!
>
> I have been trying for hours to resolve a problem I have with a Linux host (Samba 
> 4.3.9, Ubuntu 16.04) as AD member. DCs are Windows 2008 R2, one is 2012 
> R2. Forest level is 2003 R2.
>
> My smb.conf:
> [GLOBAL]
>         netbios name = CR-DEV-01
>         security = ADS
>         workgroup = ADDOMAIN
>         realm = ADDOMAIN.COM
>
>
>         idmap config *:backend = tdb
>         idmap config *:range = 2000-9998
>
>         idmap config ADDOMAIN:backend = ad
>         idmap config ADDOMAIN:schema_mode = rfc2307
>         idmap config ADDOMAIN:range = 9999-999999
>
>         winbind nss info = rfc2307
>         winbind enum users = yes
>         winbind enum groups = yes
>         winbind use default domain = yes
>
> 9999, the start of the range, is the "Domain Users" gidNumber, so that 
> there is a default primary group.
> Shared uid and gid start at 10000.
>
> The test for groups:
> --------------
> # net ads search '(SamAccountName=info2)' samaccountname gidnumber  -P
> Got 1 replies
>
> sAMAccountName: info2
> gidNumber: 10002
> ------------------
> #  getent group info2
> info2:x:10002:
> ------------------
> All is OK
>
>
>
> For the user, it is not working as expected:
> -------------
> # net ads search '(SamAccountName=b.btstest)'  samaccountName uinumber 
> gidnumber gecos -P
> Got 1 replies
>
> sAMAccountName: b.btstest
> --------------------------------
> No uidNumber, gidNumber, gecos?
>
> Same search with the admin account:
> ------------------------
> net ads search '(SamAccountName=b.btstest)'  samaccountName uinumber 
> gidnumber gecos -U administrator
> Enter administrator's password:
> Got 1 replies
>
> sAMAccountName: b.btstest
> uidNumber: 13367
> gidNumber: 10002
> gecos: BTSTEST B
> ---------------
>
> -----
> #getent passwd b.btstest (no output)
> ------
> Winbind output
> ------
> getpwnam b.btstest
> Could not convert sid S-1-5-21-4272071638-3509717963-3151537417-7471: 
> NT_STATUS_NONE_MAPPED
> ----------
> This is the same for all mapped AD users (3042 users).
>
> Does Winbind make queries on the DCs with the machine account?
> Does that mean a bad AD schema?
>
> Strange behavior.
>
> Thanks for help.
>

What 'libpam-*' packages do you have installed?

What have you got in /etc/nsswitch.conf?

Rowland
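As an added check (example code, not the list's or Samba's own), the Python below parses the idmap config lines quoted above, flags overlapping ranges, and classifies the two `net ads search` results; the constructed SEARCH_MACHINE and SEARCH_ADMIN dictionaries mirror the machine-account and administrator queries from the post.

```python
import re

# Constructed copy of the idmap lines from the post's smb.conf (not the original file).
SMB_CONF = """
[GLOBAL]
        idmap config *:backend = tdb
        idmap config *:range = 2000-9998
        idmap config ADDOMAIN:backend = ad
        idmap config ADDOMAIN:schema_mode = rfc2307
        idmap config ADDOMAIN:range = 9999-999999
"""

# Constructed attribute sets mirroring the `net ads search -P` (machine) and `-U` (admin) runs.
SEARCH_MACHINE = {"sAMAccountName": "b.btstest"}
SEARCH_ADMIN = {"sAMAccountName": "b.btstest", "uidNumber": "13367",
                "gidNumber": "10002", "gecos": "BTSTEST B"}

IDMAP_RE = re.compile(r"^\s*idmap config\s+(\S+?)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.I)


def parse_idmap(conf):
    """Return {domain: {key: value}} for every 'idmap config' line."""
    cfg = {}
    for line in conf.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            cfg.setdefault(m.group(1), {})[m.group(2).lower()] = m.group(3)
    return cfg


def parse_range(text):
    """Turn 'LOW-HIGH' into (low, high), rejecting an inverted range."""
    low, high = (int(x) for x in text.split("-"))
    if low > high:
        raise ValueError(f"inverted idmap range {text}")
    return low, high


def overlapping_ranges(cfg):
    """Return pairs of domains whose idmap ranges overlap (a misconfiguration)."""
    spans = sorted((parse_range(v["range"]), d) for d, v in cfg.items() if "range" in v)
    return [(a_dom, b_dom) for (a, a_dom), (b, b_dom) in zip(spans, spans[1:]) if b[0] <= a[1]]


def diagnose(cfg, domain, entry):
    """Explain why winbind could not map a user from the attributes the lookup returned."""
    low, high = parse_range(cfg[domain]["range"])
    problems = []
    for attr in ("uidNumber", "gidNumber"):
        if attr not in entry:  # the account doing the LDAP lookup cannot see the attribute
            problems.append(f"{attr} missing: the querying account cannot read it")
        elif not low <= int(entry[attr]) <= high:
            problems.append(f"{attr}={entry[attr]} outside {domain} range {low}-{high}")
    return problems
```

Run `diagnose(parse_idmap(SMB_CONF), "ADDOMAIN", SEARCH_MACHINE)` to see the two missing-attribute findings that match the NT_STATUS_NONE_MAPPED symptom, and the same call with SEARCH_ADMIN to confirm both values sit inside the ADDOMAIN range.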



