[Samba] Member server does not show users from trusted domain

Gaiseric Vandal gaiseric.vandal at gmail.com
Mon Nov 14 17:09:46 UTC 2016

I have a samba classic domain, call it "DomainA". All domain 
controllers and servers are running 3.6.25 on Solaris 11.

The PDC and BDC use an LDAP backend for unix, samba and idmap 
data. Member servers use an LDAP backend for unix accounts, so the 
underlying unix user and group accounts are consistent.

There is a trust relationship with Windows 2008 AD domain ("DomainB.")

On the member servers, "wbinfo -u" and "wbinfo -g" only show members 
from the servers' own domain (DomainA).

The wbinfo command does indicate that domains are trusted.

        root at member1# wbinfo -m
        root at member1# wbinfo -D DOMAINB
        Name              : DOMAINB
        Alt_Name          : domainb.mydomain.com
        SID               : S-1-5-21-xxxxxxxxxxxxxxx
        Active Directory  : Yes
        Native            : Yes
        Primary           : No
        root at member1#

Although I am assuming that wbinfo is merely querying the domainA PDC or 
BDC.  The PDC is also the WINS server.

I have been trying to configure idmapping for domainB on the member servers, 
using an LDAP backend, to keep the idmapping consistent across all 
servers. However, I figure idmapping won't come into play if winbind 
is not even seeing the domainB users. I am actually unclear whether the 
member server is supposed to contact its own domain controller for 
trusted account information or whether it is supposed to contact the trusted 
domain (domainB) AD controller.

The nmblookup command indicates WINS resolution is working correctly.

        root at member1# nmblookup -U name_of_wins_server  -R 'DOMAINB#1C'
        answers: nmb_name=DOMAINB<1c> rr_type=32 rr_class=1 ttl=216591
        answers 0 char ...... hex E000C0A8031A
        Got a positive name query response from ...
        ip_of_DomainB_AD   DomainB<1c>
        root at member1#

The log.wb-DOMAINB log shows the server locating the domain controller 
for the trusted domain.

        root at member1#testparm -v | grep winbind
        Server role: ROLE_DOMAIN_MEMBER
        Press enter to see a dump of your service definitions

                 winbind separator = \
                 winbind cache time = 300
                 winbind reconnect delay = 30
                 winbind max clients = 200
                 winbind enum users = Yes
                 winbind enum groups = Yes
                 winbind use default domain = No
                 winbind trusted domains only = No
                 winbind nested groups = Yes
                 winbind expand groups = 1
                 winbind nss info = template
                 winbind refresh tickets = No
                 winbind offline logon = No
                 winbind normalize names = No
                 winbind rpc only = No
                 winbind max domain connections = 1

        root at member1#

The IDMAP entry in smb.conf is as follows:

        idmap config DOMAINB:backend = ldap
        # idmap config DOMAINB:readonly = no
        idmap config DOMAINB:readonly = yes
        idmap config DOMAINB:default=no
        idmap config DOMAINB:ldap_base_dn = ou=domainb,ou=idmap,o=ssci.com
        idmap config DOMAINB:ldap_user_dn = cn=SomeLDAPAdminUser
        idmap config DOMAINB:ldap_url = ldap://pdc.mydomain.com
        idmap config DOMAINB:range = 30000-39999
        #is following legit?
        idmap config DOMAINB:suffix=ou=domainb,ou=idmap

Idmapping is required so that "getent passwd" and "getent group" can 
list windows users.  But even if idmapping is not setup correctly, I 
should still see trusted users with "wbinfo -u" and "wbinfo -g."

Appreciate any feedback
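As an added example (not part of the original post), a small Python checker for `idmap config DOMAIN:key = value` lines like the ones quoted above: it parses the active (uncommented) entries, requires `backend` and `range` for every domain, flags a readonly LDAP backend (which cannot allocate new mappings) and reports ranges that overlap between domains. The smb.conf fragment is constructed; the DOMAINC entry and the example.com names are assumptions.

```python
"""Sanity-check 'idmap config DOMAIN:key = value' lines from an smb.conf."""
import re
from typing import Dict, List, Tuple

IDMAP_RE = re.compile(
    r"^\s*idmap\s+config\s+(?P<dom>[^:]+):(?P<key>[^=\s]+)\s*=\s*(?P<val>.*?)\s*$", re.I)

# Constructed smb.conf fragment modelled on the posted configuration;
# DOMAINC and the example.com names are hypothetical.
SAMPLE_SMB_CONF = """
[global]
   workgroup = DOMAINA
   idmap config DOMAINB:backend = ldap
   # idmap config DOMAINB:readonly = no
   idmap config DOMAINB:readonly = yes
   idmap config DOMAINB:default=no
   idmap config DOMAINB:ldap_base_dn = ou=domainb,ou=idmap,o=example.com
   idmap config DOMAINB:ldap_user_dn = cn=SomeLDAPAdminUser
   idmap config DOMAINB:ldap_url = ldap://pdc.example.com
   idmap config DOMAINB:range = 30000-39999
   idmap config DOMAINC:backend = rid
   idmap config DOMAINC:range = 35000-44999
"""

def parse_idmap_config(text: str) -> Dict[str, Dict[str, str]]:
    """Return {DOMAIN: {key: value}} for active idmap config lines; '#'/';' lines are comments."""
    domains: Dict[str, Dict[str, str]] = {}
    for line in text.splitlines():
        if line.lstrip().startswith(("#", ";")):
            continue
        m = IDMAP_RE.match(line)
        if m:
            dom = m.group("dom").strip().upper()
            domains.setdefault(dom, {})[m.group("key").lower()] = m.group("val")
    return domains

def parse_range(spec: str) -> Tuple[int, int]:
    lo, hi = (int(x) for x in spec.split("-", 1))
    if lo > hi:
        raise ValueError(f"bad range {spec!r}")
    return lo, hi

def check_idmap_config(domains: Dict[str, Dict[str, str]]) -> List[str]:
    """Return human-readable findings; an empty list means no problem was detected."""
    findings: List[str] = []
    ranges: Dict[str, Tuple[int, int]] = {}
    for dom, cfg in domains.items():
        findings += [f"{dom}: missing '{k}'" for k in ("backend", "range") if k not in cfg]
        if "range" in cfg:
            try:
                ranges[dom] = parse_range(cfg["range"])
            except ValueError as e:
                findings.append(f"{dom}: {e}")
        if cfg.get("backend", "").lower() == "ldap" and cfg.get("readonly", "no").lower() in ("yes", "true", "1"):
            findings.append(f"{dom}: readonly LDAP idmap cannot allocate new mappings")
    doms = sorted(ranges)  # two domains sharing unix IDs is a mapping/authorization problem
    for i, a in enumerate(doms):
        for b in doms[i + 1:]:
            (alo, ahi), (blo, bhi) = ranges[a], ranges[b]
            if alo <= bhi and blo <= ahi:
                findings.append(f"{a} and {b}: ranges overlap")
    return findings
```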
