[Samba] domain member idmap wbinfo WBC_ERR_DOMAIN_NOT_FOUND
Tom Robinson
tom.robinson at motec.com.au
Mon Jul 10 04:17:42 UTC 2017
Hi,
I've done a classic upgrade from samba 3.6.23 to samba 4.6.5, bringing across all the user
accounts. The samba 3.6.23 was set up with smbldap as an NT Domain with OpenLDAP. After a lot of
effort the classic upgrade worked well, but now I'm a bit stuck with idmapping.
The new AD DC is running 4.6.5 on CentOS7 and I can connect using ADUC. I set up a separate AD DM on
another CentOS7 install but mapping IDs is confusing me.
All the users and groups brought across have 'UNIX Attributes' assigned when I check in ADUC.
BUILTINs and other 'Well Known' SIDs don't.
Part of my issue may stem from the fact that the original samba 3.6 POSIX UIDs/GIDs were all low
numbers (starting at around 500 and up). The accounts are legacy upon legacy, originally coming from
/etc/{passwd,group} files that were manually sync'ed from host to host to host a long time ago
(before my time) then brought into samba 3.6.23/OpenLDAP and now samba 4.6.5. Are these low numbered
UIDs an issue?
On the DM I am getting an error: WBC_ERR_DOMAIN_NOT_FOUND when using wbinfo. This is very similar to
thread:
https://lists.samba.org/archive/samba/2015-November/195991.html
On the DC:
# wbinfo -u
MY.DOM\administrator
MY.DOM\auser
MY.DOM\user2
MY.DOM\user3
...
# wbinfo -n auser
S-1-5-21-2252255531-4061614174-2474224977-2184 SID_USER (1)
# wbinfo -i auser
MY.DOM\auser:*:592:100::/home/MY.DOM/auser:/bin/false
On the DM:
# wbinfo -u
MY.DOM\administrator
MY.DOM\auser
MY.DOM\user2
MY.DOM\user3
...
# wbinfo -n auser
S-1-5-21-2252255531-4061614174-2474224977-2184 SID_USER (1)
# wbinfo -i auser
failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
Could not get info for user auser
BUT still on the DM:
# wbinfo -i MY.DOM\\auser
MY.DOM\auser:*:592:513:Adam User:/home/MY.DOM/auser:/bin/false
# getent passwd auser
(returns with $?=2, no output)
Here are my DM config files:
/etc/samba/smb.conf
[global]
security = ADS
workgroup = MY.DOM
realm = DOM.MOTEC.COM.AU
log level = 1 winbind:1 idmap:1
idmap config * : backend = tdb
idmap config * : range = 3000000-3999999
idmap config MY.DOM : backend = ad
idmap config MY.DOM : schema_mode = rfc2307
idmap config MY.DOM : range = 500-10000
idmap config MY.DOM : unix_nss_info = yes
# grep winbind /etc/nsswitch.conf
passwd: files winbind sss
group: files winbind sss
Any help is appreciated.
Kind regards,
Tom
--
Tom Robinson
IT Manager/System Administrator
MoTeC Pty Ltd
121 Merrindale Drive
Croydon South
3136 Victoria
Australia
T: +61 3 9761 5050
F: +61 3 9761 5051
E: tom.robinson at motec.com.au