[Samba] WBC_ERR_DOMAIN_NOT_FOUND error with RFC2307

Rowland penny rpenny at samba.org
Mon Jul 8 18:32:15 UTC 2019

On 08/07/2019 19:03, Ryan via samba wrote:
>> 'idmap_rfc2307' got me thinking about the other rarely used backends and
>> I wonder if you could use 'idmap_script', see 'man idmap_script' for
>> (limited) info
>> Rowland
> Hi Rowland,
> Indeed, I switched to using the idmap_script back end. For posterity (in
> case it could ever help you or others), I have included the simple script
> below. It correctly returns the UID and primary GID, which in our LDAP
> system is the same, so it gets returned as XID per the man page. Then, and
> this part I don't understand but I verified it in the idmap logs, somehow
> Samba/winbind becomes aware of the many other GIDs. It subsequently tries
> to map them back to SIDs (which fails, because there is no mapping, but
> it's cheap, so whatever).
> So a few follow-ups, and then I'll be out of your hair:
> 1. By what mechanism does Samba/winbind go from seeing the UID/GID of the
> user from the lookup to becoming aware of the other GIDs of the user? I am
> uncomfortable not knowing this, because it seems like it could break.
> 2. This mechanism *works*. Users can mount shares based on their UNIX group
> membership in the OpenLDAP server. *Thank you!* Now...is there any better
> way to do this? I love that such a hacky back-end exists, but is this what
> RFC 2307 is supposed to do, but it's truly broken code right now? It seems
> like looking people up by username in a separate LDAP directory after
> authenticating them with their Kerberos credentials against an AD server is
> quite a common use case (I know many people who do it with older versions
> of Samba that use the fallback mechanism; I wonder if you are going to get
> lots of questions about this as people transition to EL 7 or 8 with 6 going
> EOL).

Your setup is one that hasn't come up before and hopefully will not 
again ;-)

We have had situations where people have had an NT4-style PDC and linux 
fileservers and they have upgraded to AD without problem. You, for 
various reasons, could not, but have found a way around the problem. I 
would urge you to consider this as a reprieve and a breathing point, 
then find a better fix for your problem; it may be that this is done on 
a company basis rather than on a department basis.
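
The script Ryan refers to is not reproduced in the archive, so the following is an added example of an idmap_script backend, not his script and not Samba project code. It follows the request/response interface described in man idmap_script (SIDTOID / IDTOSID requests on the command line, a single UID:, GID:, XID:, SID: or ERR: line on stdout) and returns XID when uidNumber and gidNumber coincide, as the thread describes. The SID-to-name step and the OpenLDAP posixAccount query are replaced by constructed inline tables so it runs offline; a real deployment would query AD and OpenLDAP there. Because winbindd runs the script as root and trusts whatever it prints, the example validates the SID before any lookup and answers every bad or unknown request with an ERR: line rather than silence.

```shell
#!/bin/sh
# Example idmap_script backend for winbindd (added example; not the poster's
# script, which is not on the page, and not Samba code). winbindd invokes it as
#   script SIDTOID S-1-5-21-<dom>-<rid>
#   script IDTOSID UID <n> | IDTOSID GID <n> | IDTOSID XID <n>
# and reads exactly one line of stdout: UID:n, GID:n, XID:n, SID:s or ERR:text
# (interface as described in man idmap_script). All data below is constructed.

# Stand-in for resolving a SID to an account name against AD (assumption: a
# real script would query objectSid over LDAP). Format: "<SID> <name>".
SID_TO_NAME='
S-1-5-21-1000000001-2000000002-3000000003-1105 alice
S-1-5-21-1000000001-2000000002-3000000003-1106 bob
S-1-5-21-1000000001-2000000002-3000000003-1107 carol
'

# Stand-in for the OpenLDAP posixAccount lookup. Format:
# "<name> <uidNumber> <gidNumber>". alice and bob have uidNumber == gidNumber
# (user-private groups); carol's primary group 5000 is a shared group.
POSIX_ACCOUNTS='
alice 10001 10001
bob   10002 10002
carol 10003 5000
'

# Answer one request on stdout. Always returns 0: winbindd only parses stdout,
# and a bad request must produce an ERR: line rather than silence.
idmap_request() {
    cmd=$1; arg=$2; num=$3    # SIDTOID <sid>  |  IDTOSID <UID|GID|XID> <n>
    case "$cmd" in
    SIDTOID)
        # Validate before any lookup: the script runs as root under winbindd,
        # so only a well-formed domain SID (3 sub-authorities + RID) gets through.
        if ! printf '%s' "$arg" | grep -Eq '^S-1-5-21(-[0-9]+){4}$'; then
            printf 'ERR:not a well-formed domain SID\n'; return 0
        fi
        name=$(printf '%s\n' "$SID_TO_NAME" | awk -v sid="$arg" '$1 == sid { print $2; exit }')
        if [ -z "$name" ]; then printf 'ERR:unknown SID\n'; return 0; fi
        # Fetch "uidNumber gidNumber" for the account into $1 and $2.
        set -- $(printf '%s\n' "$POSIX_ACCOUNTS" | awk -v n="$name" '$1 == n { print $2, $3; exit }')
        if [ -z "$1" ]; then
            printf 'ERR:no posixAccount for %s\n' "$name"
        elif [ "$1" = "$2" ]; then
            printf 'XID:%s\n' "$1"   # uidNumber == gidNumber: one ID usable as both
        else
            printf 'UID:%s\n' "$1"   # primary GID is a shared group: map the user only
        fi
        ;;
    IDTOSID)
        case "$num" in ''|*[!0-9]*) printf 'ERR:malformed id\n'; return 0 ;; esac
        case "$arg" in
        UID|XID) name=$(printf '%s\n' "$POSIX_ACCOUNTS" | awk -v id="$num" '$2 == id { print $1; exit }') ;;
        # A GID maps back only when it is a user-private group; shared groups have
        # no SID in this scheme, so winbind's reverse lookups for them get ERR.
        GID)     name=$(printf '%s\n' "$POSIX_ACCOUNTS" | awk -v id="$num" '$3 == id && $2 == $3 { print $1; exit }') ;;
        *)       printf 'ERR:unknown id type\n'; return 0 ;;
        esac
        sid=$(printf '%s\n' "$SID_TO_NAME" | awk -v n="$name" '$2 == n { print $1; exit }')
        if [ -n "$name" ] && [ -n "$sid" ]; then
            printf 'SID:%s\n' "$sid"
        else
            printf 'ERR:no mapping for %s %s\n' "$arg" "$num"
        fi
        ;;
    *)
        printf 'ERR:unknown command\n'
        ;;
    esac
    return 0
}

# When winbindd runs the script, answer the request given on the command line.
if [ "$#" -ge 2 ]; then
    idmap_request "$@"
fi
```

Wired in with the options man idmap_script documents, `idmap config DOMAIN : backend = script`, `idmap config DOMAIN : script = /path/to/script` and an `idmap config DOMAIN : range`, the script answers `SIDTOID` for a user whose uidNumber equals gidNumber with `XID:`, and reverse lookups for a shared group's GID with `ERR:`, which is the failing-but-cheap reverse mapping described in the message above. Keep the script and its directory writable by root only, since whatever it prints becomes the identity winbindd hands to the file server.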

