Erwin Fritz
2004-Apr-20 22:00 UTC
[Samba] Winbindd can't load Idmap OU with SID-uid mappings
I'm running Samba 3.0.2a on Solaris 9. My shop also runs Active Directory on W2K (SP4). In an attempt to build a single sign-on solution, I thought I'd get Samba to allow Windows 2000 users to telnet/rlogin/ftp to my UNIX boxes without requiring those users to have a UNIX account. The Samba dox claim this is possible, because winbindd will map the AD account SID to a UNIX userid, and will store that mapping in the winbindd_idmap.tdb file. This works just fine. AD users can map drives and can connect to the UNIX box through telnet, rlogin, or ftp. They do not need a UNIX account. Problem solved? Not quite. I have many UNIX boxes, and because the Samba shares are NFS-mounted to these boxes, I have to ensure that the SID-uid mapping is consistent across all machines. Samba will do this by keeping the mapping in an OU created in the AD tree. I created that OU, and called it Idmap. For the life of me, though, I can't get Samba to store the mapping in the OU. It continues to store it in the winbindd_idmap file. My Solaris box is running Solaris 9, with patch 113476-13, MIT Kerberos 1.3.1, and OpenLDAP 2.2.5 (because Samba needs the LDAP stuff to compile). 
Samba was configured with these options:

    ./configure --prefix=/opt/samba \
        --with-syslog \
        --with-utmp \
        --with-codepagedir=/var/samba/code \
        --with-configdir=/var/samba/conf \
        --with-lockdir=/var/samba/lock \
        --with-privatedir=/var/samba/private \
        --with-swatdir=/var/samba/swat \
        --with-logfilebase=/var/samba/log \
        --datadir=/var/samba/share \
        --localstatedir=/var/samba/var \
        --sharedstatedir=/var/samba/com \
        --sysconfdir=/var/samba/etc \
        --with-acl-support \
        --with-krb5=/opt/kerberos \
        --with-winbind \
        --with-ldap \
        --with-ldapsam

The global portion of my smb.conf is:

    [global]
        workgroup = AD_DOMAIN
        realm = INTERNAL_DOMAIN.COM
        server string = Test server
        security = ADS
        password server = ad1.internal_domain.com ad2.internal_domain.com
        lanman auth = No
        ntlm auth = No
        client NTLMv2 auth = Yes
        client lanman auth = No
        client plaintext auth = No
        log level = 2
        disable netbios = Yes
        name resolve order = host
        load printers = No
        os level = 0
        lm announce = No
        preferred master = No
        local master = No
        domain master = No
        dns proxy = No
        ldap suffix = dc=internal_domain,dc=com
        ldap idmap suffix = ou=Idmap,dc=internal_domain,dc=com
        ldap admin dn = cn=Administrator,ou=Users,dc=internal_domain,dc=com
        ldap ssl = no
        idmap uid = 10000-20000
        idmap gid = 10000-20000
        template shell = /bin/ksh
        winbind separator = +
        hosts allow = 198.161.66., 192.168.100.
        wide links = No

I know the problem isn't with pam.conf or nsswitch.conf, since my AD users can connect to the Solaris box without any problems. When I try to connect, I get this error message on the Samba server:

    failed to bind to server with dn= cn=Administrator,ou=Users,dc=internal_domain,dc=com Error: Can't contact LDAP server

Well, I know the LDAP server works. Running both 'wbinfo -u' and 'getent passwd' shows the AD accounts. Am I missing something obvious here?

Erwin Fritz
Network Administrator
Gilbert Laustsen Jung Associates Ltd.
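A configuration check for the smb.conf settings quoted above, added here as an example and not part of the original post. It assumes the Samba 3.0 convention that the LDAP idmap store is chosen with "idmap backend = ldap:<url>" (a line the quoted [global] section does not contain), and it also flags the cleartext admin bind that "ldap ssl = no" implies and the use of the domain Administrator as the bind account.

```python
# Added example (not from the original post): lint the idmap/LDAP settings of an
# smb.conf [global] section. Assumption: Samba 3.0-style parameter names, with the
# LDAP idmap store selected by "idmap backend = ldap:<url>".
import re

# Constructed sample: the settings from the post that matter for idmap-in-LDAP.
SAMPLE_SMB_CONF = """
[global]
    security = ADS
    ldap suffix = dc=internal_domain,dc=com
    ldap idmap suffix = ou=Idmap,dc=internal_domain,dc=com
    ldap admin dn = cn=Administrator,ou=Users,dc=internal_domain,dc=com
    ldap ssl = no
    idmap uid = 10000-20000
    idmap gid = 10000-20000
"""

def parse_global(text):
    """Return the key/value pairs of the [global] section, keys lower-cased."""
    params, in_global = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":       # smb.conf comment lines
            continue
        if line.startswith("["):
            in_global = line.lower() == "[global]"
            continue
        if in_global and "=" in line:
            key, value = line.split("=", 1)
            params[key.strip().lower()] = value.strip()
    return params

def check_idmap_ldap(params):
    """Return a list of findings; an empty list means no issue was detected."""
    findings = []
    if not params.get("idmap backend", "").lower().startswith("ldap:"):
        findings.append("idmap backend is not 'ldap:<url>': winbindd keeps SID mappings in the local tdb")
    if "ldap idmap suffix" not in params:
        findings.append("ldap idmap suffix is missing")
    if "ldap admin dn" in params and params.get("ldap ssl", "").lower() in ("no", "off"):
        findings.append("ldap ssl = no: the ldap admin dn password is sent to the DC in cleartext")
    if re.match(r"cn=administrator,", params.get("ldap admin dn", ""), re.I):
        findings.append("ldap admin dn is the domain Administrator: use an account with write access to the Idmap OU only")
    for key in ("idmap uid", "idmap gid"):
        m = re.fullmatch(r"(\d+)-(\d+)", params.get(key, ""))
        if not m or int(m.group(1)) >= int(m.group(2)):
            findings.append(f"{key} is missing or not a valid low-high range")
    return findings

if __name__ == "__main__":
    for finding in check_idmap_ldap(parse_global(SAMPLE_SMB_CONF)):
        print("WARNING:", finding)
```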