I'm running Samba 3.0.28a on a CentOS 3.9 box as a member of an AD
domain whose PDC is a W2k3 server (Standard x64 R2 SP2).
Using wbinfo -u and wbinfo -g I can see domain users and groups from
the CentOS box, but getent (passwd|group) fails to display them. The
nsswitch is setup correctly, as far as I can tell. When I tail -f the
samba log file during a getent query, I see that winbindd is having
problems mapping the sid to the uid or gid ("sid2uid returned an
error").
Furthermore, wbinfo -n can find the SID for a user or group, but it
can't preform the inverse mapping.
In the following example, 'deisner' and 'unixusers' are a domain
user
and group, respectively.
>From the CentOS box (with intentional SID obfuscation):
$ wbinfo -u |grep deisner
deisner
$ wbinfo -n deisner
S-1-5-21-**********6 User (1)
$ wbinfo -S S-1-5-21-**********6
Could not convert sid S-1-5-21-**********6 to uid
$ wbinfo -g |grep unixusers
unixusers
$ wbinfo -n unixusers
S-1-5-21-**********8 Domain Group (2)
$ wbinfo -Y S-1-5-21-**********8
Could not convert sid S-1-5-21-**********8 to gid
In the log file, I see this:
[2008/03/10 18:37:58, 10]
nsswitch/winbindd_cache.c:cache_retrieve_response(2300)
Retrieving response for pid 6274
[2008/03/10 18:37:58, 5]
nsswitch/winbindd_async.c:winbindd_sid2gid_recv(527)
sid2gid returned an error
[2008/03/10 18:37:58, 5] nsswitch/winbindd_sid.c:sid2gid_recv(254)
Could not convert sid S-1-5-21-*8
I'm using the SFU schema. In AD I have uids and gids assigned to the
user and group, in the Unix Attributes tab, with values in the range
I've specified for the idmap range. Here is my smb.conf:
[global]
workgroup = THEDOMAIN
server string = Centos Samba Server
hosts allow = xxx.y. xxx.y. 127. # obfuscated
printcap name = CUPS
load printers = yes
cups options = raw
log file = /usr/local/samba/var/log.smbd
security = ads
encrypt passwords = yes
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
dns proxy = no
unix charset = LOCALE
netbios name = LDAP
realm = THEDOMAIN.FOO.ORG
use kerberos keytab = Yes
idmap domains = THEDOMAIN
idmap config THEDOMAIN:backend = ad
idmap config THEDOMAIN:default = yes
idmap config THEDOMAIN:schema_mode = sfu
idmap config THEDOMAIN:range = 10000 - 300000000
log level = 1
syslog = 0
winbind use default domain = yes
winbind nested groups = yes
winbind enum users = yes
winbind enum groups = yes
template homedir = /home/windows/%D/%U
template shell = /bin/bash
allow trusted domains = no
[homes]
comment = Home Directories
browseable = no
writable = yes
read only = No
valid users = %D\%U
[printers]
comment = All Printers
path = /var/spool/samba
browseable = no
guest ok = no
writable = no
printable = yes
[voltest]
admin users = THEDOMAIN\administrator
comment = Volume Test
path = /home/voltest
public = no
writable = yes
store dos attributes = yes
nt acl support = yes
map acl inherit = yes
Running Wireshark on the W2k3 server, I can see the CentOS box making
the LsarLookupSids request and getting a response (though the content
is encrypted so I can't see the details).
Can anybody see anything obviously wrong? Does anybody have this working?
Thanks!
-David
David Eisner wrote:> I'm running Samba 3.0.28a on a CentOS 3.9 box as a member of an AD > domain whose PDC is a W2k3 server (Standard x64 R2 SP2). > > Using wbinfo -u and wbinfo -g I can see domain users and groups from > the CentOS box, but getent (passwd|group) fails to display them. The > nsswitch is setup correctly, as far as I can tell. When I tail -f the > samba log file during a getent query, I see that winbindd is having > problems mapping the sid to the uid or gid ("sid2uid returned an > error"). > > Furthermore, wbinfo -n can find the SID for a user or group, but it > can't preform the inverse mapping. > > In the following example, 'deisner' and 'unixusers' are a domain user > and group, respectively. > >>From the CentOS box (with intentional SID obfuscation): > > $ wbinfo -u |grep deisner > deisner > $ wbinfo -n deisner > S-1-5-21-**********6 User (1) > $ wbinfo -S S-1-5-21-**********6 > Could not convert sid S-1-5-21-**********6 to uid > $ wbinfo -g |grep unixusers > unixusers > $ wbinfo -n unixusers > S-1-5-21-**********8 Domain Group (2) > $ wbinfo -Y S-1-5-21-**********8 > Could not convert sid S-1-5-21-**********8 to gid > > In the log file, I see this: > [2008/03/10 18:37:58, 10] > nsswitch/winbindd_cache.c:cache_retrieve_response(2300) > Retrieving response for pid 6274 > [2008/03/10 18:37:58, 5] > nsswitch/winbindd_async.c:winbindd_sid2gid_recv(527) > sid2gid returned an error > [2008/03/10 18:37:58, 5] nsswitch/winbindd_sid.c:sid2gid_recv(254) > Could not convert sid S-1-5-21-*8 > > > I'm using the SFU schema. In AD I have uids and gids assigned to the > user and group, in the Unix Attributes tab, with values in the range > I've specified for the idmap range. Here is my smb.conf: > > > [global] > workgroup = THEDOMAIN > server string = Centos Samba Server > hosts allow = xxx.y. xxx.y. 127. # obfuscated > printcap name = CUPS > load printers = yes > cups options = raw > log file = /usr/local/samba/var/log.smbd > security = ads > encrypt passwords = yes > socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192 > dns proxy = no > unix charset = LOCALE > netbios name = LDAP > realm = THEDOMAIN.FOO.ORG > use kerberos keytab = Yes > idmap domains = THEDOMAIN > idmap config THEDOMAIN:backend = ad > idmap config THEDOMAIN:default = yes > idmap config THEDOMAIN:schema_mode = sfu > idmap config THEDOMAIN:range = 10000 - 300000000 > log level = 1 > syslog = 0 > winbind use default domain = yes > winbind nested groups = yes > winbind enum users = yes > winbind enum groups = yes > template homedir = /home/windows/%D/%U > template shell = /bin/bash > allow trusted domains = noTry adding to global section: winbind nss info = sfu Right now you're defaulting to "template". Regards, Doug