Norberto Bensa
2009-Jul-08 18:47 UTC
[Samba] editposix: winbind -u: Error looking up domain users
Hello list,
I'm trying this configuration:
http://wiki.samba.org/index.php/Ldapsam_Editposix
Everything works. I can add users, list users, delete users (and
groups) with "net rpc user...". I can join clients, etc.
*But* wbinfo -u and -g give:
zoolook@kvm-test-samba1:~$ wbinfo -u
Error looking up domain users
zoolook@kvm-test-samba1:~$ wbinfo -g
BUILTIN\administrators
BUILTIN\users
Is this normal behavior?
Many thanks in advance,
Norberto
PS: smb.conf just in case:
[global]
workgroup = PRUEBA
passdb backend = ldapsam
domain logons = Yes
os level = 65
domain master = Yes
wins support = Yes
ldap admin dn = cn=admin,dc=prueba,dc=dominio
ldap delete dn = Yes
ldap group suffix = ou=groups
ldap machine suffix = ou=computers
ldap suffix = dc=prueba,dc=dominio
ldap user suffix = ou=users
idmap domains = DEFAULT
idmap alloc backend = ldap
idmap alloc config:range = 50000-500000
idmap alloc config:ldap_url = ldap://localhost
idmap alloc config:ldap_user_dn = cn=admin,dc=prueba,dc=dominio
idmap alloc config:ldap_base_dn = ou=idmap,dc=prueba,dc=dominio
idmap config DEFAULT:range = 50000-500000
idmap config DEFAULT:ldap_url = ldap://localhost
idmap config DEFAULT:ldap_user_dn = cn=admin,dc=prueba,dc=dominio
idmap config DEFAULT:ldap_base_dn = ou=idmap,dc=prueba,dc=dominio
idmap config DEFAULT:default = yes
idmap config DEFAULT:readonly = no
idmap config DEFAULT:backend = ldap
ldapsam:editposix = yes
ldapsam:trusted = yes
winbind use default domain = yes
ea support = Yes
map acl inherit = Yes
hide unreadable = Yes
map archive = No
map readonly = no
store dos attributes = Yes
Norberto Bensa
2009-Jul-08 19:39 UTC
[Samba] editposix: winbind -u: Error looking up domain users
On Wed, Jul 8, 2009 at 4:29 PM, Dale Schroeder <dale@briannassaladdressing.com> wrote:
> Are you in a domain trust? Otherwise, for a single domain, pdc's don't need
> winbind.

Nope. This is a PDC. But from the link I posted:

"A running winbind daemon is required to use ldapsam:editposix EVEN ON A SAMBA PDC."

Also, on this list someone told me that I "need winbind for ACL to work correctly".

Oh BTW, "winbind enum users = yes" didn't do anything.

zoolook@kvm-test-samba1:/var/log/samba$ wbinfo -p
Ping to winbindd succeeded on fd 3
zoolook@kvm-test-samba1:/var/log/samba$ wbinfo -t
checking the trust secret via RPC calls succeeded
zoolook@kvm-test-samba1:/var/log/samba$ wbinfo -g
BUILTIN\administrators
BUILTIN\users
zoolook@kvm-test-samba1:/var/log/samba$ wbinfo -u
Error looking up domain users
zoolook@kvm-test-samba1:/var/log/samba$ testparm -s | grep winbind
winbind enum users = Yes
winbind enum groups = Yes
winbind use default domain = Yes
Norberto Bensa
2009-Jul-08 21:14 UTC
[Samba] editposix: winbind -u: Error looking up domain users
On Wed, Jul 8, 2009 at 5:11 PM, Dale Schroeder <dale@briannassaladdressing.com> wrote:
> A question for you - the link does not mention nsswitch.conf. Is it
> required to list both ldap and winbind
> for passwd and group? For example,
> passwd: compat ldap winbind
> group: compat ldap winbind

I don't know. That's why I'm asking. As I said, everything works except "wbinfo -u" and "wbinfo -g". Maybe it's normal with editposix, but I want to be sure.

> I would be curious to know the answer.

Me too :-)

> If you're using PAM, I assume that is configured for ldap and winbind also.

Nope. I'm not using PAM as I don't authenticate users via PAM in this machine. However, I use LDAP in nss.

Thanks for your help.
Norberto
Norberto Bensa
2009-Jul-08 21:49 UTC
[Samba] editposix: winbind -u: Error looking up domain users
On Wed, Jul 8, 2009 at 6:38 PM, Dale Schroeder <dale@briannassaladdressing.com> wrote:
> According to the creator, you do configure nss for both ldap and winbind.
> http://lists.samba.org/archive/samba-technical/2006-March/045787.html

Many thanks for the link but I tried that and nope: wbinfo -u still can't list users.

Oh well. Maybe it works like this. Don't worry, this is only a test, not a production box.

Best regards,
Norberto
Norberto Bensa
2009-Jul-09 04:58 UTC
[Samba] editposix: winbind -u: Error looking up domain users
On Wed, Jul 8, 2009 at 11:29 PM, Aaron Jambu <aaron@epits.com.au> wrote:
> Just wondering why you are using winbind.
>
> When I use ldap to pull info from Active Directory I don't need to use winbind.
>

please, read my first post