Erwin Fritz
2004-Apr-20  22:00 UTC
[Samba] Winbindd can't load Idmap OU with SID-uid mappings
I'm running Samba 3.0.2a on Solaris 9. My shop also runs Active Directory on
W2K (SP4). In an attempt to build a single sign-on solution, I thought I'd
get Samba to allow Windows 2000 users to telnet/rlogin/ftp to my UNIX boxes
without requiring those users to have a UNIX account.
The Samba dox claim this is possible, because winbindd will map the AD account
SID to a UNIX userid, and will store that mapping in the winbindd_idmap.tdb
file.
This works just fine. AD users can map drives and can connect to the UNIX box
through telnet, rlogin, or ftp. They do not need a UNIX account.
Problem solved? Not quite. I have many UNIX boxes, and because the Samba shares
are NFS-mounted to these boxes, I have to ensure that the SID-uid mapping is
consistent across all machines. Samba will do this by keeping the mapping in an
OU created in the AD tree. I created that OU, and called it Idmap.
For the life of me, though, I can't get Samba to store the mapping in the
OU. It continues to store it in the winbindd_idmap file.
My Solaris box is running Solaris 9, with patch 113476-13, MIT Kerberos 1.3.1,
and OpenLDAP 2.2.5 (because Samba needs the LDAP stuff to compile).
Samba was configured with these options:
  ./configure --prefix=/opt/samba \
              --with-syslog \
              --with-utmp \
              --with-codepagedir=/var/samba/code \
              --with-configdir=/var/samba/conf \
              --with-lockdir=/var/samba/lock \
              --with-privatedir=/var/samba/private \
              --with-swatdir=/var/samba/swat \
              --with-logfilebase=/var/samba/log \
              --datadir=/var/samba/share \
              --localstatedir=/var/samba/var \
              --sharedstatedir=/var/samba/com \
              --sysconfdir=/var/samba/etc \
              --with-acl-support \
              --with-krb5=/opt/kerberos \
              --with-winbind \
              --with-ldap \
              --with-ldapsam
The global portion of my smb.conf is:
[global]
        workgroup = AD_DOMAIN
        realm = INTERNAL_DOMAIN.COM
        server string = Test server
        security = ADS
        password server = ad1.internal_domain.com ad2.internal_domain.com
        lanman auth = No
        ntlm auth = No
        client NTLMv2 auth = Yes
        client lanman auth = No
        client plaintext auth = No
        log level = 2
        disable netbios = Yes
        name resolve order = host
        load printers = No
        os level = 0
        lm announce = No
        preferred master = No
        local master = No
        domain master = No
        dns proxy = No
        ldap suffix = dc=internal_domain,dc=com
        ldap idmap suffix = ou=Idmap,dc=internal_domain,dc=com
        ldap admin dn = cn=Administrator,ou=Users,dc=internal_domain,dc=com
        ldap ssl = no
        idmap uid = 10000-20000
        idmap gid = 10000-20000
        template shell = /bin/ksh
        winbind separator = +
        hosts allow = 198.161.66., 192.168.100.
        wide links = No
I know the problem isn't with pam.conf or nsswitch.conf, since my AD users
can connect to the Solaris box without any problems.
When I try to connect, I get this error message on the Samba server:
'failed to bind to server with dn=
cn=Administrator,ou=Users,dc=internal_domain,dc=com Error: Can't contact
LDAP server'
Well, I know the LDAP server works. Running both 'wbinfo -u' and
'getent passwd' shows the AD accounts.
Am I missing something obvious here? 
Erwin Fritz
Network Administrator
Gilbert Laustsen Jung Associates Ltd.
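As an added example, not part of Erwin's post and not Samba's own tooling, here is a POSIX shell check that reads the idmap-related parameters out of an smb.conf and reports what a reviewer would look at first, without contacting the directory. It assumes Samba 3.0.x parameter names (in that series the LDAP idmap store is only used when "idmap backend" names it, in the ldap:ldap://host form; with the parameter unset winbindd keeps using winbindd_idmap.tdb) and feeds itself a constructed copy of the posted [global] section. The "fixed" variant it can write is illustrative, not a verified resolution of the thread.

```shell
#!/bin/sh
# Added example (not from the thread): offline sanity check of the idmap-related
# settings in a Samba 3.0.x smb.conf. It only reads the file; it never talks to
# the LDAP server. Parameter names follow smb.conf(5) for Samba 3.0.x.

# conf_get FILE PARAM: print the value of PARAM from FILE (first match wins,
# case-insensitive, comment lines skipped). The value is everything after the
# first '=', so DNs such as dc=x,dc=y come back whole.
conf_get() {
    awk -v key="$2" '
        /^[[:space:]]*[;#]/ { next }
        index($0, "=") > 0 {
            k = substr($0, 1, index($0, "=") - 1)
            sub(/^[[:space:]]+/, "", k); sub(/[[:space:]]+$/, "", k)
            if (tolower(k) == tolower(key)) {
                v = substr($0, index($0, "=") + 1)
                sub(/^[[:space:]]+/, "", v); sub(/[[:space:]]+$/, "", v)
                print v
                exit
            }
        }' "$1"
}

# check_idmap_conf FILE: print one tagged line per finding, then PROBLEMS=N.
check_idmap_conf() {
    conf="$1"
    n=0
    suffix=$(conf_get "$conf" "ldap idmap suffix")
    backend=$(conf_get "$conf" "idmap backend")
    admindn=$(conf_get "$conf" "ldap admin dn")
    ssl=$(conf_get "$conf" "ldap ssl")

    # Without 'idmap backend', winbindd keeps its SID<->uid table in
    # winbindd_idmap.tdb no matter what 'ldap idmap suffix' says.
    if [ -n "$suffix" ] && [ -z "$backend" ]; then
        echo "MISSING_IDMAP_BACKEND: 'ldap idmap suffix' is set but 'idmap backend' is not (3.0.x form: idmap backend = ldap:ldap://host)"
        n=$((n + 1))
    fi
    case "$backend" in
        ""|ldap:ldap://*|ldap:ldaps://*) ;;
        *) echo "ODD_IDMAP_BACKEND: unexpected value '$backend'"; n=$((n + 1)) ;;
    esac

    # 'ldap ssl = no' means the admin DN's simple bind (password kept in
    # secrets.tdb via 'smbpasswd -w') is sent in the clear on port 389.
    if [ "$(printf '%s' "$ssl" | tr 'A-Z' 'a-z')" = "no" ] && [ -n "$admindn" ]; then
        echo "LDAP_CLEARTEXT: ldap ssl = no; admin DN bind credentials cross the network unencrypted"
        n=$((n + 1))
    fi

    # Active Directory's built-in Users container is CN=Users, not an OU; a
    # bind DN under ou=Users only resolves if such an OU was actually created.
    if printf '%s' "$admindn" | grep -qi 'ou=users,'; then
        echo "CHECK_ADMIN_DN: '$admindn' uses ou=Users; AD's default container is cn=Users"
        n=$((n + 1))
    fi
    echo "PROBLEMS=$n"
}

# write_sample_conf FILE [fixed]: write a constructed [global] section modelled
# on the posted one; with "fixed" the three flagged settings are changed
# (illustrative values, not a verified fix for the thread).
write_sample_conf() {
    if [ "$2" = "fixed" ]; then
        backend="        idmap backend = ldap:ldap://ad1.internal_domain.com"
        ssl="        ldap ssl = start tls"
        admin="        ldap admin dn = cn=Administrator,cn=Users,dc=internal_domain,dc=com"
    else
        backend="        ; idmap backend not set, as in the post"
        ssl="        ldap ssl = no"
        admin="        ldap admin dn = cn=Administrator,ou=Users,dc=internal_domain,dc=com"
    fi
    cat > "$1" <<EOF
[global]
        workgroup = AD_DOMAIN
        realm = INTERNAL_DOMAIN.COM
        security = ADS
        ldap suffix = dc=internal_domain,dc=com
        ldap idmap suffix = ou=Idmap,dc=internal_domain,dc=com
$admin
$ssl
$backend
        idmap uid = 10000-20000
        idmap gid = 10000-20000
EOF
}

# Demo: run the check against the constructed copy of the posted settings.
tmp=$(mktemp) || exit 1
write_sample_conf "$tmp"
check_idmap_conf "$tmp"
rm -f "$tmp"
```

Run it as `sh check_idmap.sh`, or point check_idmap_conf at a real smb.conf; a clean file ends with PROBLEMS=0. The script deliberately stops short of binding to the directory: once the configuration is consistent, the remaining question in the post (whether the admin DN can reach and bind to the DC at all) is answered on the wire, not in the file.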