Eric Gottesman
2007-Dec-04 22:37 UTC
[Samba] winbind users not getting groups. idmap backend problem?
yo. i have a vmware VI3 machine (which is effectively FC3 for our intents and purposes) i'm trying to get to authenticate with our active directory domain. it's -mostly- working- i can log in as my domain user successfully, getent passwd and group work, wbinfo -u and -g work, however wbinfo -t fails and if i type 'groups <domainuser>', i get this:

    id: cannot find name for group ID 10005
    id: cannot find name for group ID 10006
    id: cannot find name for group ID 10008
    id: cannot find name for group ID 10009
    id: cannot find name for group ID 10016

/var/log/samba.winbindd has a bunch of errors like this:

    [2007/12/04 14:22:05, 1] nsswitch/winbindd_cm.c:cm_open_connection(333)
      failed tcon_X with NT_STATUS_ACCESS_DENIED
    [2007/12/04 14:22:05, 1] nsswitch/winbindd_cm.c:cm_open_connection(333)
      failed tcon_X with NT_STATUS_ACCESS_DENIED
    [2007/12/04 14:22:05, 1] nsswitch/winbindd_cm.c:cm_open_connection(333)
      failed tcon_X with NT_STATUS_ACCESS_DENIED
    [2007/12/04 14:22:05, 1] nsswitch/winbindd_group.c:winbindd_getgrgid(381)
      could not lookup sid

here's my smb.conf:

    [global]
    workgroup = OURWORKGROUP
    netbios name = hostname
    server string = Linux workstation 1
    security = ADS
    log file = /var/log/samba/samba.%m
    max log size = 50
    local master = no
    preferred master = no
    idmap uid = 10000-20000
    idmap gid = 10000-20000
    winbind enum users = yes
    winbind enum groups = yes
    winbind use default domain = yes
    template homedir = /home/%U
    template shell = /bin/bash
    encrypt passwords = yes
    dns proxy = no
    realm = REALM.COMPANY.COM
    password server = servername.company.com
    wins proxy = no
    allow trusted domains = no

i vaguely suspect that i need something like this:

    idmap backend = idmap_rid:REALM.COMPANY.COM=10000-20000

...but if i put that in, winbind completely stops working and i can't do anything. thoughts?
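A triage helper for the symptoms in the post above, as an added example that is not part of the original thread: it checks whether the GIDs that `groups` cannot name fall inside the `idmap gid` range from smb.conf, and tallies the winbindd log failures by function and status. The sample strings, GID 513 and all function names are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample input, shaped like the smb.conf, `groups` output and
# winbindd log lines quoted in the post (not a capture from a real host).
SMB_CONF = "[global]\n  idmap uid = 10000-20000\n  idmap gid = 10000-20000\n"
ID_OUTPUT = ("id: cannot find name for group ID 10005\n"
             "id: cannot find name for group ID 10016\n"
             "id: cannot find name for group ID 513\n")  # 513: constructed out-of-range case
WINBINDD_LOG = """\
[2007/12/04 14:22:05, 1] nsswitch/winbindd_cm.c:cm_open_connection(333)
  failed tcon_X with NT_STATUS_ACCESS_DENIED
[2007/12/04 14:22:05, 1] nsswitch/winbindd_cm.c:cm_open_connection(333)
  failed tcon_X with NT_STATUS_ACCESS_DENIED
[2007/12/04 14:22:05, 1] nsswitch/winbindd_group.c:winbindd_getgrgid(381)
  could not lookup sid
"""
# Samba log header: "[date time, level] file.c:function(line)", message follows.
HEADER = re.compile(r"^\[[^\]]+\]\s+\S+?:(\w+)\(\d+\)\s*(.*)$")

def idmap_range(conf, key):
    """Return (low, high) for 'idmap uid' / 'idmap gid', or None if unset."""
    m = re.search(rf"^\s*{re.escape(key)}\s*=\s*(\d+)\s*-\s*(\d+)", conf, re.M | re.I)
    return (int(m.group(1)), int(m.group(2))) if m else None

def unresolved_gids(id_output):
    return [int(g) for g in re.findall(r"cannot find name for group ID (\d+)", id_output)]

def log_entries(log):
    """Pair each log header with its message, on the same or following lines."""
    entries = []
    for line in log.splitlines():
        m = HEADER.match(line)
        if m:
            entries.append({"func": m.group(1), "msg": m.group(2).strip()})
        elif entries and line.strip():
            entries[-1]["msg"] = (entries[-1]["msg"] + " " + line.strip()).strip()
    return entries

def triage(conf, id_output, log):
    """Relate unresolved GIDs to winbind's idmap range and to logged failures."""
    rng = idmap_range(conf, "idmap gid")
    gids = unresolved_gids(id_output)
    in_range = [g for g in gids if rng and rng[0] <= g <= rng[1]]
    failures = Counter()
    for e in log_entries(log):
        status = re.search(r"NT_STATUS_\w+", e["msg"])
        failures[(e["func"], status.group(0) if status else e["msg"])] += 1
    return {"gid_range": rng, "winbind_gids": in_range,
            "other_gids": [g for g in gids if g not in in_range],
            "failures": dict(failures)}
```

GIDs reported under `winbind_gids` are ones winbind is responsible for mapping, so they point at winbindd's failed lookups in the log rather than at local group files.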
Chris Jeter
2007-Dec-05 17:18 UTC
[Samba] winbind users not getting groups. idmap backend problem?
> [global]
> workgroup = OURWORKGROUP
> netbios name = hostname
> server string = Linux workstation 1
> security = ADS
> log file = /var/log/samba/samba.%m
> max log size = 50
> local master = no
> preferred master = no
> idmap uid = 10000-20000
> idmap gid = 10000-20000
> winbind enum users = yes
> winbind enum groups = yes
> winbind use default domain = yes
> template homedir = /home/%U
> template shell = /bin/bash
> encrypt passwords = yes
> dns proxy = no
> realm = REALM.COMPANY.COM
> password server = servername.company.com
> wins proxy = no
> allow trusted domains = no
>
> i vaguely suspect that i need something like this:
>
> idmap backend = idmap_rid:REALM.COMPANY.COM=10000-20000
>
> ...but if i put that in, winbind completely stops working and i can't
> do anything. thoughts?

Here is my Global section of our smb conf. This is running in the same environment as yours. Our host OS is FC7 and our samba version is Version 3.0.26a-6.fc7

    security = ads
    netbios name = hostname
    realm = ADDOMAIN.domain
    password server = ADDOMAIN.domain
    workgroup = ADDOMAIN
    idmap uid = 500-10000000
    idmap gid = 500-10000000
    winbind separator = +
    winbind enum users = yes
    winbind enum groups = yes
    winbind use default domain = yes
    preserve case=yes
    short preserve case=yes
    case sensitive=no
    template homedir = /home/shares/%D/%U
    template shell = /bin/bash
    client use spnego = yes
    domain master = no
    encrypt passwords = yes

I'm not setting the idmap backend option and have no problems. I've also read a couple of places that the server string option needs to be set to your FQDN, mine is not though and it's still working.

Also make sure you are syncing your time between your AD and your samba box. You will see a time drift issue if you aren't running vmtools and syncing to your esx server or some form of ntp. Your kerberos tickets will start expiring.

--
--------------------
Chris Jeter
Senior IT Technician
The World Company
785.312.6911
--------------------