samba - Apr 2008 - Samba in Active-Drirector environements with centralized sid to uid mapping

Hello list!

We have some problems while trying to integrate a group of linux-servers into
our Active Directory.
Our plan is, to connect these Machies via winbindto the AD.
Our usere should be able to login on these machines with their windows
credentials.
We want the AD to do the mapping between windows SID and linux UID/GID


For this purposes, we installed SFU 3.5 at our AD, and activated the UIDs for
all allowed users.
We successfully connected these machines (client0 up to client9) to the AD,
wbinfo -u and wbinfo -g lists all domain members and all domain groups.
We edited /etc/nsswitch.conf and enabled winbind

  passwd: files  winbind ldap
  group:  files  winbind ldap
  shadow: files  winbind ldap

Note: The ldap-entries are made previously, to enable a LDAP-logon, but we want
to replace the LDAP-logon with winbind/AD logon, to centralize the
user-managenent.

Now, the troubles begun.

Our problems are:
1) if i want to check the uid of a user, not all servers act identically
     eg. Id kreitz
        server0: uid=32821(kreitz) gid=32002 groups=32001,32005,32003,32002
            server1: uid=32821(kreitz) gid=32002 groups=32001,32002
            server2: uid=32821(kreitz) gid=32002 groups=32000,32001,32002
            ...
2) we tried to stop winbind, clear the winbind-cache /var/cache/idmap_cache.tdb
and restart winbind
      id: kreitz: No such user


I did not know, how to debug winbind, to find the problems in my configuration.

Here some Informations about my systems:

Linux: RHEL4
Samba: 3.0.25b-1.el4_6.4
Winbind: 3.0.25b-1.el4_6.4

My Configs (some)

/etc/samba/smb.conf
[global]
        workgroup = <SHORT-DOMAIN>  # anonymized
        netbios name = client0
        realm = <DOMAIN>        # anonymized
        idmap uid = 10000-640000
        idmap gid = 10000-640000
        idmap backend = ad
        winbind separator = +
        winbind use default domain = Yes
        security = ADS
        encrypt passwords = yes
        password server = <AD-Server> # anonymized
        client use spnego = yes
        winbind enum users = yes
        winbind enum groups = yes
        unix password sync = yes
        template shell = /bin/bash
        winbind nss info = sfu

/etc/nsswitch.conf
passwd: files  winbind ldap
group:  files  winbind ldap
shadow: files  winbind ldap

hosts:  files  dns
networks:       files  dns
services:       files  db
protocols:      files  db
rpc:    files  db
ethers: files  db
netmasks:       files
netgroup:       files
publickey:      files
bootparams:     files
automount:      ldap
aliases:        files

/etc/krb5.conf
[libdefaults]
        default_realm = <domain>
        clockskew = 300


[realms]
        <domain> = {
        kdc = <AD-Server>
}

[domain_realm]
        .<domain> = <DOMAIN>
        <domain> = <DOMAIN>

[logging]
        default = FILE:/var/log/krb5libs.log
        kdc = FILE:/var/log/kdc.log
        kadmind = FILE:/var/log/kadmind.log

[appdefaults]
        pam = {
        ticket_lifetime = 1d
        renew_lifetime = 1d
        forwardable = true
        proxiable = false
        retain_after_close = false
        minimum_uid = 0
        debug = false
}

Greetings

Christopher Kreitz