Bryan McLellan
2009-Mar-07 04:16 UTC
[Samba] idmap_ad not returning correct UID under 3.3.1
I'm testing winbind 3.3.1-1ubuntu1 (jaunty) and my user stored in AD is consistently being returned with a UID of 1000, rather than 10031, which is what's stored in LDAP/AD under uidNumber. If I install the 3.2.3-1ubuntu3.4 packages from intrepid, 'id bryanm' correctly returns 10031, but when upgrading back to 3.3.1-1ubuntu1, I get the wrong UID again. I did an install from source as well and experience the same conditions, but can't guarantee it was set up correctly since it was in an error state.

I see some interesting errors about being unable to find domain '*' which I'll attach to the end. Perhaps this is part of the new support of idmap_ad for multiple domains? Has configuration changed and the man pages not been updated perhaps, where one has to specify a domain to use specifically due to this feature?

From winbindd -i -s /etc/samba/smb.conf -d10 -n

3.3.1:

idmap_sid_to_uid: sid [S-1-5-21-1659249844-2332029812-1458590236-1419], domain = ''
Returning valid cache entry: key IDMAP/SID2UID/S-1-5-21-1659249844-2332029812-1458590236-1419, value 1000, timeout = Fri Mar 13 17:01:56 2009
idmap_cache_find_sid2uid found 1000
Returning positive cache entry

3.2.3:

idmap_sid_to_uid: sid = [S-1-5-21-1659249844-2332029812-1458590236-1419]
Returning valid cache entry: key IDMAP/SID/S-1-5-21-1659249844-2332029812-1458590236-1419, value IDMAP/UID/10031, timeout = Fri Mar 6 19:52:16 2009

current smb.conf (lots of tinkering):

[global]
security = ADS
workgroup = WM
realm = CORP.WIDEMILE.COM
server string = %h server (Samba %v)
idmap backend = ad
idmap config CORP.WIDEMILE.COM : schema_mode = rfc2307
idmap uid = 1000-20000
idmap gid = 1000-20000
winbind enum users = Yes
winbind enum groups = Yes
winbind nss info = sfu
winbind use default domain = Yes
winbind nested groups = Yes
template shell = /bin/bash
template homedir = /home/%U
allow trusted domains = No
domain master = no
ldap ssl = off

domain '*' errors:

ad_idmap_cached_connection: called for domain '*'
Cache entry with key = SAFJOIN/DOMAIN/* couldn't be found
Cache entry with key = SAF/DOMAIN/* couldn't be found
saf_fetch: failed to find server for "*" domain
ldap_server from saf cache: ''
find_domain_from_name_noinit did not find domain '*'
get_sorted_dc_list: attempting lookup for name * (sitename NULL) using [lmhosts wins host bcast]
Cache entry with key = SAFJOIN/DOMAIN/* couldn't be found
Cache entry with key = SAF/DOMAIN/* couldn't be found
saf_fetch: failed to find server for "*" domain
get_dc_list: preferred server list: ", *"
internal_resolve_name: looking up *#1c (sitename (null))
Cache entry with key = NBT/*#1C couldn't be found
no entry for *#1C found.
resolve_lmhosts: Attempting lmhosts lookup for name *<0x1c>
startlmhosts: Can't open lmhosts file /etc/samba/lmhosts. Error was No such file or directory
resolve_wins: Attempting wins lookup for name *<0x1c>
resolve_wins: WINS server resolution selected and no WINS servers listed.
resolve_hosts: not appropriate for name type <0x1c>
name_resolve_bcast: Attempting broadcast lookup for name *<0x1c>

Hefty -d10 logs at: http://serenity.ninjr.org/~btm/winbind/
Bryan McLellan
2009-Mar-09 18:33 UTC
[Samba] [SOLVED] Re: idmap_ad not returning correct UID under 3.3.1
Two stumbling blocks here, the idmap cache, and the new configuration syntax.

On Fri, Mar 6, 2009 at 9:16 PM, Bryan McLellan <btm@loftninjas.org> wrote:
> From winbindd -i -s /etc/samba/smb.conf -d10 -n

1) -n does not disable the idmap cache
2) I eventually found this data cached in /var/run/samba/gencache.tdb

Which I had to dig through the source to figure out. I would have expected it in /var/cache/samba/winbindd_cache.tdb, or /var/lib/samba/winbindd_idmap.tdb. I realized the FHS layout is likely debian/ubuntu specific, but it was less than clear which file I should be clearing.

> I see some interesting errors about being unable to find domain '*'
> which I'll attach to the end. Perhaps this is part of the new support
> of idmap_ad for multiple domains? Has configuration changed and the
> man pages not been updated perhaps, where one has to specify a domain
> to use specifically due to this feature?

Once I deleted the cache I got back to where I started from with the user not being found. Which made the configuration easier to test by deleting all the caches and running winbindd -i -d10 -n and running it through tee to parse the logs, like

rm /var/run/samba/gencache.tdb && winbindd -i -d10 -n -s /etc/samba/smb.test.conf | tee /tmp/winbind.log

The 'idmap backend' section of smb.conf(5) makes the solution more clear at this point. Don't use 'idmap backend' for ad any longer and only use 'idmap config' commands.

[global]
security = ADS
server string = %h server (Samba %v)
workgroup = WM
realm = CORP.WIDEMILE.COM
idmap config WM : backend = ad
idmap config WM : schema_mode = rfc2307
idmap config WM : range = 1000-20000
winbind enum users = Yes
winbind enum groups = Yes
winbind use default domain = Yes
winbind nested groups = Yes
template shell = /bin/bash
template homedir = /home/%U
allow trusted domains = No
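An added example (not code from the thread or from Samba): a small Python linter that parses the [global] section of an smb.conf and flags the pre-3.3 'idmap backend = ad' form and incomplete 'idmap config <DOMAIN> : ...' blocks, run against the idmap-relevant lines of the two configs posted above. The check that the domain label should equal the workgroup short name is inferred from the working config (WM rather than CORP.WIDEMILE.COM), not from documentation.

```python
import re

def parse_global(text):
    """[global] params of an smb.conf as {key: value}; keys lowercased, whitespace collapsed."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":           # blank or comment line
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "global" and "=" in line:
            key, value = line.split("=", 1)
            params[re.sub(r"\s+", " ", key.strip().lower())] = value.strip()
    return params

def lint_idmap(text):
    """Return findings about the idmap settings; an empty list means the 3.3 form is used."""
    params, findings = parse_global(text), []
    if params.get("idmap backend", "").lower() == "ad":
        findings.append("'idmap backend = ad' is the pre-3.3 form; "
                        "use 'idmap config <DOMAIN> : backend = ad'")
    workgroup = params.get("workgroup", "").upper()
    domains = {}                                   # domain label -> {option: value}
    for key, value in params.items():
        m = re.match(r"idmap config (\S+?)\s*:\s*(\S+)$", key)
        if m:
            domains.setdefault(m.group(1).upper(), {})[m.group(2)] = value
    for dom, opts in domains.items():
        if dom != workgroup:                       # inferred: the working config keys on the short name
            findings.append(f"idmap config '{dom}' is not the workgroup '{workgroup}'")
        for needed in ("backend", "range"):
            if needed not in opts:
                findings.append(f"idmap config {dom} : {needed} is not set")
        if opts.get("backend", "").lower() == "ad" and "schema_mode" not in opts:
            findings.append(f"idmap config {dom} : schema_mode is not set (rfc2307 or sfu)")
    return findings

# Constructed samples: idmap-relevant lines of the two configs posted in this thread.
OLD_CONF = """[global]
workgroup = WM
idmap backend = ad
idmap config CORP.WIDEMILE.COM : schema_mode = rfc2307
idmap uid = 1000-20000"""
NEW_CONF = """[global]
workgroup = WM
idmap config WM : backend = ad
idmap config WM : schema_mode = rfc2307
idmap config WM : range = 1000-20000"""
```

Running lint_idmap(OLD_CONF) reports four findings (old-style backend, realm used as domain label, missing backend and range for that label); lint_idmap(NEW_CONF) reports none.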