Oliver Weinmann
2010-May-04 08:20 UTC
[Samba] Getent passwd and getent group fail / Samba 3.5.2
Hi all,

I just stepped over a problem where I can't add a local user to an AD group. Running getent passwd and getent group doesn't display the AD users. Wbinfo -g and -u work fine. Here is my smb.conf:

[global]
netbios name = sles11test1
realm = SOMEDOMAIN.NET
workgroup = SOMEDOMAIN
security = ADS
encrypt passwords = yes
password server = someserver.somedomain.net
idmap backend = ad
idmap config SOMEDOMAIN : backend = ad
idmap config SOMEDOMAIN : schema_mode = sfu
idmap config SOMEDOMAIN : range = 0-99999999
winbind nss info = sfu
winbind enum users = yes
winbind enum groups = yes
winbind offline logon = yes
preferred master = no
winbind nested groups = Yes
winbind use default domain = Yes
max log size = 50
log file = /var/log/samba/log.%m
log level = 3
dns proxy = no
wins server = 172.20.200.18 172.18.200.20
allow trusted domains = No
client use spnego = Yes
kerberos method = secrets and keytab
dedicated keytab file = /etc/krb5.keytab
winbind refresh tickets = true
idmap cache time = 1
idmap negative cache time = 1
winbind cache time = 1

In the log I get this error when running getent group:

tail -f /var/log/samba/log.winbindd-idmap
Could not get unix ID
[2010/05/04 10:15:29.444783, 1] winbindd/idmap_ad.c:651(idmap_ad_sids_to_unixids)
Could not get unix ID

Getent group and passwd works fine e.g. on an old ubuntu install with samba 3.3.2. So far I have this problem on SLES9 and SLES11.

Oliver Weinmann
Unix and Storage Administrator
VEGA Deutschland GmbH & Co. KG
Mike Leone
2010-May-04 12:34 UTC
[Samba] Getent passwd and getent group fail / Samba 3.5.2
On 5/4/2010 4:20 AM, Oliver Weinmann had this to say:
> Hi all,
>
> I just stepped over a problem where I can't add a local user to an AD group. Running getent passwd and getent group doesn't display the AD users. Wbinfo -g and -u work fine. Here is my smb.conf:

<snip>

> In the log I get this error when running getent group:
>
> tail -f /var/log/samba/log.winbindd-idmap
> Could not get unix ID
> [2010/05/04 10:15:29.444783, 1] winbindd/idmap_ad.c:651(idmap_ad_sids_to_unixids)
> Could not get unix ID

Doesn't that indicate that Samba thinks the SFU extensions aren't installed? What is the version of AD? Is it 2003 R2, or 2003 with SFU installed?

--
Michael J. Leone, <mailto:turgon at mike-leone.com>
PGP Fingerprint: 0AA8 DC47 CB63 AE3F C739 6BF9 9AB4 1EF6 5AA5 BCDF
Photo Gallery: <http://www.flickr.com/photos/mikeleonephotos>
USER ERROR: replace user and press any key to continue.
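An offline check for the question raised in the reply above, as an added example that is not part of the thread: given an LDIF export of the accounts, it lists those with no ID attribute for the configured schema_mode, or with an ID outside the idmap range. It assumes idmap_ad logs "Could not get unix ID" when that attribute is missing; the attribute names per schema mode, the function names and the sample LDIF are assumptions or constructed data.

```python
# Added example. Attribute names per schema_mode are assumptions based on the
# idmap_ad documentation; SAMPLE_LDIF is constructed, not taken from the thread.
import re

ID_ATTRS = {
    "sfu": ("msSFU30UidNumber", "msSFU30GidNumber"),
    "rfc2307": ("uidNumber", "gidNumber"),
}

SAMPLE_LDIF = """\
dn: CN=alice,CN=Users,DC=somedomain,DC=net
objectClass: user
sAMAccountName: alice
uidNumber: 10001
gidNumber: 10000

dn: CN=bob,CN=Users,DC=somedomain,DC=net
objectClass: user
sAMAccountName: bob
msSFU30UidNumber: 10002
msSFU30GidNumber: 10000

dn: CN=unixusers,CN=Users,DC=somedomain,DC=net
objectClass: group
sAMAccountName: unixusers
gidNumber: 10000
"""

def parse_ldif(text):
    """Return one {attribute: value} dict per entry (last value wins)."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = {}
        for line in block.splitlines():
            name, sep, value = line.partition(": ")
            if sep:
                entry[name] = value
        entries.append(entry)
    return entries

def unmappable(entries, schema_mode, id_range):
    """List (account, reason) pairs that idmap_ad could not map to a unix ID."""
    uid_attr, gid_attr = ID_ATTRS[schema_mode]
    low, high = id_range
    failed = []
    for e in entries:
        attr = gid_attr if e.get("objectClass") == "group" else uid_attr
        if attr not in e:
            failed.append((e["sAMAccountName"], "no " + attr))
        elif not low <= int(e[attr]) <= high:
            failed.append((e["sAMAccountName"], "out of range"))
    return failed
```

Run against an export of the real directory with the schema_mode and range from smb.conf: entries reported as missing the attribute are the ones that would show up in wbinfo but not in getent.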
Oliver Weinmann
2010-May-05 08:00 UTC
[Samba] Getent passwd and getent group fail / Samba 3.5.2
I'm really totally lost about this problem. I tried a lot of things in smb.conf but it just doesn't work. I mean it is working fine on 3.3.2 so I don't think this is a problem in AD. It must be something that has changed in the config of 3.5.2.