Gaiseric Vandal
2011-Mar-17 02:08 UTC
[Samba] idmap allocation does not work Samba 3.4.7 on FC11
I have set up a Samba 3.4.7 on Fedora Core 11 Linux (this is the samba version installed with "yum update.") This is a domain member server. The PDC is a Samba 3.4.9 on Solaris 10. Winbind is running.

I am trying to get idmap allocation working. The unix accounts for the samba accounts are in LDAP, so they are actually consistent across all samba machines.

The man pages indicated that if I set

winbind trusted domains only = no

in smb.conf, then samba should just map windows names to the unix names. I do have trusts set up with other domains but those trusted domains can be ignored on this server.

However, the man pages also indicate that idmap_nss is the new and preferred way to handle this. It should map the Windows users to the existing unix users, and not have to allocate new uid's. Therefore I added the following lines to my smb.conf

idmap config MYDOMAIN : backend = nss
idmap config MYDOMAIN: range = 100-999999

(Unix UID's for network users start at 100.)

"wbinfo -u" does show the domain users. However, "getent passwd" does not show the domain users. "idmap MYDOMAIN\\someuser" also does not return a uid for the user. /var/lib/samba/winbindd_idmap.tdb does not have any entries for the domain users.

To try to make this even simpler I tried setting up really basic idmap with tdb backend

idmap backend = tdb
idmap uid = 1000000-2000000
idmap gid = 1000000-2000000
idmap alloc backend = tdb
idmap config MYDOMAIN: backend = tdb
idmap config MYDOMAIN: range = 1000000-2000000

I realize that if this works it will allocate uid's for the domain users that do not match the unix uid's, but at least that would indicate that uid's were being allocated by the idmap functionality. But no luck.
I even tried manually allocating a uid- the tdb file gets updated in the

# wbinfo -n MYDOMAIN\\someuser
S-1-5-21-xxxx-xxxx-xxxx-1121User (1)
# wbinfo --allocate-uid
New uid: 1000001
wbinfo --set-uid-mapping=1000000,S-1-5-21-xxxx-xxxx-xxxx-1121
uid 1000001 now mapped to sid S-1-5-21- xxxx-xxxx-xxxx -1121
# wbinfo -U 1000001
S-1-5-21-xxxx-xxxx-xxxx-1121
# wbinfo -S S-1-5-21-xxxx-xxxx-xxxx-1121
1000001
# id MYDOMAIN\\someuser
id: MYDOMAIN\\someuser: No such user
#tdbdump /var/lib/samba/winbindd_idmap.tdb
.
key(12) = "UID 1000001\00"
data(46) = "S-1-5-21-xxxx-xxxx-xxxx-1121\00"
.
key(46) = "S-1-5-21-xxxx-xxxx-xxxx-1121\00"
data(12) = "UID 1000001\00"
..

So it seems that Samba (winbind?) can NOT allocate unix id's to Windows users. It also seems that if I manually create them then Samba (Winbind?) can't read them.

Help is appreciated.

Thanks
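
Added example, not part of the original post: a check that every UID/GID record in `tdbdump` output of winbindd_idmap.tdb has a matching SID record in the other direction and falls inside the configured idmap range. The sample dump is constructed in the record format shown above; the function names and the extra out-of-range entry are assumptions made for illustration.

```python
import re

# Constructed sample in the record format from the post (SIDs are placeholders).
# The last record is an invented one-way, out-of-range entry.
SAMPLE_DUMP = r'''
key(12) = "UID 1000001\00"
data(46) = "S-1-5-21-xxxx-xxxx-xxxx-1121\00"
key(46) = "S-1-5-21-xxxx-xxxx-xxxx-1121\00"
data(12) = "UID 1000001\00"
key(12) = "UID 3000005\00"
data(46) = "S-1-5-21-xxxx-xxxx-xxxx-1200\00"
'''

# One record is a key line followed by a data line.
RECORD = re.compile(r'key\(\d+\) = "(.*?)"\s*data\(\d+\) = "(.*?)"', re.S)


def parse_dump(text):
    """Return (id_to_sid, sid_to_id) dicts built from tdbdump text."""
    id_to_sid, sid_to_id = {}, {}
    for key, data in RECORD.findall(text):
        # tdbdump prints the trailing NUL byte as the literal text \00.
        key, data = key.replace(r'\00', ''), data.replace(r'\00', '')
        if key.startswith(('UID ', 'GID ')):
            id_to_sid[key] = data
        elif key.startswith('S-1-'):
            sid_to_id[key] = data
        # Other keys (counters, version markers) are not mappings; skip them.
    return id_to_sid, sid_to_id


def check_mappings(text, low, high):
    """List mappings that are out of range or present in one direction only."""
    findings = []
    id_to_sid, sid_to_id = parse_dump(text)
    for unix_id, sid in sorted(id_to_sid.items()):
        number = int(unix_id.split()[1])
        if not low <= number <= high:
            findings.append(f'{unix_id}: outside range {low}-{high}')
        if sid_to_id.get(sid) != unix_id:
            findings.append(f'{unix_id}: no matching reverse record for {sid}')
    for sid, unix_id in sorted(sid_to_id.items()):
        if id_to_sid.get(unix_id) != sid:
            findings.append(f'{sid}: no matching forward record for {unix_id}')
    return findings


if __name__ == '__main__':
    # Range taken from the "idmap uid = 1000000-2000000" setting in the post.
    for line in check_mappings(SAMPLE_DUMP, 1000000, 2000000):
        print(line)
```
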