Found the answer, wanted to post it for other folks to find. Note
https://bugzilla.samba.org/show_bug.cgi?id=6322: this is a known
little detail.
Basically, if the tdb range and the ad range are non-exclusive, it
doesn't query the AD. Solution is to separate the ranges:
idmap backend = tdb
idmap uid = 100000-165000
idmap gid = 100000-165000
idmap config FOO:backend = ad
idmap config FOO:default = yes
idmap config FOO:schema mode = rfc2307
idmap config FOO:range = 1000-66000
Jay
On 04/15/2011 05:03 PM, Jay Coleman wrote:
>
> Hi,
>
> We recently updated our domain to 2008R2 servers from 2000.
>
> I know the services for unix changed from the proprietary setup in
> 2000 to rfc2307 compliant around 2003 R2
>
> I've updated samba to 3.5.4 (apparently most earlier versions don't
> play well with the changes in AD), and gotten things essentially
> working. The problem is users created since the old 2000 servers have
> been retired.
>
> Users with the old msSFU info in the schema work fine, users without
> that info fail.
>
> smb.conf:
> [global]
>
> workgroup = BLAH
> realm = BLAH.NOWHERE.COM
> password server = styx.blah.nowhere.com, aurora.blah.nowhere.com
> security = ADS
> netbios name = HECTOR
> local master = No
> domain master = No
> idmap backend = tdb
> idmap domains = BLAH
> idmap config BLAH:backend = ad
> idmap config BLAH:schema mode = rfc2307
> idmap config BLAH:range = 1000-100000
> inherit acls = Yes
> map acl inherit = Yes
> idmap uid = 1000 - 100000
> idmap gid = 1000 - 100000
> winbind separator = +
> winbind nss info = rfc2307 template
> winbind nested groups = Yes
> winbind use default domain = Yes
> winbind refresh tickets = Yes
> winbind enum users = No
> winbind enum groups = No
> winbind offline logon = true
> template shell = /bin/bash
> template homedir = /home/%U
>
> I've tried both sfu and rfc2307, no difference. I've tried enum users
> and groups both on and off, no difference.
>
> For an example, if I do a wbinfo -i on one of the older accounts (with
> both msSFU and rfc2307 info in the schema, confirmed by ldapsearch), I
> get correct response, no problem. When I do a wbinfo -i on a new
> account, I get
> [2011/04/15 18:52:44.737596, 1]
> winbindd/idmap_ad.c:651(idmap_ad_sids_to_unixids)
> Could not get unix ID
> in the winbindd-idmap log
>
> Oddly, on that same user I can't get wbinfo -i, if I do
> wbinfo -n name
> (SID)
> wbinfo -S (SID)
> it gives me the UID
>
> Ideas?
>
> Thanks
>
--
Jeremiah Coleman
Systems Administrator
C & C Technologies
337-735-3741
Extension 3421
jay.coleman at cctechnol.com
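To catch this range collision before restarting winbind, here is an added example (my own, not from the Samba project or this thread): a Python script that parses the idmap lines of an smb.conf and reports any AD domain range that overlaps the default tdb range. It recognizes the "idmap uid"/"idmap gid" keys used in the thread as well as the "idmap config * : range" form used by Samba 3.6 and later; the two embedded configs are constructed from the thread.

```python
import re

# "idmap config DOMAIN:range = 1000-66000"; spaces around ':' and '-' are tolerated.
_DOMAIN_RANGE = re.compile(
    r"^\s*idmap\s+config\s+([^:=\s]+)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)\s*$", re.I)
# Pre-3.6 default-backend range keys: "idmap uid = 1000 - 100000" / "idmap gid = ...".
_DEFAULT_RANGE = re.compile(r"^\s*idmap\s+(uid|gid)\s*=\s*(\d+)\s*-\s*(\d+)\s*$", re.I)

def parse_idmap_ranges(conf_text):
    """Return (default_tdb_range, {DOMAIN: (lo, hi)}). The default range comes from
    'idmap uid'/'idmap gid' (Samba 3.5, as in the thread) or 'idmap config * : range' (3.6+)."""
    default, domains = None, {}
    for line in conf_text.splitlines():
        if line.lstrip().startswith(("#", ";")):  # smb.conf comment line
            continue
        m = _DOMAIN_RANGE.match(line)
        if m:
            dom, rng = m.group(1), (int(m.group(2)), int(m.group(3)))
            if dom == "*":
                default = rng
            else:
                domains[dom.upper()] = rng  # domain names are case-insensitive
            continue
        m = _DEFAULT_RANGE.match(line)
        if m:
            default = (int(m.group(2)), int(m.group(3)))
    return default, domains

def ranges_overlap(a, b):
    """True when closed intervals [a0, a1] and [b0, b1] share at least one ID."""
    return a[0] <= b[1] and b[0] <= a[1]

def find_overlaps(conf_text):
    """AD domains whose range collides with the default tdb range; per the thread,
    winbind then never queries AD for them ('Could not get unix ID' in the log)."""
    default, domains = parse_idmap_ranges(conf_text)
    if default is None:
        return []
    return [(d, default, r) for d, r in sorted(domains.items()) if ranges_overlap(default, r)]

# Constructed from the thread: the failing config, then the reply's fix.
BROKEN_CONF = ("idmap backend = tdb\nidmap config BLAH:backend = ad\n"
               "idmap config BLAH:range = 1000-100000\n"
               "idmap uid = 1000 - 100000\nidmap gid = 1000 - 100000\n")
FIXED_CONF = ("idmap backend = tdb\nidmap uid = 100000-165000\nidmap gid = 100000-165000\n"
              "idmap config FOO:backend = ad\nidmap config FOO:range = 1000-66000\n")

if __name__ == "__main__":
    for name, conf in (("broken", BROKEN_CONF), ("fixed", FIXED_CONF)):
        print(name, find_overlaps(conf) or "ranges are disjoint")
```

Run it against a real smb.conf by reading the file into find_overlaps(); the script only checks range arithmetic and does not talk to winbind or AD.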