Hi,
We recently updated our domain to 2008R2 servers from 2000.
I know the services for unix changed from the proprietary setup in 2000
to rfc2307 compliant around 2003 R2
I've updated samba to 3.5.4 (apparently most earlier versions don't play
well with the changes in AD), and gotten things essentially working.
The problem is users created since the old 2000 servers have been retired.
Users with the old msSFU info in the schema work fine, users without
that info fail.
smb.conf:
[global]
workgroup = BLAH
realm = BLAH.NOWHERE.COM
password server = styx.blah.nowhere.com, aurora.blah.nowhere.com
security = ADS
netbios name = HECTOR
local master = No
domain master = No
idmap backend = tdb
idmap domains = BLAH
idmap config BLAH:backend = ad
idmap config BLAH:schema mode = rfc2307
idmap config BLAH:range = 1000-100000
inherit acls = Yes
map acl inherit = Yes
idmap uid = 1000 - 100000
idmap gid = 1000 - 100000
winbind separator = +
winbind nss info = rfc2307 template
winbind nested groups = Yes
winbind use default domain = Yes
winbind refresh tickets = Yes
winbind enum users = No
winbind enum groups = No
winbind offline logon = true
template shell = /bin/bash
template homedir = /home/%U
I've tried both sfu and rfc2307, no difference. I've tried enum users
and groups both on and off, no difference.
For an example, if I do a wbinfo -i on one of the older accounts (with
both msSFU and rfc2307 info in the schema, confirmed by ldapsearch), I
get correct response, no problem. When I do a wbinfo -i on a new
account, I get
[2011/04/15 18:52:44.737596, 1]
winbindd/idmap_ad.c:651(idmap_ad_sids_to_unixids)
Could not get unix ID
in the winbindd-idmap log
Oddly, on that same user I can't get wbinfo -i, if I do
wbinfo -n name
(SID)
wbinfo -S (SID)
it gives me the UID
Ideas?
Thanks
--
Jeremiah Coleman
Systems Administrator
C& C Technologies
337-735-3741
Extension 3421
jay.coleman at cctechnol.com
Found the answer, wanted to post it for other folks to find. Note
that this is a known little detail:
https://bugzilla.samba.org/show_bug.cgi?id=6322
Basically, if the tdb range and the ad range are non-exclusive, it
doesn't query the AD. Solution is to separate the ranges:
idmap backend = tdb
idmap uid = 100000-165000
idmap gid = 100000-165000
idmap config FOO:backend = ad
idmap config FOO:default = yes
idmap config FOO:schema mode = rfc2307
idmap config FOO:range = 1000-66000
Jay
On 04/15/2011 05:03 PM, Jay Coleman wrote:
> Hi,
>
> We recently updated our domain to 2008R2 servers from 2000.
>
> I know the services for unix changed from the proprietary setup in
> 2000 to rfc2307 compliant around 2003 R2
>
> I've updated samba to 3.5.4 (apparently most earlier versions don't
> play well with the changes in AD), and gotten things essentially
> working. The problem is users created since the old 2000 servers have
> been retired.
>
> Users with the old msSFU info in the schema work fine, users without
> that info fail.
>
> smb.conf:
> [global]
>
> workgroup = BLAH
> realm = BLAH.NOWHERE.COM
> password server = styx.blah.nowhere.com, aurora.blah.nowhere.com
> security = ADS
> netbios name = HECTOR
> local master = No
> domain master = No
> idmap backend = tdb
> idmap domains = BLAH
> idmap config BLAH:backend = ad
> idmap config BLAH:schema mode = rfc2307
> idmap config BLAH:range = 1000-100000
> inherit acls = Yes
> map acl inherit = Yes
> idmap uid = 1000 - 100000
> idmap gid = 1000 - 100000
> winbind separator = +
> winbind nss info = rfc2307 template
> winbind nested groups = Yes
> winbind use default domain = Yes
> winbind refresh tickets = Yes
> winbind enum users = No
> winbind enum groups = No
> winbind offline logon = true
> template shell = /bin/bash
> template homedir = /home/%U
>
> I've tried both sfu and rfc2307, no difference. I've tried enum users
> and groups both on and off, no difference.
>
> For an example, if I do a wbinfo -i on one of the older accounts (with
> both msSFU and rfc2307 info in the schema, confirmed by ldapsearch), I
> get correct response, no problem. When I do a wbinfo -i on a new
> account, I get
> [2011/04/15 18:52:44.737596, 1]
> winbindd/idmap_ad.c:651(idmap_ad_sids_to_unixids)
> Could not get unix ID
> in the winbindd-idmap log
>
> Oddly, on that same user I can't get wbinfo -i, if I do
> wbinfo -n name
> (SID)
> wbinfo -S (SID)
> it gives me the UID
>
> Ideas?
>
> Thanks
>
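As an added example (not part of this thread and not Samba's own code), here is a small Python check that parses the idmap lines of an smb.conf and reports whether any per-domain "idmap config DOM:range" overlaps the global "idmap uid" / "idmap gid" range, which is the condition behind the bug described above. It uses the Samba 3.5-era parameter names that appear in this thread; the two inputs BROKEN_CONF and FIXED_CONF are constructed from the idmap lines of the poster's failing and working configurations, and the function names are this example's own.

```python
import re
from typing import Dict, List, Optional, Tuple

Range = Tuple[int, int]

# Constructed sample input: the idmap lines of the poster's original (failing) smb.conf.
BROKEN_CONF = """\
[global]
idmap backend = tdb
idmap uid = 1000 - 100000
idmap gid = 1000 - 100000
idmap config BLAH:backend = ad
idmap config BLAH:schema mode = rfc2307
idmap config BLAH:range = 1000-100000
"""

# Constructed sample input: the idmap lines of the poster's working smb.conf.
FIXED_CONF = """\
[global]
idmap backend = tdb
idmap uid = 100000-165000
idmap gid = 100000-165000
idmap config FOO:backend = ad
idmap config FOO:default = yes
idmap config FOO:schema mode = rfc2307
idmap config FOO:range = 1000-66000
"""


def parse_global(conf: str) -> Dict[str, str]:
    """Return the [global] section as {key: value}.

    Only the first '=' separates key from value, so a key such as
    'idmap config BLAH:range' keeps its colon (a generic INI parser that
    also splits on ':' would mangle it). Whitespace inside keys is
    collapsed; case is preserved and compared case-insensitively below.
    """
    section: Optional[str] = None
    params: Dict[str, str] = {}
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip().lower()
            continue
        if section != "global" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        params[" ".join(key.split())] = value.strip()
    return params


def lookup(params: Dict[str, str], name: str) -> Optional[str]:
    """Case-insensitive parameter lookup (smb.conf keys are case-insensitive)."""
    for key, value in params.items():
        if key.lower() == name.lower():
            return value
    return None


def parse_range(text: str) -> Range:
    """Parse 'LOW-HIGH' (spaces around the dash allowed) into an inclusive range."""
    m = re.fullmatch(r"\s*(\d+)\s*-\s*(\d+)\s*", text)
    if not m:
        raise ValueError(f"not an idmap range: {text!r}")
    low, high = int(m.group(1)), int(m.group(2))
    if low > high:
        raise ValueError(f"range low bound exceeds high bound: {text!r}")
    return low, high


def ranges_overlap(a: Range, b: Range) -> bool:
    """Inclusive ranges overlap unless one lies entirely before the other."""
    return a[0] <= b[1] and b[0] <= a[1]


def check_idmap_ranges(conf: str) -> List[Tuple[str, str, Range, Range]]:
    """Report every 'idmap config DOM:range' that overlaps 'idmap uid' or 'idmap gid'.

    Returns (domain, default_parameter, default_range, domain_range) per overlap;
    an empty list means the default (tdb) and per-domain (ad) ranges are disjoint.
    """
    params = parse_global(conf)
    defaults = []
    for name in ("idmap uid", "idmap gid"):
        value = lookup(params, name)
        if value is not None:
            defaults.append((name, parse_range(value)))
    findings = []
    for key, value in params.items():
        m = re.fullmatch(r"idmap config ([^:\s]+)\s*:\s*range", key, re.IGNORECASE)
        if not m:
            continue
        domain_range = parse_range(value)
        for name, default_range in defaults:
            if ranges_overlap(default_range, domain_range):
                findings.append((m.group(1), name, default_range, domain_range))
    return findings


if __name__ == "__main__":
    for label, conf in (("original", BROKEN_CONF), ("fixed", FIXED_CONF)):
        problems = check_idmap_ranges(conf)
        if not problems:
            print(f"{label}: idmap ranges are disjoint")
        for domain, name, dflt, dom in problems:
            print(f"{label}: '{name}' {dflt} overlaps 'idmap config {domain}:range' {dom}")
```

Run it as a script to see the original configuration flagged on both the uid and gid ranges and the fixed one pass; point parse_global at a real smb.conf to check a live system before restarting winbindd. Ranges are treated as inclusive on both ends, so a tdb range starting at 100000 would still collide with an ad range ending at 100000.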