Hi,

I'm trying to get an Ubuntu 12.04 system's Samba (3.6.3) and Winbind to map userids and groups to the unix attributes in an AD 2008 server. I can see that when I perform an ldapsearch, I'm able to read the attributes, and for one of my accounts, the id should be 1001. However, when I run 'wbinfo -i <username>', I get back something like 920.

At one point, I was setting the idmap range to start at 900, but I've since removed that from my config, and restarted winbindd and smbd. I've also tried to 'net cache flush'.

I also see wbinfo -i <someuser> usually returns:

failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
Could not get info for user <someuser>

The relevant parts of my smb.conf are below. I've tried patching this together from various tuts and help pages. Any guidance would be very helpful.

thanks!
-Nick

[global]
workgroup = CORP
security = ADS
password server = 192.168.77.251
realm = CORP.MYCOMPANY.COM
allow trusted domains = yes
winbind use default domain = yes
winbind nested groups = YES
idmap config CORP : backend = tdb
idmap config CORP : default = yes
idmap config CORP : schema_mode = rfc2307
idmap config CORP : range = 1000 - 9999
idmap config * : backend = tdb
encrypt passwords = true
obey pam restrictions = yes
client use spnego = yes
client ntlmv2 auth = yes
encrypt passwords = true
restrict anonymous = 2
unix password sync = yes
winbind enum groups = yes
winbind enum users = yes
winbind nss info = rfc2307
Robert Freeman-Day
2012-Jul-10 14:26 UTC
[Samba] Can't get idmap connected to AD unix attribs
Nick,

I think what you may be looking for is the ad backend:

https://www.samba.org/samba/docs/man/manpages-3/idmap_ad.8.html

Since you are using tdb in your config, it is using a local database and allocates UID/GIDs on the fly...first come, first served. So a user may not get the same UID from one machine to the next.

Robert

On 07/10/2012 12:20 AM, Nick Triantos wrote:
> [...]

--
________

Robert Freeman-Day
https://launchpad.net/~presgas
GPG Public Key: http://keyserver.ubuntu.com:11371/pks/lookup?op=get&search=0xBA9DF9ED3E4C7D36
Thanks Robert. I've tried switching over to the AD back-end (which does sound like what I want), but I still receive only the errors:

failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND

I restarted both winbind and smbd after changing the config. Is there some cache I have to flush, or some other config that needs to be changed beyond the settings in smb.conf?

thanks again!
-Nick

My updated smb.conf:

workgroup = CORP
security = ADS
#password server = 192.168.77.251
realm = CORP.MYCOMPANY.COM
allow trusted domains = yes
winbind use default domain = yes
winbind nested groups = YES
idmap config CORP : backend = ad
idmap config CORP : default = yes
idmap config CORP : schema_mode = rfc2307
idmap config CORP : range = 800 - 99999

On Jul 10, 2012, at 7:27 AM, Robert Freeman-Day wrote:
> [...]
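The point Robert makes (the tdb backend hands out UIDs from a local database, so they never match the uidNumber stored in AD, whereas the ad backend reads the RFC2307 attribute but only for IDs inside the configured range) can be checked mechanically against an smb.conf before restarting winbindd. The POSIX shell script below is an added example written for this thread, not Samba code and not something either poster ran: it embeds two constructed smb.conf samples modelled on the configs quoted above, extracts the `idmap config DOMAIN : key` values with sed, and reports whether a uidNumber read from AD (1001 in the thread) would be honoured. The range and backend rules it models are the documented behaviour of idmap_ad and idmap_tdb; the parser itself is a simplified stand-in for Samba's own and ignores case and `include` directives.

```shell
#!/bin/sh
# Added example (not from the thread): sanity-check the idmap configuration of
# an smb.conf for one domain. A 'tdb' backend allocates UIDs locally, first come
# first served, so they cannot match AD's uidNumber; an 'ad' backend uses
# uidNumber but ignores users whose ID falls outside "idmap config DOM : range".

# Constructed sample modelled on the poster's first config (tdb backend).
CONF_TDB='[global]
workgroup = CORP
security = ADS
realm = CORP.MYCOMPANY.COM
idmap config CORP : backend = tdb
idmap config CORP : default = yes
idmap config CORP : schema_mode = rfc2307
idmap config CORP : range = 1000 - 9999
idmap config * : backend = tdb
winbind nss info = rfc2307'

# Constructed sample modelled on the updated config (ad backend).
CONF_AD='[global]
workgroup = CORP
security = ADS
realm = CORP.MYCOMPANY.COM
idmap config CORP : backend = ad
idmap config CORP : default = yes
idmap config CORP : schema_mode = rfc2307
idmap config CORP : range = 800 - 99999'

# idmap_param CONF DOMAIN KEY: print the value of "idmap config DOMAIN : KEY"
# (last occurrence wins, as with repeated smb.conf parameters). Empty if unset.
idmap_param() {
    dom=$2
    [ "$dom" = '*' ] && dom='\*'      # '*' is the catch-all domain; escape for sed
    printf '%s\n' "$1" |
        sed -n "s/^[[:space:]]*idmap config[[:space:]]*$dom[[:space:]]*:[[:space:]]*$3[[:space:]]*=[[:space:]]*//p" |
        tail -n 1 | sed 's/[[:space:]]*$//'
}

# idmap_backend CONF DOMAIN: backend for DOMAIN, falling back to the '*' entry
# and finally to tdb, Samba's default 'idmap backend' (assumed default).
idmap_backend() {
    b=$(idmap_param "$1" "$2" backend)
    [ -z "$b" ] && b=$(idmap_param "$1" '*' backend)
    [ -z "$b" ] && b=tdb
    printf '%s\n' "$b"
}

# uid_in_range CONF DOMAIN UID: succeed only if UID lies inside the range.
uid_in_range() {
    range=$(idmap_param "$1" "$2" range)
    low=$(printf '%s' "${range%%-*}" | tr -d '[:space:]')
    high=$(printf '%s' "${range##*-}" | tr -d '[:space:]')
    [ -n "$low" ] && [ -n "$high" ] && [ "$3" -ge "$low" ] && [ "$3" -le "$high" ]
}

# check_idmap CONF DOMAIN UID: print a verdict; exit 0 only when the backend
# will use the AD uidNumber and the range covers it.
check_idmap() {
    backend=$(idmap_backend "$1" "$2")
    case "$backend" in
        tdb)
            echo "backend=tdb: UIDs are allocated from a local tdb database, so uidNumber $3 from AD will not be used"
            return 1 ;;
        ad)
            if uid_in_range "$1" "$2" "$3"; then
                echo "backend=ad: uidNumber $3 is inside the configured range and will be used"
                return 0
            fi
            echo "backend=ad: uidNumber $3 is outside the configured range; winbind will not map this user"
            return 2 ;;
        *)
            echo "backend=$backend: not covered by this check"
            return 3 ;;
    esac
}

# Stand-alone run over the two constructed samples for uidNumber 1001.
echo "first config:";   check_idmap "$CONF_TDB" CORP 1001 || :
echo "updated config:"; check_idmap "$CONF_AD" CORP 1001 || :
```

Run it with `sh`, or replace the embedded samples with `CONF=$(cat /etc/samba/smb.conf)` to test a live file. The script says nothing about the WBC_ERR_DOMAIN_NOT_FOUND error in the thread: winbindd returns that when it cannot find a domain for the name being looked up, which is a question of the machine's join and its connection to the DC (checked separately with `net ads testjoin` and `wbinfo -t`) rather than of the idmap backend.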