Hi,
I successfully set up an AD DC, and now I want to join a file server as a
member of this domain.
I followed this tutorial:
https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server
All works fine: my server joins my AD without problem, samba starts fine,
and winbind too. But when I look at my domain users, the uid/gid
returned by winbind are in the TDB range instead of the AD range.
This is my smb.conf:
[global]
netbios name = filzen
workgroup = SAMDOM
security = ADS
realm = SAMDOM.FR
encrypt passwords = yes
log level = 10
template homedir = /home/%U
template shell = /bin/bash
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes
idmap config SAMDOM:backend = ad
idmap config SAMDOM:range = 20001-70000
idmap config SAMDOM:default = yes
idmap config *:backend = tdb
idmap config *:range = 70001-80000
If I type:
# wbinfo -i administrator
I get:
administrator:*:70001:70001::/home/administrator:/bin/bash
If I create a user (foo) and try to obtain his information:
# wbinfo -i foo
I get:
foo:*:70002:70001::/home/foo:/bin/bash
Why doesn't winbind use the AD range instead of the TDB range? And even if I
must use the TDB range, is there a certainty that these uid/gid are the same
across all members?
Another clue: if I use SAMDOM:backend = rid, the users receive a uid/gid
in the SAMDOM range and not in the TDB range (maybe a bug in the ad backend?)
Thanks for any answers
Regards,
Bruno.
--
Bruno MACADRE
-------------------------------------------------------------------
Ingénieur Systèmes et Réseau | Systems and Network Engineer
Département Informatique | Department of computer science
Responsable Info SER | SER IT Manager
Université de Rouen | University of Rouen
-------------------------------------------------------------------
Coordonnées / Contact :
Université de Rouen
Faculté des Sciences et Techniques - Madrillet
Avenue de l'Université
CS 70012
76801 St Etienne du Rouvray CEDEX
FRANCE
Tél : +33 (0)2-32-95-51-86
Mob : +33 (0)6-74-71-45-64
-------------------------------------------------------------------
I am having this EXACT same issue right now on a production domain. You need to check your winbind idmap log. On my systems this is "/var/log/samba/log.winbindd-idmap". See if you have these errors also.

[2014/08/06 00:18:06.337996, 3] ../source3/winbindd/idmap.c:235(idmap_init_domain)
  Could not probe idmap module ad
[2014/08/06 00:18:06.345631, 3] ../source3/winbindd/idmap.c:230(idmap_init_domain)
  idmap backend ad not found
[2014/08/06 00:18:06.346979, 3] ../source3/winbindd/idmap.c:235(idmap_init_domain)
  Could not probe idmap module ad
[2014/08/06 00:18:06.361724, 3] ../source3/winbindd/idmap.c:230(idmap_init_domain)
  idmap backend ad not found
[2014/08/06 00:18:06.363064, 3] ../source3/winbindd/idmap.c:235(idmap_init_domain)
  Could not probe idmap module ad
[2014/08/06 12:42:28.991266, 3] ../source3/winbindd/idmap.c:230(idmap_init_domain)
  idmap backend ad not found
[2014/08/06 12:42:28.992717, 3] ../source3/winbindd/idmap.c:235(idmap_init_domain)
  Could not probe idmap module ad
[2014/08/06 13:44:13.408318, 0] ../source3/winbindd/winbindd.c:234(winbindd_sig_term_handler)

It appears to me that the AD backend is missing, but I compiled this from source and maybe there is something I did wrong. If you have the same errors maybe we can either discover a bug or a solution.

On 08/11/2014 10:21 AM, Bruno MACADRE wrote:
> Hi,
>
> I successfully set up an AD DC, and now I want to join a file server
> as a member of this domain.
>
> I followed this tutorial:
> https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server
>
> All works fine: my server joins my AD without problem, samba starts
> fine, and winbind too. But when I look at my domain users, the uid/gid
> returned by winbind are in the TDB range instead of the AD range.
>
> This is my smb.conf:
> [global]
>
> netbios name = filzen
> workgroup = SAMDOM
> security = ADS
> realm = SAMDOM.FR
> encrypt passwords = yes
>
> log level = 10
>
> template homedir = /home/%U
> template shell = /bin/bash
>
> winbind use default domain = yes
> winbind enum users = yes
> winbind enum groups = yes
>
> idmap config SAMDOM:backend = ad
> idmap config SAMDOM:range = 20001-70000
> idmap config SAMDOM:default = yes
> idmap config *:backend = tdb
> idmap config *:range = 70001-80000
>
> If I type:
> # wbinfo -i administrator
>
> I get:
> administrator:*:70001:70001::/home/administrator:/bin/bash
>
> If I create a user (foo) and try to obtain his information:
> # wbinfo -i foo
>
> I get:
> foo:*:70002:70001::/home/foo:/bin/bash
>
> Why doesn't winbind use the AD range instead of the TDB range? And even if I
> must use the TDB range, is there a certainty that these uid/gid are the same
> across all members?
>
> Another clue: if I use SAMDOM:backend = rid, the users receive a
> uid/gid in the SAMDOM range and not in the TDB range (maybe a bug in the ad
> backend?)
>
> Thanks for any answers
> Regards,
> Bruno.
>
I forgot to tell you, if you are pulling from the TDB range, your ID numbers will NOT be the same across member servers. That is what I have been working on for a month now. I have two member servers and they keep pulling from the TDB range, causing a user to have an ID of 70001 on one member server but 70004 on the other. Both servers claim they cannot probe the idmap ad module.

On 08/11/2014 10:21 AM, Bruno MACADRE wrote:
> Hi,
>
> I successfully set up an AD DC, and now I want to join a file server
> as a member of this domain.
>
> I followed this tutorial:
> https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server
>
> All works fine: my server joins my AD without problem, samba starts
> fine, and winbind too. But when I look at my domain users, the uid/gid
> returned by winbind are in the TDB range instead of the AD range.
>
> This is my smb.conf:
> [global]
>
> netbios name = filzen
> workgroup = SAMDOM
> security = ADS
> realm = SAMDOM.FR
> encrypt passwords = yes
>
> log level = 10
>
> template homedir = /home/%U
> template shell = /bin/bash
>
> winbind use default domain = yes
> winbind enum users = yes
> winbind enum groups = yes
>
> idmap config SAMDOM:backend = ad
> idmap config SAMDOM:range = 20001-70000
> idmap config SAMDOM:default = yes
> idmap config *:backend = tdb
> idmap config *:range = 70001-80000
>
> If I type:
> # wbinfo -i administrator
>
> I get:
> administrator:*:70001:70001::/home/administrator:/bin/bash
>
> If I create a user (foo) and try to obtain his information:
> # wbinfo -i foo
>
> I get:
> foo:*:70002:70001::/home/foo:/bin/bash
>
> Why doesn't winbind use the AD range instead of the TDB range? And even if I
> must use the TDB range, is there a certainty that these uid/gid are the same
> across all members?
>
> Another clue: if I use SAMDOM:backend = rid, the users receive a
> uid/gid in the SAMDOM range and not in the TDB range (maybe a bug in the ad
> backend?)
>
> Thanks for any answers
> Regards,
> Bruno.
>
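
A check for the symptom discussed in this thread, as an added example that is not part of any poster's message: it parses the idmap config lines, reports users whose uid fell outside the SAMDOM range, and lists idmap backends the log says could not be loaded. The function names and the sample strings are constructed for illustration; on a real member server the inputs would come from smb.conf, wbinfo -i, and log.winbindd-idmap.

```python
import re

# Constructed samples shaped like the config, wbinfo output and log in the thread.
SMB_CONF = """\
idmap config SAMDOM:backend = ad
idmap config SAMDOM:range = 20001-70000
idmap config *:backend = tdb
idmap config *:range = 70001-80000
"""
WBINFO = ["administrator:*:70001:70001::/home/administrator:/bin/bash",
          "foo:*:70002:70001::/home/foo:/bin/bash"]
IDMAP_LOG = """\
[2014/08/06 00:18:06.337996, 3] ../source3/winbindd/idmap.c:235(idmap_init_domain)
  Could not probe idmap module ad
[2014/08/06 00:18:06.345631, 3] ../source3/winbindd/idmap.c:230(idmap_init_domain)
  idmap backend ad not found
"""

def parse_idmap(conf):
    """Return {domain: {'backend': str, 'range': (lo, hi)}} from smb.conf text."""
    out = {}
    pat = r"^\s*idmap config\s+([^:\s]+)\s*:\s*(\w+)\s*=\s*(.+?)\s*$"
    for dom, key, val in re.findall(pat, conf, re.M):
        if key == "range":
            val = tuple(int(n) for n in val.split("-"))
        out.setdefault(dom, {})[key] = val
    return out

def owning_domain(uid, idmap):
    """Name of the idmap domain whose range contains uid, or None."""
    for dom, cfg in idmap.items():
        lo, hi = cfg.get("range", (1, 0))  # (1, 0) is an empty range
        if lo <= uid <= hi:
            return dom
    return None

def misallocated(passwd_lines, idmap, domain):
    """(user, uid, range it fell in) for users whose uid is outside `domain`'s range."""
    rows = [(f[0], int(f[2])) for f in (l.split(":") for l in passwd_lines)]
    return [(u, uid, owning_domain(uid, idmap)) for u, uid in rows
            if owning_domain(uid, idmap) != domain]

def missing_backends(log_text):
    """idmap backends that winbindd logged as not loadable."""
    pat = r"idmap backend (\S+) not found|Could not probe idmap module (\S+)"
    return sorted({a or b for a, b in re.findall(pat, log_text)})

if __name__ == "__main__":
    print(misallocated(WBINFO, parse_idmap(SMB_CONF), "SAMDOM"), missing_backends(IDMAP_LOG))
```

Running the same check on every member server and comparing the reported uids shows whether file ownership will resolve to the same account on each of them.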