samba - Aug 2014 - Samba4 and idmap_ad

Hello everyone,

I have a - maybe only cosmetical - problem. I am currently configuring two SLES
servers running Samba4 as member servers in a Windows2008/2012-AD. (Yeah, poor
us!) Everything went fine: installing the samba packages, getting Kerberos
running, and joining the AD. But when I use id or wbinfo now to get user
information I get lots of groups which cannot be mapped a GID and thus are
displayed as -1 or 4294967295:

id DOMAIN\\USER
uid=3611(DOMAIN\\USER) gid=3000(DOMAIN\\PRIMARYGROUP)
groups=3000(DOMAIN\\PRIMARYGROUP),3001(DOMAIN\\OTHERGROUP),4294967295,4294967295,4294967295,4294967295,4294967295,4294967295,4294967295,4294967295,4294967295,4294967295,4294967295,4294967295,4294967295,2(daemon)

wbinfo -r DOMAIN\\USER
3000
3001
-1
-1
-1
-1
-1
-1
-1
-1
-1
-1
-1
-1
-1
2

On another server running Samba3 only the two groups with GID 3000 and 3001 are
shown.

Here are excerpts from my smb.conf:

[global]
        realm = OUR.DOMAIN.NAME
        workgroup = DOMAIN
        security = ads
        idmap config *:backend = tdb
        idmap config *:range = 100000-199999
        idmap config NTKRZ:backend = ad
        idmap config NTKRZ:schema_mode = rfc2307
        idmap config NTKRZ:range = 1000-19999
        winbind nss info = rfc2307
        winbind trusted domains only = No
        winbind enum users = Yes
        winbind enum groups = Yes
        winbind use default domain = No
        winbind nested groups = Yes
        winbind refresh tickets = Yes
        winbind offline logon = No

Any ideas anyone?

Thanks in advance and greetings from Germany
 Andreas

On Tue, 2014-08-12 at 07:35 +0000, Ollenburg, Andreas (KRZ)
wrote:
> 
> Error verifying signature: parse
> error
> Hello everyone,
> 
> I have a - maybe only cosmetical - problem. I am currently configuring two
SLES servers running Samba4 as member servers in a Windows2008/2012-AD. (Yeah,
poor us!) Everything went fine: installing the samba packages, getting Kerberos
running, and joining the AD. But when I use id or wbinfo now to get user
information I get lots of groups which cannot be mapped a GID and thus are
displayed as -1 or 4294967295:
> 
> id DOMAIN\\USER
> uid=3611(DOMAIN\\USER) gid=3000(DOMAIN\\PRIMARYGROUP)
groups=3000(DOMAIN\\PRIMARYGROUP),3001(DOMAIN\\OTHERGROUP),4294967295,4294967295,4294967295,4294967295,4294967295,4294967295,4294967295,4294967295,4294967295,4294967295,4294967295,4294967295,4294967295,2(daemon)
> 
> wbinfo -r DOMAIN\\USER
> 3000
> 3001
> -1
> -1
> -1
> -1
> -1
> -1
> -1
> -1
> -1
> -1
> -1
> -1
> -1
> 2
> 
> On another server running Samba3 only the two groups with GID 3000 and 3001
are shown.
> 
> Here are excerpts from my smb.conf:
> 
> [global]
>         realm = OUR.DOMAIN.NAME
>         workgroup = DOMAIN
>         security = ads
>         idmap config *:backend = tdb
>         idmap config *:range = 100000-199999
>         idmap config NTKRZ:backend = ad
>         idmap config NTKRZ:schema_mode = rfc2307
>         idmap config NTKRZ:range = 1000-19999
>         winbind nss info = rfc2307
>         winbind trusted domains only = No
>         winbind enum users = Yes
>         winbind enum groups = Yes
>         winbind use default domain = No
>         winbind nested groups = Yes
>         winbind refresh tickets = Yes
>         winbind offline logon = No
> 
> Any ideas anyone?
> 
> Thanks in advance and greetings from Germany
>  Andreas
> 
> 
> 
> --NetatworkMailGateway_e25c4c1f-d9a4-4579-a903-bab2520e63c3--
Yeah, don't we know the feeling. The winbind from openSUSE 13.1 is a
little better and if you're not tied to the contract stranglehold,
building from clean samba source would allow you to dust away the
cobwebs and breath fresh air once again.

If you're under contract, please do share (off list) your experiences
when you call support;)
Cheers,
Steve