samba - Oct 2014 - idmap weirdness - wildcard values being used instead of rfc2307 AD values

I've done a lot of research on this and haven't been able to solve the
problem.  Hopefully someone here has a better understanding of this than I
do.

The problem is that the UIDs and GIDs are not being fetched from AD.  For
example "getent passwd doug" returns:

doug:*:70003:70005:Doug Meredith:/home/DSTRC/doug:/bin/false

My full name has correctly been pulled from AD but the UID specified in AD
is 20001 and the group is 10000.  The values shown above are obviously
coming from the wildcard idmap specified in my smb.conf, but I'm at a loss
as to why.  This occurs for all users and all groups.

Platform is FreeBSD 10 and I'm using Samba 4.1.13.   Full smb.conf is
bellow.  Any help would be very much appreciated.

[global]
   workgroup = DSTRC
   security = ADS
   realm = DSTRC.ORG
   encrypt passwords = yes

   idmap config *:backend = tdb
   idmap config *:range = 70001-80000
   idmap config DSTRC:backend = ad
   idmap config DSTRC:schema_mode = rfc2307
   idmap config DSTRC:range = 500-40000

   winbind nss info = rfc2307
   winbind trusted domains only = no
   winbind use default domain = yes
   winbind enum users  = yes
   winbind enum groups = yes

   vfs objects = zfsacl
   map acl inherit = Yes
   store dos attributes = Yes

   printcap name = /dev/null
   load printers = no
   disable spoolss = yes
   printing = bsd

[media]]
   path = /pool1/media
   comment = Movies, TV and music
   read only = no

Doug Meredith schrieb am 30.10.2014 12:29:
> "getent passwd doug" returns:
> 
> doug:*:70003:70005:Doug Meredith:/home/DSTRC/doug:/bin/false
I presume this is "getent passwd" on the member server... 
Does "getent passwd" on the DC work in the right manner?
 
> Platform is FreeBSD 10 and I'm using Samba 4.1.13.   Full smb.conf is
> bellow.  
This configuration looks OK. 
Is the nsswitch.conf also OK? 
Does wbinfo -p/u/g work?
Kerberos kinit/klist OK?
Furthermore the smb.conf on the DC: ist rfc2307 working?
Do You see the rfc2307 fake yp_server in ldb (as described in the wiki)? 

There are still a lot of questions open...

On 30/10/14 11:29, Doug Meredith wrote:
> I've done a lot of research on this and haven't been able to solve
the
> problem.  Hopefully someone here has a better understanding of this than I
> do.
>
> The problem is that the UIDs and GIDs are not being fetched from AD.  For
> example "getent passwd doug" returns:
>
> doug:*:70003:70005:Doug Meredith:/home/DSTRC/doug:/bin/false
>
> My full name has correctly been pulled from AD but the UID specified in AD
> is 20001 and the group is 10000.
Is the computer joined to the domain ? what is the AD DC ? any chance of 
seeing the users entry in AD ? smb.conf appears OK except that what is 
being pulled from AD doesn't seem to include the users unixHomeDirectory 
& loginShell. I wonder if you are mistaking the 'uid' attribute for
the
'uidNumber' attribute ?

Rowland
> The values shown above are obviously
> coming from the wildcard idmap specified in my smb.conf, but I'm at a
loss
> as to why.  This occurs for all users and all groups.
>
> Platform is FreeBSD 10 and I'm using Samba 4.1.13.   Full smb.conf is
> bellow.  Any help would be very much appreciated.
>
> [global]
>     workgroup = DSTRC
>     security = ADS
>     realm = DSTRC.ORG
>     encrypt passwords = yes
>
>     idmap config *:backend = tdb
>     idmap config *:range = 70001-80000
>     idmap config DSTRC:backend = ad
>     idmap config DSTRC:schema_mode = rfc2307
>     idmap config DSTRC:range = 500-40000
>
>     winbind nss info = rfc2307
>     winbind trusted domains only = no
>     winbind use default domain = yes
>     winbind enum users  = yes
>     winbind enum groups = yes
>
>     vfs objects = zfsacl
>     map acl inherit = Yes
>     store dos attributes = Yes
>
>     printcap name = /dev/null
>     load printers = no
>     disable spoolss = yes
>     printing = bsd
>
> [media]]
>     path = /pool1/media
>     comment = Movies, TV and music
>     read only = no