Hi Kai, > I've looked at that file; it's empty. (Not a single entry.) I run my tests > with "winbindd -n -d 10 -D".
Try to add to your smb.conf: log level = 3 idmap:10 winbind:10 to force idmap Logging also to Debuglevel 10. > Note the disjoint ranges for each domain. I still get the same failures with > wbinfo S, U, G, and Y. It seems I'm still missing something, since our wbinfo > doesn't "resolve everything correctly". Is nsswitch.conf important, perhaps? > It doesn't seem to make any difference whether I add "winbind" to the passwd > and group lines or not. Is that expected? Did "net ads testjoin" and "net ads info" work? Nsswicth.conf is important! Should look like this: passwd: files winbind group: files winbind These winbind relevant seetings I have also in my config winbind nss info = rfc2307 template winbind normalize names = yes winbind use default domain = yes winbind offline logon = yes winbind cache time = 180 winbind enum users = yes winbind enum groups = yes winbind nested groups = yes winbind trusted domains only = no Cheers, Daniel Hi Daniel, On May 17, 2011, at 5:50 AM, Zabel, Daniel wrote: > Have a look at: > > log.winbindd-idmap I've looked at that file; it's empty. (Not a single entry.) I run my tests with "winbindd -n -d 10 -D". > Also have a look at: > https://bugzilla.samba.org/show_bug.cgi?id=6322 Now, this is interesting! The problem Edgar Holleis describes sounds exactly like the one I am facing. See my post to the Samba mailing list, "Winbindd can't convert between SIDs and uid/gid". Edgar said: > Winbind correctly resolves: > User-Name->SID (wbinfo -n), Group-Name->SID (wbinfo -s) > What doesn't work: > SID->UID (wbinfo -S), UID->SID (wbinfo -U), GID (wbinfo -Y), GID->UID > SID->(wbinfo -G) (Except, "wbinfo -s" is SID->User-name, the reverse of "wbinfo -n", not Group-Name->SID as Edgar wrote...) That's the same pattern of success and failure I get in my wbinfo tests. So, how does one go from Edgar's bug report, with 4 failing wbinfo queries, to your comment, "wbinfo resolves everything correctly"? I'm running samba-3.5.8 on OpenSolaris. Following Michael Adam's example, I tried the following in my smb.conf: idmap backend = tdb idmap uid = 50000 - 99999 idmap gid = 50000 - 99999 idmap config SU : backend = ad idmap config SU : schema_mode = rfc2307 idmap config SU : range = 10000 - 29999 idmap config WIN : backend = ad idmap config WIN : schema_mode = rfc2307 idmap config WIN : range = 30000 - 49999 Note the disjoint ranges for each domain. I still get the same failures with wbinfo S, U, G, and Y. It seems I'm still missing something, since our wbinfo doesn't "resolve everything correctly". Is nsswitch.conf important, perhaps? It doesn't seem to make any difference whether I add "winbind" to the passwd and group lines or not. Is that expected? > -----Ursprüngliche Nachricht----- > Von: samba-boun...@lists.samba.org > [mailto:samba-boun...@lists.samba.org > ] Im Auftrag von Kai Lanz > Gesendet: Dienstag, 17. Mai 2011 02:56 > An: samba@lists.samba.org > Betreff: [Samba] How can I confirm that idmap_ad is being used? > > > How can I confirm that idmap_ad is being called? > > I've configured Samba with --with-shared-modules=idmap_ad, built and > installed it; the file ad.so is now present in /usr/local/samba/lib/ > idmap/ as expected. I then added the following to smb.conf: > > idmap backend = tdb > idmap uid = 65536 - 999999 > idmap gid = 65536 - 999999 > > idmap config SU : backend = ad > idmap config SU : schema_mode = rfc2307 > idmap config SU : range = 1 - 65535 > idmap config WIN : backend = ad > idmap config WIN : schema_mode = rfc2307 > idmap config WIN : range = 1 - 65535 > > Now I fire up winbindd with debug-level = 10, and issue some queries > via wbinfo. Some requests work as expected, some fail, but when I look > in log.winbindd I never see any reference to idmap.c or idmap_ad.c. > I'd like to confirm that this module is being used. > > I went so far as to deliberately break the smb.conf by specifying > > idmap config SU range = 1 - > > which I expected to produce an error from idmap_ad_initialize(), > "invalid filter range". But that message is never logged; instead I > see only errors from winbindd_util.c, add_trusted_domain(): > > [2011/05/16 16:57:11.442318, 1] winbindd/winbindd_util.c: > 204(add_trusted_domain) > invalid range syntax in idmap config SU: 1 - > > Have I missed out on some crucial bit of configuration that's required > to enable idmap_ad? > > -- > Kai Lanz Stanford University School of Earth Sciences > > -- > To unsubscribe from this list go to the following URL and read the > instructions: https://lists.samba.org/mailman/options/samba -- Kai Lanz -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba