Hi Kai,

> I've looked at that file; it's empty. (Not a single entry.) I run my tests 
> with "winbindd -n -d 10 -D".

Try adding this to your smb.conf:

log level = 3 idmap:10 winbind:10

to force idmap logging to debug level 10 as well.

> Note the disjoint ranges for each domain. I still get the same failures with 
> wbinfo S, U, G, and Y. It seems I'm still missing something, since our wbinfo 
> doesn't "resolve everything correctly". Is nsswitch.conf important, perhaps? 
> It doesn't seem to make any difference whether I add "winbind" to the passwd 
> and group lines or not. Is that expected?

Did "net ads testjoin" and "net ads info" work?

Nsswitch.conf is important!

Should look like this:

passwd:    files winbind
group:     files  winbind

I also have these winbind-relevant settings in my config:

        winbind nss info = rfc2307 template
        winbind normalize names = yes
        winbind use default domain = yes
        winbind offline logon = yes
        winbind cache time = 180
        winbind enum users = yes
        winbind enum groups = yes
        winbind nested groups = yes
        winbind trusted domains only = no

Cheers,

Daniel

Hi Daniel,

On May 17, 2011, at 5:50 AM, Zabel, Daniel wrote:

> Have a look at:
>
> log.winbindd-idmap

I've looked at that file; it's empty. (Not a single entry.) I run my tests with 
"winbindd -n -d 10 -D".

> Also have a look at:
> https://bugzilla.samba.org/show_bug.cgi?id=6322

Now, this is interesting! The problem Edgar Holleis describes sounds exactly 
like the one I am facing. See my post to the Samba mailing list, "Winbindd 
can't convert between SIDs and uid/gid". Edgar said:
> Winbind correctly resolves:
> User-Name->SID (wbinfo -n), Group-Name->SID (wbinfo -s)
> What doesn't work:
> SID->UID (wbinfo -S), UID->SID (wbinfo -U), GID (wbinfo -Y), GID->UID 
> SID->(wbinfo -G)
(Except, "wbinfo -s" is SID->User-name, the reverse of "wbinfo -n", not 
Group-Name->SID as Edgar wrote...) That's the same pattern of success and 
failure I get in my wbinfo tests.

So, how does one go from Edgar's bug report, with 4 failing wbinfo queries, to 
your comment, "wbinfo resolves everything correctly"? I'm running samba-3.5.8 
on OpenSolaris.  
Following Michael Adam's example, I tried the following in my smb.conf:

    idmap backend = tdb
    idmap uid = 50000 - 99999
    idmap gid = 50000 - 99999

    idmap config SU : backend = ad
    idmap config SU : schema_mode = rfc2307
    idmap config SU : range = 10000 - 29999
    idmap config WIN : backend = ad
    idmap config WIN : schema_mode = rfc2307
    idmap config WIN : range = 30000 - 49999

Note the disjoint ranges for each domain. I still get the same failures with 
wbinfo S, U, G, and Y. It seems I'm still missing something, since our wbinfo 
doesn't "resolve everything correctly". Is nsswitch.conf important, perhaps? It 
doesn't seem to make any difference whether I add "winbind" to the passwd and 
group lines or not. Is that expected?

> -----Original Message-----
> From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On Behalf Of Kai Lanz
> Sent: Tuesday, 17 May 2011 02:56
> To: samba@lists.samba.org
> Subject: [Samba] How can I confirm that idmap_ad is being used?
>
>
> How can I confirm that idmap_ad is being called?
>
> I've configured Samba with --with-shared-modules=idmap_ad, built and 
> installed it; the file ad.so is now present in /usr/local/samba/lib/idmap/ 
> as expected. I then added the following to smb.conf:
>
>    idmap backend = tdb
>    idmap uid = 65536 - 999999
>    idmap gid = 65536 - 999999
>
>    idmap config SU : backend = ad
>    idmap config SU : schema_mode = rfc2307
>    idmap config SU : range = 1 - 65535
>    idmap config WIN : backend = ad
>    idmap config WIN : schema_mode = rfc2307
>    idmap config WIN : range = 1 - 65535
>
> Now I fire up winbindd with debug-level = 10, and issue some queries 
> via wbinfo. Some requests work as expected, some fail, but when I look 
> in log.winbindd I never see any reference to idmap.c or idmap_ad.c. 
> I'd like to confirm that this module is being used.
>
> I went so far as to deliberately break the smb.conf by specifying
>
>    idmap config SU range = 1 -
>
> which I expected to produce an error from idmap_ad_initialize(), 
> "invalid filter range". But that message is never logged; instead I 
> see only errors from winbindd_util.c, add_trusted_domain():
>
> [2011/05/16 16:57:11.442318,  1] winbindd/winbindd_util.c:204(add_trusted_domain)
>   invalid range syntax in idmap config SU: 1 -
>
> Have I missed out on some crucial bit of configuration that's required 
> to enable idmap_ad?
>
> -- 
> Kai Lanz      Stanford University      School of Earth Sciences
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba

--
Kai Lanz
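
Added example, not part of the original thread and not Samba code: a small checker for the two properties discussed above, the range syntax (the "1 -" case) and whether the per-domain idmap ranges are disjoint. The function name `check_idmap_ranges` and the simplified line parsing are assumptions; it reads only `idmap uid`, `idmap gid` and `idmap config DOMAIN : range` lines.

```python
import re

# Constructed sample: the range lines from the first configuration quoted in
# the thread, where SU and WIN were given the same range.
SAMPLE = """
idmap backend = tdb
idmap uid = 65536 - 999999
idmap gid = 65536 - 999999
idmap config SU : backend = ad
idmap config SU : range = 1 - 65535
idmap config WIN : backend = ad
idmap config WIN : range = 1 - 65535
"""

DOMAIN_RANGE = re.compile(r"^\s*idmap config\s+(\S+)\s*:\s*range\s*=\s*(.*)$", re.I)
DEFAULT_RANGE = re.compile(r"^\s*idmap (uid|gid)\s*=\s*(.*)$", re.I)
RANGE_VALUE = re.compile(r"^(\d+)\s*-\s*(\d+)$")

def check_idmap_ranges(conf_text):
    """Return (ranges, problems) for the idmap range lines in conf_text."""
    ranges, problems = {}, []
    for line in conf_text.splitlines():
        m = DOMAIN_RANGE.match(line)
        name = m.group(1) if m else None
        if not m:
            m = DEFAULT_RANGE.match(line)
            name = "default " + m.group(1).lower() if m else None
        if not m:
            continue  # not a range line
        value = RANGE_VALUE.match(m.group(2).strip())
        if not value:
            problems.append(f"{name}: invalid range syntax: {m.group(2).strip()!r}")
            continue
        low, high = int(value.group(1)), int(value.group(2))
        if low > high:
            problems.append(f"{name}: low bound {low} exceeds high bound {high}")
            continue
        ranges[name] = (low, high)
    names = sorted(ranges)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            # default uid and default gid are separate ID spaces; they may match
            if a.startswith("default") and b.startswith("default"):
                continue
            if ranges[a][0] <= ranges[b][1] and ranges[b][0] <= ranges[a][1]:
                problems.append(f"{a} overlaps {b}: {ranges[a]} vs {ranges[b]}")
    return ranges, problems

if __name__ == "__main__":
    for problem in check_idmap_ranges(SAMPLE)[1]:
        print(problem)
```
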
