It turns out that setting idmap config * : ad was the cause of my failures. For some reason, that backend is not compiled into the Ubuntu packages (or at least, when I ran with debug = 3 for winbind, I saw that the backend 'ad' was failing to load).

It does seem, from my very non-scientific study of the list over the past few days, that a large number of questions seem to be focused on connecting samba with AD. Hopefully this can be made more rock-solid in the future.

regards,
-Nick

On Jul 11, 2012, at 10:50 AM, Rowland Penny wrote:

> On 11/07/12 17:38, Nick Triantos wrote:
>> Hi Rowland,
>>
>> Yes, I've added their unix attributes.
>>
>> It looks like there is a long-open bug in winbind/samba 3.6.x that may be
>> causing the error below (https://bugzilla.samba.org/show_bug.cgi?id=8676).
>> I'm now stuck behind that so I'm trying to downgrade to 3.5.x.
>>
>> regards,
>> -Nick
>>
>> On Jul 11, 2012, at 7:05 AM, Rowland Penny wrote:
>>
>>> On 11/07/12 01:57, Nick Triantos wrote:
>>>> Thanks Robert.
>>>>
>>>> I've tried switching over to the AD back-end (which does sound like what I
>>>> want), but I still receive only the errors:
>>>> failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
>>>>
>>>> I restarted both winbind and smbd after changing the config. Is there some
>>>> cache I have to flush, or some other config that needs to be changed
>>>> beyond the settings in smb.conf?
>>>>
>>>> thanks again!
>>>> -Nick
>>>>
>>>> My updated smb.conf:
>>>>
>>>> workgroup = CORP
>>>> security = ADS
>>>> #password server = 192.168.77.251
>>>> realm = CORP.MYCOMPANY.COM
>>>> allow trusted domains = yes
>>>> winbind use default domain = yes
>>>> winbind nested groups = YES
>>>> idmap config CORP : backend = ad
>>>> idmap config CORP : default = yes
>>>> idmap config CORP : schema_mode = rfc2307
>>>> idmap config CORP : range = 800 - 99999
>>>>
>>>>
>>>> On Jul 10, 2012, at 7:27 AM, Robert Freeman-Day wrote:
>>>>
>>>>> Nick,
>>>>>
>>>>> I think what you may be looking for is the ad backend:
>>>>>
>>>>> https://www.samba.org/samba/docs/man/manpages-3/idmap_ad.8.html
>>>>>
>>>>> Since you are using tdb in your config, it is using a local database
>>>>> and allocates UID/GIDs on the fly...first come, first served. So a
>>>>> user may not get the same UID from one machine to the next.
>>>>>
>>>>> Robert
>>>>>
>>>>> On 07/10/2012 12:20 AM, Nick Triantos wrote:
>>>>>> Hi,
>>>>>>
>>>>>> I'm trying to get an Ubuntu 12.04 system's Samba (3.6.3) and
>>>>>> Winbind to map userids and groups to the unix attributes in an AD
>>>>>> 2008 server. I can see that when I perform an ldapsearch, I'm able
>>>>>> to read the attributes, and for one of my accounts, the id should
>>>>>> be 1001. However, when I run 'wbinfo -i <username>', I get back
>>>>>> something like 920.
>>>>>>
>>>>>> At one point, I was setting the idmap range to start at 900, but
>>>>>> I've since removed that from my config, and restarted winbindd and
>>>>>> smbd. I've also tried to 'net cache flush'.
>>>>>>
>>>>>> I also see wbinfo -i <someuser> usually returns: failed to call
>>>>>> wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND Could not get info for user
>>>>>> <someuser>
>>>>>>
>>>>>> The relevant parts of my smb.conf are below. I've tried patching
>>>>>> this together from various tuts and help pages. Any guidance would
>>>>>> be very helpful.
>>>>>>
>>>>>> thanks!
>>>>>> -Nick
>>>>>>
>>>>>> [global]
>>>>>> workgroup = CORP
>>>>>> security = ADS
>>>>>> password server = 192.168.77.251
>>>>>> realm = CORP.MYCOMPANY.COM
>>>>>> allow trusted domains = yes
>>>>>> winbind use default domain = yes
>>>>>> winbind nested groups = YES
>>>>>> idmap config CORP : backend = tdb
>>>>>> idmap config CORP : default = yes
>>>>>> idmap config CORP : schema_mode = rfc2307
>>>>>> idmap config CORP : range = 1000 - 9999
>>>>>> idmap config * : backend = tdb
>>>>>> encrypt passwords = true
>>>>>> obey pam restrictions = yes
>>>>>> client use spnego = yes
>>>>>> client ntlmv2 auth = yes
>>>>>> encrypt passwords = true
>>>>>> restrict anonymous = 2
>>>>>> unix password sync = yes
>>>>>> winbind enum groups = yes
>>>>>> winbind enum users = yes
>>>>>> winbind nss info = rfc2307
>>>>>>
>>>>>>
>>>>> --
>>>>> ________
>>>>>
>>>>> Robert Freeman-Day
>>>>>
>>>>> https://launchpad.net/~presgas
>>>>> GPG Public Key:
>>>>> http://keyserver.ubuntu.com:11371/pks/lookup?op=get&search=0xBA9DF9ED3E4C7D36
>>>>>
>>> Hi, just a thought, have you added the RFC2307 uid/gid values to your users
>>> on the AD server? If you haven't, there will be nothing to find and it may
>>> throw the error that you are getting.
>>>
>>> Rowland
>>>
>>>
>>> --
>>> This message has been scanned for viruses and
>>> dangerous content by MailScanner, and is
>>> believed to be clean.
>>>
>>> --
>>> To unsubscribe from this list go to the following URL and read the
>>> instructions: https://lists.samba.org/mailman/options/samba
>>
>>
>
> I am playing about with this on a Xubuntu 12.04 client against a Samba4
> server (Ubuntu 12.04 server) and it seems to be working for me (mostly).
>
> I have:
> winbind enum users = Yes
> winbind enum groups = Yes
> winbind use default domain = Yes
> winbind nss info = rfc2307
> winbind refresh tickets = Yes
> winbind normalize names = Yes
> idmap config HOME:schema_mode = rfc2307
> idmap config HOME:range = 210000-3100000
> idmap config HOME:backend = ad
> idmap config * : range = 210000-3100000
> idmap config * : backend = tdb
>
> in /etc/samba/smb.conf
>
> wbinfo -u returns all AD users
> wbinfo -g returns all AD groups
> getent passwd returns all local & AD unixusers
> getent group returns local users but no AD unixusers, but
> getent group linuxusers returns the AD info for the unix group
>
> Hope this helps.
>
> Rowland
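The thread turns on a handful of idmap settings: which backend serves the default `*` domain, whether the `schema_mode` option is actually honoured by the backend in use, and where the ranges sit relative to each other and to local accounts. The following is an added example, written for this page and not code from the thread or from the Samba project: a static lint for the `idmap config` lines of an smb.conf, checked against an `/etc/passwd`-format account list. It flags a read-only backend (`ad`, `rfc2307`, `nss`) on the `*` domain, because those backends only read IDs that already exist in the directory while the default domain must be able to allocate IDs for BUILTIN and other non-domain SIDs; `schema_mode` set on a non-`ad` backend, which is the tdb situation Robert describes; ranges that overlap, which Samba's idmap documentation forbids; and local UIDs that fall inside an idmap range, which is the kind of clash the 1001-versus-920 question is about. The sample passwd and the two sample configs are constructed for the example (modelled on, not copied from, the configs in the thread), and `check_idmap` looks only at `idmap config` lines; it does not replace `testparm`, which remains the authoritative syntax check.

```python
"""Lint winbind idmap settings in smb.conf against the local account table.
Added example, not Samba project code: flags a read-only backend ('ad',
'rfc2307', 'nss') on the default '*' domain, idmap_ad-only options on other
backends, missing, malformed or overlapping ranges, and /etc/passwd UIDs
that sit inside an idmap range."""
import re
from collections import namedtuple

Finding = namedtuple("Finding", "code domain detail")
# These backends only look up IDs that already exist; the '*' domain must be
# able to allocate IDs for BUILTIN and other non-domain SIDs (tdb, autorid).
READ_ONLY_BACKENDS = {"ad", "rfc2307", "nss"}
IDMAP_RE = re.compile(r"^idmap\s+config\s+(.+?)\s*:\s*(\w+)\s*=\s*(.*?)$", re.I)
RANGE_RE = re.compile(r"^(\d+)\s*-\s*(\d+)$")

def parse_idmap(conf):
    """{DOMAIN: {option: value}} from every 'idmap config' line; 'HOME:range'
    and 'HOME : range' are the same key; '#'/';' lines are comments."""
    domains = {}
    for raw in conf.splitlines():
        line = raw.strip()
        m = IDMAP_RE.match(line) if line and line[0] not in "#;" else None
        if m:
            dom, opt, val = m.group(1).strip().upper(), m.group(2).lower(), m.group(3).strip()
            domains.setdefault(dom, {})[opt] = val
    return domains

def parse_range(val):
    """'800 - 99999' -> (800, 99999); None when malformed or reversed."""
    m = RANGE_RE.match(val)
    if not m:
        return None
    lo, hi = int(m.group(1)), int(m.group(2))
    return (lo, hi) if lo <= hi else None

def local_uids(passwd_text):
    """UIDs of local accounts from /etc/passwd-format text."""
    return {int(f[2]) for f in (ln.split(":") for ln in passwd_text.splitlines())
            if len(f) >= 3 and f[2].isdigit()}

def check_idmap(conf, passwd_text=""):
    """Return a list of Finding(code, domain, detail) for the config text."""
    domains, uids, findings, ranges = parse_idmap(conf), local_uids(passwd_text), [], {}
    if "*" not in domains:
        findings.append(Finding("NO_DEFAULT_DOMAIN", "*", "no 'idmap config * : ...' block"))
    for dom, opts in sorted(domains.items()):
        backend = opts.get("backend", "").lower()
        if not backend:
            findings.append(Finding("NO_BACKEND", dom, "backend not set"))
        if dom == "*" and backend in READ_ONLY_BACKENDS:
            findings.append(Finding("DEFAULT_READ_ONLY_BACKEND", dom, f"'{backend}' cannot allocate IDs"))
        if "schema_mode" in opts and backend != "ad":
            findings.append(Finding("SCHEMA_MODE_IGNORED", dom, f"idmap_ad option, '{backend}' ignores it"))
        if "range" not in opts:
            findings.append(Finding("NO_RANGE", dom, "range not set"))
            continue
        rng = parse_range(opts["range"])
        if rng is None:
            findings.append(Finding("BAD_RANGE", dom, f"unparseable range {opts['range']!r}"))
            continue
        ranges[dom] = rng
        clash = sorted(u for u in uids if rng[0] <= u <= rng[1])
        if clash:
            findings.append(Finding("RANGE_HITS_LOCAL_UID", dom, f"local UIDs {clash} inside {rng[0]}-{rng[1]}"))
    names = sorted(ranges)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            (alo, ahi), (blo, bhi) = ranges[a], ranges[b]
            if alo <= bhi and blo <= ahi:
                findings.append(Finding("RANGE_OVERLAP", f"{a},{b}", f"{alo}-{ahi} overlaps {blo}-{bhi}"))
    return findings

# Constructed samples (not copied from the thread): a local passwd with one
# regular user, the '* : backend = ad' layout the thread ends on, and a
# layout with disjoint ranges and an allocating backend for '*'.
PASSWD = """root:x:0:0:root:/root:/bin/bash
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
nick:x:1000:1000:Nick:/home/nick:/bin/bash
"""
CONF_AD_DEFAULT = """[global]
   #password server = 192.168.77.251
   idmap config CORP : backend = ad
   idmap config CORP : schema_mode = rfc2307
   idmap config CORP : range = 800 - 99999
   idmap config * : backend = ad
"""
CONF_OK = """[global]
   idmap config * : backend = tdb
   idmap config * : range = 10000-19999
   idmap config CORP : backend = ad
   idmap config CORP : schema_mode = rfc2307
   idmap config CORP : range = 20000-59999
"""

if __name__ == "__main__":
    for name, conf in (("ad-default", CONF_AD_DEFAULT), ("ok", CONF_OK)):
        print(name, [f"{f.code}({f.domain}): {f.detail}" for f in check_idmap(conf, PASSWD)] or "clean")
```

Run it against a real host with `check_idmap(open("/etc/samba/smb.conf").read(), open("/etc/passwd").read())`. The local-UID check deliberately reports `nobody` (65534) when a large range swallows it; whether that matters depends on the site, but it is the same class of clash as a domain user's `uidNumber` landing on a local user's UID, which is what makes the "should be 1001, got 920" symptom hard to reason about.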