Has anyone else gotten Samba functioning with idmap_ad and multiple domains? In our environment we have a domain with two child domains. There is one child domain for students, and another for faculty staff. Our servers are joined to the student domain, but need to be able to enumerate users in the staff domain.

When attempting to look up a user (wbinfo -i 'NAU\car3') that only exists in the staff domain, I see this in the log.winbindd-idmap:

[2008/02/19 07:34:25, 4] nsswitch/winbindd_dual.c:fork_domain_child(1054)
  child daemon request 48
[2008/02/19 07:34:25, 10] nsswitch/winbindd_dual.c:child_process_request(479)
  process_request: request fn DUAL_SID2UID
[2008/02/19 07:34:25, 3] nsswitch/winbindd_async.c:winbindd_dual_sid2uid(374)
  [ 8151]: sid to uid S-1-5-21-20713206-1263413069-421607344-5886
[2008/02/19 07:34:25, 10] nsswitch/idmap_util.c:idmap_sid_to_uid(105)
  idmap_sid_to_uid: sid = [S-1-5-21-20713206-1263413069-421607344-5886]
[2008/02/19 07:34:25, 10] nsswitch/idmap.c:idmap_backends_sids_to_unixids(1115)
  Query backends to map sids->ids
[2008/02/19 07:34:25, 10] nsswitch/idmap.c:idmap_backends_sids_to_unixids(1140)
  SID S-1-5-21-20713206-1263413069-421607344-5886 is being handled by NAU-STUDENTS
[2008/02/19 07:34:25, 10] nsswitch/idmap.c:idmap_backends_sids_to_unixids(1161)
  Query ids from domain NAU-STUDENTS
[2008/02/19 07:34:25, 7] nsswitch/idmap_ad.c:ad_idmap_cached_connection_internal(77)
  Current tickets expire in 35983 seconds (at 1203467648, time is now 1203431665)
[2008/02/19 07:34:25, 10] nsswitch/idmap_ad.c:idmap_ad_sids_to_unixids(543)
  Filter: [(&(|(sAMAccountType=805306368)(sAMAccountType=805306369)(sAMAccountType=805306370)(sAMAccountType=268435456)(sAMAccountType=536870912))(|(objectSid=\01\05\00\00\00\00\00\05\15\00\00\00\F6\0E\3C\01\4D\27\4E\4B\B0\37\21\19\FE\16\00\00)))]
[2008/02/19 07:34:25, 5] libads/ldap_utils.c:ads_do_search_retry_internal(64)
  Search for (&(|(sAMAccountType=805306368)(sAMAccountType=805306369)(sAMAccountType=805306370)(sAMAccountType=268435456)(sAMAccountType=536870912))(|(objectSid=\01\05\00\00\00\00\00\05\15\00\00\00\F6\0E\3C\01\4D\27\4E\4B\B0\37\21\19\FE\16\00\00))) in <dc=STUDENTS,dc=FROOT,dc=NAU,dc=EDU> gave 0 replies
[2008/02/19 07:34:25, 10] nsswitch/idmap_ad.c:idmap_ad_sids_to_unixids(553)
  No IDs found
[2008/02/19 07:34:25, 10] nsswitch/idmap.c:idmap_can_map(918)
  idmap backend for SID S-1-5-21-20713206-1263413069-421607344-5886 is READONLY!
[2008/02/19 07:34:25, 10] nsswitch/idmap_cache.c:idmap_cache_set_negative_sid(258)
  Adding cache entry with key = IDMAP/SID/S-1-5-21-20713206-1263413069-421607344-5886; value = 1203431785/IDMAP/NEGATIVE and timeout = Tue Feb 19 07:36:25 2008
   (120 seconds ahead)
[2008/02/19 07:34:25, 10] nsswitch/idmap_util.c:idmap_sid_to_uid(125)
  sid [S-1-5-21-20713206-1263413069-421607344-5886] not mapped to an uid [2,1,0]
[2008/02/19 07:34:25, 10] nsswitch/winbindd_cache.c:cache_store_response(2260)
  Storing response for pid 8153, len 3240
[2008/02/19 07:34:25, 10] lib/events.c:get_timed_events_timeout(295)
  timed_events_timeout: 277/780278
[2008/02/19 07:39:02, 10] lib/events.c:run_events(240)
  Running event "async_request_timeout" 2c6fd0
[2008/02/19 07:39:02, 0] nsswitch/winbindd_dual.c:async_request_timeout_handler(181)
  async_request_timeout_handler: child pid 8152 is not responding. Closing connection to it.
[2008/02/19 07:39:02, 10] lib/events.c:timed_event_destructor(66)
  Destroying timed event 2c6fd0 "async_request_timeout"
[2008/02/19 07:39:02, 5] nsswitch/winbindd_dual.c:async_reply_recv(263)
  Could not receive async reply from child pid 8152
[2008/02/19 07:39:02, 5] nsswitch/winbindd_util.c:init_child_recv(425)
  Received child initialization response for domain NAU-STUDENTS
[2008/02/19 07:39:02, 3] nsswitch/winbindd_util.c:init_child_recv(428)
  Could not init child
[2008/02/19 07:39:02, 5] nsswitch/winbindd_dual.c:domain_init_recv(402)
  Domain init returned an error
[2008/02/19 07:39:02, 1] nsswitch/winbindd_util.c:trustdom_recv(235)
  Could not receive trustdoms


log.winbindd prints out:

[2008/02/19 07:34:25, 10] nsswitch/winbindd_cache.c:cache_retrieve_response(2300)
  Retrieving response for pid 8153
[2008/02/19 07:34:25, 5] nsswitch/winbindd_async.c:winbindd_sid2uid_recv(347)
  sid2uid returned an error
[2008/02/19 07:34:25, 5] nsswitch/winbindd_user.c:getpwsid_sid2uid_recv(266)
  Could not query uid for user NAU\car3



Both the student and faculty domains have the rfc2307 attributes set, so I am unsure as to why I am only able to look up users in the NAU-STUDENTS domain and not the NAU domain.

Any thoughts?

Thanks,
Christian
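
An added example, not part of the original post: a Python script that decodes the escaped objectSid from the LDAP filter in the log above back to string form, and pulls out which domain winbindd assigned the SID to, the search base used, and the reply count. The function names are hypothetical; the sample lines are copied from the log, with the sAMAccountType clause shortened.

```python
import re
import struct

# Lines copied from the log.winbindd-idmap excerpt above; the sAMAccountType
# alternatives in the filter are shortened to one for readability.
LOG = r"""
SID S-1-5-21-20713206-1263413069-421607344-5886 is being handled by NAU-STUDENTS
Search for (&(|(sAMAccountType=805306368))(|(objectSid=\01\05\00\00\00\00\00\05\15\00\00\00\F6\0E\3C\01\4D\27\4E\4B\B0\37\21\19\FE\16\00\00))) in <dc=STUDENTS,dc=FROOT,dc=NAU,dc=EDU> gave 0 replies
"""

def unescape_ldap(value: str) -> bytes:
    """Convert an LDAP filter value with \\XX hex escapes to raw bytes."""
    out, i = bytearray(), 0
    while i < len(value):
        if value[i] == "\\":
            out.append(int(value[i + 1:i + 3], 16))
            i += 3
        else:
            out.append(ord(value[i]))
            i += 1
    return bytes(out)

def decode_sid(raw: bytes) -> str:
    """Binary SID layout: revision (1 byte), sub-authority count (1 byte),
    authority (6 bytes, big-endian), then 32-bit little-endian sub-authorities."""
    if len(raw) < 8 or len(raw) != 8 + 4 * raw[1]:
        raise ValueError("malformed binary SID")
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack("<%dI" % raw[1], raw[8:])
    return "-".join(["S", str(raw[0]), str(authority), *map(str, subs)])

def trace(log: str) -> dict:
    """Collect what winbindd decided for the SID and what the LDAP search did."""
    handled = re.search(r"SID (S-[\d-]+) is being handled by (\S+)", log)
    search = re.search(
        r"objectSid=((?:\\[0-9A-Fa-f]{2})+)\).*? in <([^>]+)> gave (\d+) replies", log)
    if not handled or not search:
        raise ValueError("expected idmap log lines not found")
    filter_sid = decode_sid(unescape_ldap(search.group(1)))
    return {"sid": handled.group(1), "handled_by": handled.group(2),
            "filter_sid": filter_sid, "search_base": search.group(2),
            "replies": int(search.group(3)),
            "filter_matches_sid": filter_sid == handled.group(1)}

if __name__ == "__main__":
    for key, value in trace(LOG).items():
        print(f"{key}: {value}")
```

For these lines the decoded filter SID equals the SID winbindd logged, and the search ran under the STUDENTS base and returned 0 replies.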