I'm running Samba 3.0.28a on a CentOS 3.9 box as a member of an AD domain whose PDC is a W2k3 server (Standard x64 R2 SP2).
Using wbinfo -u and wbinfo -g I can see domain users and groups from the CentOS box, but getent (passwd|group) fails to display them. The nsswitch is set up correctly, as far as I can tell. When I tail -f the samba log file during a getent query, I see that winbindd is having problems mapping the sid to the uid or gid ("sid2uid returned an error"). Furthermore, wbinfo -n can find the SID for a user or group, but it can't perform the inverse mapping. In the following example, 'deisner' and 'unixusers' are a domain user and group, respectively.

From the CentOS box (with intentional SID obfuscation):

    $ wbinfo -u |grep deisner
    deisner
    $ wbinfo -n deisner
    S-1-5-21-**********6 User (1)
    $ wbinfo -S S-1-5-21-**********6
    Could not convert sid S-1-5-21-**********6 to uid
    $ wbinfo -g |grep unixusers
    unixusers
    $ wbinfo -n unixusers
    S-1-5-21-**********8 Domain Group (2)
    $ wbinfo -Y S-1-5-21-**********8
    Could not convert sid S-1-5-21-**********8 to gid

In the log file, I see this:

    [2008/03/10 18:37:58, 10] nsswitch/winbindd_cache.c:cache_retrieve_response(2300)
      Retrieving response for pid 6274
    [2008/03/10 18:37:58, 5] nsswitch/winbindd_async.c:winbindd_sid2gid_recv(527)
      sid2gid returned an error
    [2008/03/10 18:37:58, 5] nsswitch/winbindd_sid.c:sid2gid_recv(254)
      Could not convert sid S-1-5-21-*8

I'm using the SFU schema. In AD I have uids and gids assigned to the user and group, in the Unix Attributes tab, with values in the range I've specified for the idmap range.

Here is my smb.conf:

    [global]
        workgroup = THEDOMAIN
        server string = Centos Samba Server
        hosts allow = xxx.y. xxx.y. 127.  # obfuscated
        printcap name = CUPS
        load printers = yes
        cups options = raw
        log file = /usr/local/samba/var/log.smbd
        security = ads
        encrypt passwords = yes
        socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
        dns proxy = no
        unix charset = LOCALE
        netbios name = LDAP
        realm = THEDOMAIN.FOO.ORG
        use kerberos keytab = Yes
        idmap domains = THEDOMAIN
        idmap config THEDOMAIN:backend = ad
        idmap config THEDOMAIN:default = yes
        idmap config THEDOMAIN:schema_mode = sfu
        idmap config THEDOMAIN:range = 10000 - 300000000
        log level = 1
        syslog = 0
        winbind use default domain = yes
        winbind nested groups = yes
        winbind enum users = yes
        winbind enum groups = yes
        template homedir = /home/windows/%D/%U
        template shell = /bin/bash
        allow trusted domains = no

    [homes]
        comment = Home Directories
        browseable = no
        writable = yes
        read only = No
        valid users = %D\%U

    [printers]
        comment = All Printers
        path = /var/spool/samba
        browseable = no
        guest ok = no
        writable = no
        printable = yes

    [voltest]
        admin users = THEDOMAIN\administrator
        comment = Volume Test
        path = /home/voltest
        public = no
        writable = yes
        store dos attributes = yes
        nt acl support = yes
        map acl inherit = yes

Running Wireshark on the W2k3 server, I can see the CentOS box making the LsarLookupSids request and getting a response (though the content is encrypted so I can't see the details).

Can anybody see anything obviously wrong? Does anybody have this working?

Thanks!
-David
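
Added example, not part of the original post: a small shell helper that automates the name -> SID -> uid/gid round trip shown above with wbinfo -n, -S and -Y, so several accounts can be checked in one pass. The function names are hypothetical, and it assumes wbinfo -n prints the type number in parentheses as in the post's output (1 = user, 2 = domain group).

```shell
#!/bin/sh
# Added example: forward/inverse idmap check for winbind names.
# Assumption: `wbinfo -n NAME` prints "<SID> <type text> (<n>)" as in the
# post, where n=1 means user and n=2 means domain group.

# check_idmap NAME
# Prints one status line. Return codes:
#   0  name -> SID -> uid/gid all resolved
#   1  SID found, but no uid/gid mapping (the failure in the post)
#   2  name could not be resolved to a SID at all
#   3  SID type is neither user nor domain group
check_idmap() {
    name=$1
    out=$(wbinfo -n "$name" 2>/dev/null) || {
        echo "$name: no SID (name lookup failed)"
        return 2
    }
    sid=${out%% *}                                   # first field is the SID
    sidtype=$(printf '%s\n' "$out" | sed -n 's/.*(\([0-9]*\))$/\1/p')
    case $sidtype in
        1) flag=-S; kind=uid ;;                      # user: SID -> uid
        2) flag=-Y; kind=gid ;;                      # group: SID -> gid
        *) echo "$name: $sid has unhandled type '$sidtype'"; return 3 ;;
    esac
    if id=$(wbinfo "$flag" "$sid" 2>/dev/null); then
        echo "$name: $sid -> $kind $id"
        return 0
    fi
    echo "$name: $sid has no $kind mapping"
    return 1
}

# run_checks NAME...  Checks every name; non-zero if any of them failed.
run_checks() {
    rc=0
    for n in "$@"; do
        check_idmap "$n" || rc=1
    done
    return $rc
}

# Only act when names were passed on the command line.
if [ "$#" -gt 0 ]; then run_checks "$@"; fi
```

Saved as a script, it takes the names as arguments (for example deisner unixusers) and exits non-zero if any of them lacks a mapping.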