David Eisner wrote:
> I'm running Samba 3.0.28a on a CentOS 3.9 box as a member of an AD
> domain whose PDC is a W2k3 server (Standard x64 R2 SP2).
>
> Using wbinfo -u and wbinfo -g I can see domain users and groups from
> the CentOS box, but getent (passwd|group) fails to display them. The
> nsswitch is set up correctly, as far as I can tell. When I tail -f the
> samba log file during a getent query, I see that winbindd is having
> problems mapping the sid to the uid or gid ("sid2uid returned an
> error").
>
> Furthermore, wbinfo -n can find the SID for a user or group, but it
> can't perform the inverse mapping.
>
> In the following example, 'deisner' and 'unixusers' are a domain user
> and group, respectively.
>
> From the CentOS box (with intentional SID obfuscation):
>
> $ wbinfo -u |grep deisner
> deisner
> $ wbinfo -n deisner
> S-1-5-21-**********6 User (1)
> $ wbinfo -S S-1-5-21-**********6
> Could not convert sid S-1-5-21-**********6 to uid
> $ wbinfo -g |grep unixusers
> unixusers
> $ wbinfo -n unixusers
> S-1-5-21-**********8 Domain Group (2)
> $ wbinfo -Y S-1-5-21-**********8
> Could not convert sid S-1-5-21-**********8 to gid
>
> In the log file, I see this:
> [2008/03/10 18:37:58, 10]
> nsswitch/winbindd_cache.c:cache_retrieve_response(2300)
> Retrieving response for pid 6274
> [2008/03/10 18:37:58, 5]
> nsswitch/winbindd_async.c:winbindd_sid2gid_recv(527)
> sid2gid returned an error
> [2008/03/10 18:37:58, 5] nsswitch/winbindd_sid.c:sid2gid_recv(254)
> Could not convert sid S-1-5-21-*8
>
>
> I'm using the SFU schema. In AD I have uids and gids assigned to the
> user and group, in the Unix Attributes tab, with values in the range
> I've specified for the idmap range. Here is my smb.conf:
>
>
> [global]
> workgroup = THEDOMAIN
> server string = Centos Samba Server
> hosts allow = xxx.y. xxx.y. 127. # obfuscated
> printcap name = CUPS
> load printers = yes
> cups options = raw
> log file = /usr/local/samba/var/log.smbd
> security = ads
> encrypt passwords = yes
> socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
> dns proxy = no
> unix charset = LOCALE
> netbios name = LDAP
> realm = THEDOMAIN.FOO.ORG
> use kerberos keytab = Yes
> idmap domains = THEDOMAIN
> idmap config THEDOMAIN:backend = ad
> idmap config THEDOMAIN:default = yes
> idmap config THEDOMAIN:schema_mode = sfu
> idmap config THEDOMAIN:range = 10000 - 300000000
> log level = 1
> syslog = 0
> winbind use default domain = yes
> winbind nested groups = yes
> winbind enum users = yes
> winbind enum groups = yes
> template homedir = /home/windows/%D/%U
> template shell = /bin/bash
> allow trusted domains = no

Try adding to global section:

winbind nss info = sfu

Right now you're defaulting to "template".

Regards,
Doug
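
Added example, not part of the original thread and not Samba code: a small check for the mismatch the reply points at, where an idmap domain uses the "ad" backend with a schema_mode but "winbind nss info" does not name that schema. The function names and the trimmed sample config are constructed for illustration.

```python
import re

# Constructed sample: the idmap-related lines of the smb.conf quoted above.
SAMPLE_CONF = """\
[global]
   workgroup = THEDOMAIN
   security = ads
   idmap domains = THEDOMAIN
   idmap config THEDOMAIN:backend = ad
   idmap config THEDOMAIN:schema_mode = sfu
   idmap config THEDOMAIN:range = 10000 - 300000000
   template shell = /bin/bash
"""


def parse_global(text):
    """Return the [global] parameters as {normalised name: value}."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "global" and "=" in line:
            name, value = line.split("=", 1)
            # Parameter names are matched ignoring case and whitespace runs.
            params[re.sub(r"\s+", " ", name.strip().lower())] = value.strip()
    return params


def nss_info_mismatches(text):
    """List (domain, schema_mode) pairs not named in 'winbind nss info'."""
    params = parse_global(text)
    # An unset 'winbind nss info' behaves as "template", as the reply notes.
    nss = set(params.get("winbind nss info", "template").lower().split())
    idmap = {}
    for name, value in params.items():
        m = re.fullmatch(r"idmap config (\S+?) ?: ?(\S+)", name)
        if m:
            idmap.setdefault(m.group(1), {})[m.group(2)] = value.lower()
    problems = []
    for domain, opts in sorted(idmap.items()):
        schema = opts.get("schema_mode")
        if opts.get("backend") == "ad" and schema and schema not in nss:
            problems.append((domain, schema))
    return problems


if __name__ == "__main__":
    for domain, schema in nss_info_mismatches(SAMPLE_CONF):
        print(f"{domain}: schema_mode={schema} but winbind nss info lacks it")
```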