Daniel,
On May 18, 2011, at 12:00 AM, Zabel, Daniel wrote:
I've looked at that file; it's empty. (Not a single entry.) I run
my tests with "winbindd -n -d 10 -D".
Try to add to your smb.conf:
log level = 3 idmap:10 winbind:10
to force idmap Logging also to Debuglevel 10.
I've discovered that Samba is writing to log files under /usr/local/
samba/var, as well as to files under /var/log/samba. (Why is it doing
that? In smb.conf it is told to put log files in /var/log/samba.) Anyway,
now I can see that idmap_ad is being called and is making log entries at
debug level 10.
This enabled me to see that my "idmap config SU : range" settings were
wrong -- I was filtering out values I wanted to see. Once I set the
ranges correctly, "wbinfo -S" started to work. (I can now map a user
SID to the correct Unix numerical UID.) The other wbinfo mappings
still fail: U, G, and Y.
Did "net ads testjoin" and "net ads info" work?
Yes, both these commands work.
Nsswitch.conf is important!
Should look like this:
passwd: files winbind
group: files winbind
I've configured my nsswitch.conf like this, but it made no difference.
These winbind relevant settings I have also in my config:
winbind nss info = rfc2307 template
winbind normalize names = yes
winbind use default domain = yes
winbind offline logon = yes
winbind cache time = 180
winbind enum users = yes
winbind enum groups = yes
winbind nested groups = yes
winbind trusted domains only = no
Thanks; I altered my config to match these settings, but again, it
didn't affect my wbinfo tests.
--
Kai Lanz
On May 17, 2011, at 5:50 AM, Zabel, Daniel wrote:
Have a look at:
log.winbindd-idmap
I've looked at that file; it's empty. (Not a single entry.) I run my
tests with "winbindd -n -d 10 -D".
Also have a look at:
https://bugzilla.samba.org/show_bug.cgi?id=6322
Now, this is interesting! The problem Edgar Holleis describes sounds
exactly like the one I am facing. See my post to the Samba mailing
list, "Winbindd can't convert between SIDs and uid/gid". Edgar said:
Winbind correctly resolves:
User-Name->SID (wbinfo -n), Group-Name->SID (wbinfo -s)
What doesn't work:
SID->UID (wbinfo -S), UID->SID (wbinfo -U), GID (wbinfo -Y), GID->UID
SID->(wbinfo -G)
(Except, "wbinfo -s" is SID->User-name, the reverse of "wbinfo -n",
not Group-Name->SID as Edgar wrote...) That's the same pattern of
success and failure I get in my wbinfo tests.
So, how does one go from Edgar's bug report, with 4 failing wbinfo
queries, to your comment, "wbinfo resolves everything correctly"?
I'm running samba-3.5.8 on OpenSolaris.
Following Michael Adam's example, I tried the following in my
smb.conf:
idmap backend = tdb
idmap uid = 50000 - 99999
idmap gid = 50000 - 99999
idmap config SU : backend = ad
idmap config SU : schema_mode = rfc2307
idmap config SU : range = 10000 - 29999
idmap config WIN : backend = ad
idmap config WIN : schema_mode = rfc2307
idmap config WIN : range = 30000 - 49999
Note the disjoint ranges for each domain. I still get the same
failures with wbinfo S, U, G, and Y. It seems I'm still missing
something, since our wbinfo doesn't "resolve everything correctly".
Is nsswitch.conf important, perhaps? It doesn't seem to make any
difference whether I add "winbind" to the passwd and group lines or
not. Is that expected?
--
Kai Lanz
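
Added example, not part of the original thread: a small checker for the per-domain "idmap config <DOMAIN> : range" lines quoted above. It reports overlapping domain ranges and lists the IDs that fall outside a domain's range, which idmap_ad treats as a filter and does not map. The uidNumber values passed in are hypothetical, and the function names are this example's own.

```python
import re
from itertools import combinations

# Constructed input: the per-domain idmap lines quoted in the thread.
SMB_CONF = """\
idmap backend = tdb
idmap uid = 50000 - 99999
idmap gid = 50000 - 99999
idmap config SU : backend = ad
idmap config SU : schema_mode = rfc2307
idmap config SU : range = 10000 - 29999
idmap config WIN : backend = ad
idmap config WIN : schema_mode = rfc2307
idmap config WIN : range = 30000 - 49999
"""

# Matches only the per-domain "range" lines, not backend or schema_mode.
RANGE_RE = re.compile(
    r"^[ \t]*idmap\s+config\s+([^\s:]+)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)",
    re.I | re.M)

def domain_ranges(conf_text):
    """Map each domain name to its (low, high) idmap range."""
    return {m.group(1).upper(): (int(m.group(2)), int(m.group(3)))
            for m in RANGE_RE.finditer(conf_text)}

def overlapping(ranges):
    """Return pairs of domains whose ranges share at least one ID."""
    pairs = combinations(sorted(ranges.items()), 2)
    return [(a, b) for (a, ra), (b, rb) in pairs
            if ra[0] <= rb[1] and rb[0] <= ra[1]]

def filtered_ids(ranges, domain, ids):
    """Return the IDs outside the domain's range (these get no mapping)."""
    low, high = ranges[domain.upper()]
    return [i for i in ids if not low <= i <= high]

if __name__ == "__main__":
    ranges = domain_ranges(SMB_CONF)
    print("ranges:", ranges)
    print("overlaps:", overlapping(ranges))
    # Hypothetical uidNumber values as they might be stored in AD for SU.
    sample = [10512, 29999, 30000, 5001]
    print("filtered in SU:", filtered_ids(ranges, "SU", sample))
```

Feed it the uidNumber and gidNumber values actually stored in the directory; any ID it reports as filtered will fail a "wbinfo -S" style lookup until the range is widened.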