I think you might be missing some stuff in the prior config you had. The following works for me with Samba 3.6.6:

   idmap config * : backend = tdb
   idmap config * : range = 1000000-1999999

   idmap config MYDOMAIN : backend  = rid
   idmap config MYDOMAIN : range = 1000-999999
   idmap config MYDOMAIN : base_rid    = 0

You need the * entry in there because you need a range for defaults. I only have a single domain (and yes it's not called "MYDOMAIN":-) ). For instance, I have log files named:
  log.wb-BUILTIN
  log.wb-MYDOMAIN
  log.wb-HOSTNAME

I do not have the winbind enum groups or users defined in my config file. The default is no for both. Also, winbind refused to function properly when I attempted setting the backend for my domain as tdb. Everywhere I've read, rid is safe for multiple domains and multiple winbind-enabled systems, so long as those ranges are consistent throughout your winbind systems' config settings, and they have completely separate ranges. They must not overlap!

Sample output:

   [hchoi@HOSTNAME hchoi](30)# wbinfo -i hchoi
   hchoi:*:2601:1513::/home/hchoi:/bin/bash

   [hchoi@HOSTNAME hchoi](31)# id hchoi
   uid=2601(hchoi) gid=1513(domain users) groups=1513(domain users),...,1000001(BUILTIN\users)

   [hchoi@HOSTNAME hchoi](34)# wbinfo -i administrator
   administrator:*:1500:1513::/home/administrator:/bin/bash

   [hchoi@HOSTNAME hchoi](32)# id administrator
   uid=1500(administrator) gid=1513(domain users) groups=1513(domain users),1520(group policy creator owners),1512(domain admins),2106(organization management),1519(enterprise admins),1518(schema admins),1000001(BUILTIN\users),1000000(BUILTIN\administrators)

My remaining smb.conf:
[global]
    workgroup = MYDOMAIN
    realm = MYDOMAIN.NET
    server string = Linux Server
    security = ADS
    ntlm auth = No
    kerberos method = secrets and keytab
    log file = /var/log/samba/log.%m
    max log size = 1000
    max protocol = SMB2
    load printers = No
    printcap name = /dev/null
    disable spoolss = Yes
    wins server = 192.168.10.10, 192.168.10.11
    template homedir = /home/%U
    template shell = /bin/bash
    winbind use default domain = Yes
    winbind offline logon = Yes

[netlogon]
    comment = Network Logon Service
    path = /var/lib/samba/netlogon
    guest ok = Yes
...

krb5.conf:
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = MYDOMAIN.NET
 dns_lookup_realm = true
 dns_lookup_kdc = true
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = yes

[appdefaults]
pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
}

[domain_realm]
 .mydomain.net = MYDOMAIN.NET
 mydomain.net = MYDOMAIN.NET


Hope this helps.
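As an added illustration of the rules in the reply above (a `*` default entry, a backend and range per domain, no overlapping ranges) and of why the sample output shows administrator as uid 1500 and "domain users" as gid 1513, here is a small checker that is not part of this thread or of Samba. It parses the `idmap config` lines, reports configuration problems, and reproduces the idmap_rid arithmetic from idmap_rid(8), ID = RID - base_rid + low_range_id. The two smb.conf fragments embedded below are constructed from the configurations quoted in the thread; the domain SID `S-1-5-21-1-2-3` is a made-up placeholder, and the function and class names are the example's own.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed smb.conf fragments (added example; backends and ranges are
# copied from the two configurations quoted in this thread).
WORKING_CONF = """
idmap config * : backend = tdb
idmap config * : range = 1000000-1999999
idmap config MYDOMAIN : backend  = rid
idmap config MYDOMAIN : range = 1000-999999
idmap config MYDOMAIN : base_rid    = 0
"""

ORIGINAL_CONF = """
idmap config CBJ_NT:backend = rid
idmap config CBJ_NT:base_rid = 0
idmap config CBJ_NT:range = 10000-65533
idmap config LIBRARY:backend = rid
idmap config LIBRARY:base_rid = 0
idmap config LIBRARY:range = 65535-79999
"""

IDMAP_RE = re.compile(
    r"^\s*idmap\s+config\s+([^\s:]+)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.IGNORECASE)
# Any SID: everything up to the last hyphen is the domain part, the tail is the RID.
SID_RE = re.compile(r"^(S-1-\d+(?:-\d+)*)-(\d+)$")


@dataclass
class IdmapDomain:
    name: str
    backend: Optional[str] = None
    low: Optional[int] = None
    high: Optional[int] = None
    base_rid: int = 0


def parse_idmap(conf: str) -> Dict[str, IdmapDomain]:
    """Collect the 'idmap config DOMAIN : key = value' lines per domain."""
    domains: Dict[str, IdmapDomain] = {}
    for line in conf.splitlines():
        m = IDMAP_RE.match(line)
        if not m:
            continue
        name, key, value = m.group(1), m.group(2).lower(), m.group(3)
        dom = domains.setdefault(name, IdmapDomain(name))
        if key == "backend":
            dom.backend = value.lower()
        elif key == "range":
            low, high = value.split("-", 1)
            dom.low, dom.high = int(low), int(high)
        elif key == "base_rid":
            dom.base_rid = int(value)
    return domains


def check_idmap(domains: Dict[str, IdmapDomain]) -> List[str]:
    """Rules from the thread: a '*' default must exist, every domain needs a
    backend and a range, and no two ranges may overlap."""
    problems: List[str] = []
    if "*" not in domains:
        problems.append("no 'idmap config * : ...' default entry")
    ranged = []
    for d in domains.values():
        if d.backend is None:
            problems.append(f"{d.name}: no backend configured")
        if d.low is None or d.high is None:
            problems.append(f"{d.name}: no range configured")
            continue
        if d.low > d.high:
            problems.append(f"{d.name}: range {d.low}-{d.high} is inverted")
            continue
        ranged.append(d)
    ranged.sort(key=lambda d: d.low)
    for a, b in zip(ranged, ranged[1:]):
        if b.low <= a.high:
            problems.append(f"ranges of {a.name} and {b.name} overlap")
    return problems


def sid_to_id(domains: Dict[str, IdmapDomain], domain_name: str,
              sid: str) -> Optional[int]:
    """idmap_rid arithmetic, ID = RID - base_rid + low_range_id, for a SID whose
    owning domain (as 'wbinfo -s' reports it) is domain_name. Returns None when
    the mapping is not static: no matching entry, a backend other than rid
    (tdb allocates ids on demand), or a result outside the configured range."""
    dom = domains.get(domain_name) or domains.get("*")
    if dom is None or dom.backend != "rid" or dom.low is None:
        return None
    m = SID_RE.match(sid)
    if not m:
        return None
    rid = int(m.group(2))
    unix_id = rid - dom.base_rid + dom.low
    if not dom.low <= unix_id <= dom.high:
        return None
    return unix_id


if __name__ == "__main__":
    working = parse_idmap(WORKING_CONF)
    print("working config:", check_idmap(working) or "ok")
    # Well-known RIDs 500 (Administrator) and 513 (Domain Users) under the
    # placeholder domain SID reproduce uid 1500 / gid 1513 from the thread.
    print(sid_to_id(working, "MYDOMAIN", "S-1-5-21-1-2-3-500"))
    print(sid_to_id(working, "MYDOMAIN", "S-1-5-21-1-2-3-513"))
    print(sid_to_id(working, "BUILTIN", "S-1-5-32-544"))  # tdb default: None
    print("original config:", check_idmap(parse_idmap(ORIGINAL_CONF)) or "ok")
```

Run against the working configuration the checker reports nothing and maps RID 500 to 1500 and RID 513 to 1513, matching the `wbinfo -i` and `id` output above; BUILTIN falls through to the tdb default, where ids are allocated rather than computed (hence 1000000 and 1000001 in the output). Against the original CBJ_NT/LIBRARY configuration the only finding is the missing `*` entry; the two ranges themselves do not overlap. Pointing two different domains at a rid `*` default makes `sid_to_id` return the same id for equal RIDs, which is the collision the separate-ranges rule exists to avoid.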

On 07/12/2012 01:06 PM, Kevin Elliott wrote:
I read the bugreport that Dale linked and ended up using the workaround listed 
there.

Changes made to '/etc/samba/smb.conf' follow:
   @@ -28,9 +28,12 @@
        winbind enum users = Yes
        winbind enum groups = Yes
        panic action = /usr/share/samba/panic-action %d
   -    idmap config CBJ_NT:backend = rid
   -    idmap config CBJ_NT:base_rid = 0
   -    idmap config CBJ_NT:range = 10000-65533
   +    idmap config * : backend = rid
   +    idmap config * : base_rid = 0
   +    idmap config * : range = 10000-65533
        idmap config LIBRARY:backend = rid
        idmap config LIBRARY:base_rid = 0
        idmap config LIBRARY:range = 65535-79999
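Review bot: the hunk header `@@ -28,9 +28,12 @@` does not match the body, which has nine lines on each side (six context, three `-`, three `+`), so the patch as pasted will not apply cleanly; regenerate it or correct the counts to `-28,9 +28,9`. On the substance, replacing the `CBJ_NT` entry with `idmap config * : backend = rid` turns rid arithmetic into the default for every domain that has no entry of its own (BUILTIN included), all sharing the single 10000-65533 range, so equal RIDs from different domains produce the same Unix id; the working configuration quoted at the top of the thread keeps `*` on tdb with its own range and names the primary domain explicitly with a rid range. The LIBRARY range (65535-79999) still does not overlap the default range, which is the one constraint both versions satisfy.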

Does anyone have any idea why not explicitly specifying the domain fixes this issue?




-----Original Message-----
From: Dale Schroeder [mailto:[email protected]]
Sent: Tuesday, July 10, 2012 11:18
To: Kevin Elliott
Cc: [email protected]
Subject: Re: [Samba] Samba 3.6.5, idmap configuration and WBC_ERR_DOMAIN_NOT_FOUND

On 07/10/2012 12:56 PM, Kevin Elliott wrote:
Hello all,

I recently upgraded from Samba 3.5.6 (the version contained
in Debian Stable) to Samba 3.6.5 (the version from Debian
Backports) in an effort to closer track the current
development to try and chase some long standing bugs out.
I think I've resolved one problem but introduced another.
I'm getting the "WBC_ERR_DOMAIN_NOT_FOUND" when I try to
perform a SID to UID lookup much like so:
city-liza-lnx:/var/log/samba# wbinfo -t
checking the trust secret for domain CBJ_NT via RPC calls succeeded
city-liza-lnx:/var/log/samba# wbinfo -n CBJ_NT+kevin_elliott
S-1-5-21-505306839-1977890393-20515302-14949 SID_USER (1)
city-liza-lnx:/var/log/samba# wbinfo -s S-1-5-21-505306839-1977890393-20515302-14949
CBJ_NT+kevin_elliott 1
city-liza-lnx:/var/log/samba# wbinfo -S S-1-5-21-505306839-1977890393-20515302-14949
failed to call wbcSidToUid: WBC_ERR_DOMAIN_NOT_FOUND
Could not convert sid S-1-5-21-505306839-1977890393-20515302-14949 to uid


This looks like it has all the markings of the following bug reports:

https://bugzilla.samba.org/show_bug.cgi?id=8371#c5
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=652679



Before I follow this upstream can someone sanity check my
configs for me? I understand that much has changed between
3.5 and 3.6 regarding the idmaping.

[global]
          workgroup = CBJ_NT
          realm = CBJ.LOCAL
          netbios aliases = CITY-LIZA-L90, CITY-LIZA
          server string = External FTP Server
          interfaces = 199.58.55.87/22, lo
          bind interfaces only = Yes
          security = ADS
          obey pam restrictions = Yes
          passdb backend = tdbsam
          password server = 199.58.55.25, 199.58.55.50
          passwd program = /usr/bin/passwd %u
          passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n .
          client NTLMv2 auth = Yes
          log level = 10
          log file = /var/log/samba/log.%m
          max log size = 2500
          printcap name = cups
          os level = 5
          local master = No
          domain master = No
          wins server = 199.58.55.25
          ldap ssl = no
          winbind enum users = Yes
          winbind enum groups = Yes
          panic action = /usr/share/samba/panic-action %d
          idmap config CBJ_NT:backend = rid
          idmap config CBJ_NT:base_rid = 0
          idmap config CBJ_NT:range = 10000-65533
          idmap config LIBRARY:backend = rid
          idmap config LIBRARY:base_rid = 0
          idmap config LIBRARY:range = 65535-79999
          winbind separator = +
          winbind use default domain = Yes

[ftp]
          comment = FTP directory
          path = /var/ftp/pub/
          valid users = "@CBJ_NT+domain users"
          read only = No
          create mask = 0775
          directory mask = 0775
          hide unreadable = Yes



Thank you for your consideration.

Kevin,

With idmap rid, it could also be this one:

https://bugzilla.samba.org/show_bug.cgi?id=8676

This bug has been in every version of 3.6.  For me, a reboot
of the system usually will fix the problem until the next
samba/winbind restart is required; others have not been so fortunate.

Dale



