I'm running Samba 3.0.2a on Solaris 9. My shop also runs Active Directory on W2K (SP4). In an attempt to build a single sign-on solution, I thought I'd get Samba to allow Windows 2000 users to telnet/rlogin/ftp to my UNIX boxes without requiring those users to have a UNIX account.

The Samba dox claim this is possible, because winbindd will map the AD account SID to a UNIX userid, and will store that mapping in the winbindd_idmap.tdb file.

This works just fine. AD users can map drives and can connect to the UNIX box through telnet, rlogin, or ftp. They do not need a UNIX account.

Problem solved? Not quite. I have many UNIX boxes, and because the Samba shares are NFS-mounted to these boxes, I have to ensure that the SID-uid mapping is consistent across all machines. Samba will do this by keeping the mapping in an OU created in the AD tree. I created that OU, and called it Idmap.

For the life of me, though, I can't get Samba to store the mapping in the OU. It continues to store it in the winbindd_idmap file.

My Solaris box is running Solaris 9, with patch 113476-13, MIT Kerberos 1.3.1, and OpenLDAP 2.2.5 (because Samba needs the LDAP stuff to compile).

Samba was configured with these options:

 ./configure --prefix=/opt/samba                    \
               --with-syslog                        \
               --with-utmp                          \
               --with-codepagedir=/var/samba/code   \
               --with-configdir=/var/samba/conf     \
               --with-lockdir=/var/samba/lock       \
               --with-privatedir=/var/samba/private \
               --with-swatdir=/var/samba/swat       \
               --with-logfilebase=/var/samba/log    \
               --datadir=/var/samba/share           \
               --localstatedir=/var/samba/var       \
               --sharedstatedir=/var/samba/com      \
               --sysconfdir=/var/samba/etc          \
               --with-acl-support                   \
               --with-krb5=/opt/kerberos            \
               --with-winbind                       \
               --with-ldap                          \
               --with-ldapsam

The global portion of my smb.conf is:

[global]
       workgroup = AD_DOMAIN
       realm = INTERNAL_DOMAIN.COM
       server string = Test server
       security = ADS
       password server = ad1.internal_domain.com ad2.internal_domain.com
       lanman auth = No
       ntlm auth = No
       client NTLMv2 auth = Yes
       client lanman auth = No
       client plaintext auth = No
       log level = 2
       disable netbios = Yes
       name resolve order = host
       load printers = No
       os level = 0
       lm announce = No
       preferred master = No
       local master = No
       domain master = No
       dns proxy = No
       ldap suffix = dc=internal_domain,dc=com
       ldap idmap suffix = ou=Idmap,dc=internal_domain,dc=com
       ldap admin dn = cn=Administrator,ou=Users,dc=internal_domain,dc=com
       ldap ssl = no
       idmap uid = 10000-20000
       idmap gid = 10000-20000
       template shell = /bin/ksh
       winbind separator = +
       hosts allow = 198.161.66., 192.168.100.
       wide links = No

I know the problem isn't with pam.conf or nsswitch.conf, since my AD users can connect to the Solaris box without any problems.

When I try to connect, I get this error message on the Samba server:

'failed to bind to server with dn= cn=Administrator,ou=Users,dc=internal_domain,dc=com Error: Can't contact LDAP server'

Well, I know the LDAP server works. Running both 'wbinfo -u' and 'getent passwd' shows the AD accounts.

Am I missing something obvious here?

Erwin Fritz
Network Administrator
Gilbert Laustsen Jung Associates Ltd.
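In Samba 3.0 winbindd only writes SID-to-uid mappings to LDAP when `idmap backend = ldap:ldap://<host>` is set; with just `ldap idmap suffix` present it keeps using winbindd_idmap.tdb. The following is an added Python check, not code from the mail above or from the Samba project, that lints the idmap-related [global] settings quoted in the post for that and a couple of related consistency problems; the sample config is reconstructed from the post, and the ad1.internal_domain.com URL used when testing the fixed config is an assumption.

```python
import re

# Constructed sample: the idmap-related lines of the [global] section quoted in the mail.
SAMPLE_SMB_CONF = """\
[global]
    workgroup = AD_DOMAIN
    security = ADS
    ldap suffix = dc=internal_domain,dc=com
    ldap idmap suffix = ou=Idmap,dc=internal_domain,dc=com
    ldap admin dn = cn=Administrator,ou=Users,dc=internal_domain,dc=com
    idmap uid = 10000-20000
    idmap gid = 10000-20000
"""

def parse_global(text):
    """Return the [global] key/value pairs; keys lower-cased with whitespace collapsed."""
    settings, in_global = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("["):
            in_global = line.lower() == "[global]"
            continue
        if in_global and "=" in line:
            key, value = line.split("=", 1)
            settings[" ".join(key.lower().split())] = value.strip()
    return settings

def dn_is_under(child, parent):
    """True when DN child equals or lies beneath DN parent (case-insensitive)."""
    norm = lambda dn: ",".join(p.strip().lower() for p in dn.split(","))
    c, p = norm(child), norm(parent)
    return c == p or c.endswith("," + p)

def lint_idmap(settings):
    """Return a list of findings about the winbind idmap settings (empty when consistent)."""
    findings = []
    backend = settings.get("idmap backend", "")
    suffix = settings.get("ldap idmap suffix")
    if suffix and not backend.startswith("ldap:"):
        findings.append("ldap idmap suffix is set but 'idmap backend = ldap:ldap://<host>' is "
                        "missing, so winbindd keeps SID mappings in winbindd_idmap.tdb")
    if suffix and "ldap suffix" in settings and not dn_is_under(suffix, settings["ldap suffix"]):
        findings.append("ldap idmap suffix is not beneath ldap suffix")
    for key in ("idmap uid", "idmap gid"):
        m = re.fullmatch(r"(\d+)-(\d+)", settings.get(key, ""))
        if not m or int(m.group(1)) >= int(m.group(2)):
            findings.append(f"{key} must be a 'low-high' range with low < high")
    return findings
```

Run it against the real smb.conf by reading the file into parse_global; an empty list from lint_idmap only means the settings are consistent, not that the LDAP bind itself succeeds.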

