No, I do not use winbind for NSS (no winbind in /etc/nsswitch.conf). Winbind is used only by Samba when it maps users from trust domain into local space.
Adrian Chow wrote:
Hi Igor,
I got stuck now. I did my best. I got stuck at the winbind which I suspected is the reason why the domainA_computer cannot map the domain_B user's home directory.
1. What are the settings of your winbind?
I have the following winbind related entries in smb.conf:
ldap idmap suffix = ou=Idmap
idmap backend = ldap:ldap://localhost
idmap uid = 10000-20000
idmap gid = 10000-20000
To see if winbind works you can also try to resolve a name into SID and SID into gid. For example, if wbinfo -g returns 'STAFF\wheel', try the following:
wbinfo -n 'STAFF\wheel'
wbinfo -Y <SID returned by the previous command>
2. Do you use only "winbind" in your libnss_ldap or use "ldap" as well?
In my /etc/nsswitch.conf I have only "ldap" without winbind. As far as I understand this, winbind usage via NSS can confuse Samba into thinking that those users and groups are defined locally and maybe allowing Samba to use winbind directly is a better approach for trust between domains.
I don't know why you would want to put winbind into libnss_ldap, which is configuration for the LDAP interface for NSS (when you use 'ldap' in the /etc/nsswitch.conf file).
3. My winbind works with :-
Do you mean that this error message was reported during "getent group" in DomainB? Because, without this error message I would assume that you have winbind written in /etc/nsswitch.conf on your DomainA server but not on your DomainB server.
(For both sides)
wbinfo -t
wbinfo -p
wbinfo -u
wbinfo -g
getent passwd
(For DomainA)
"getent group" shows all the local groups and also the groups shown in "wbinfo -g"
(For DomainB)
"getent group" shows all the local groups and only the GUESTs group. Very weird. The rest of the groups in "wbinfo -g" do not come up.
The logs are something like this:-
-----------------------------------
nsswitch/winbindd_group.c:fill_grent_mem(133)
could not lookup membership for group rid S-1-5-21-1803233979-822103454-943392455-3005 in domain STAFF (error: NT_STATUS_NO_SUCH_GROUP)
[2004/11/01 00:13:10, 0] nsswitch/winbindd_group.c:winbindd_getgrent(795)
could not lookup domain group STAFF\wheel
---------------------------------------
The error message means that Samba thinks that 'wheel' is a Domain group of the 'STAFF' domain and fails to find its mapping. I would expect this error to come up during login of a Domain user whose primary group is a local 'wheel' group instead of a Domain group. If this user is supposed to have 'wheel' as a primary group you probably forgot to create a groupmap from a Domain group for it.
Igor
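As an added example (not part of the original message and not Samba's own code), the Python sketch below pulls the failed group lookups out of winbindd log text in the form quoted above and pairs each one with the wbinfo check suggested in the message. The function names are hypothetical and the last log entry in the sample is constructed.

```python
import re
from collections import Counter

# Sample input: the two winbindd messages quoted in the post, plus one
# constructed repeat (second timestamp) so that the counting is visible.
SAMPLE_LOG = r"""
nsswitch/winbindd_group.c:fill_grent_mem(133)
  could not lookup membership for group rid S-1-5-21-1803233979-822103454-943392455-3005 in domain STAFF (error: NT_STATUS_NO_SUCH_GROUP)
[2004/11/01 00:13:10, 0] nsswitch/winbindd_group.c:winbindd_getgrent(795)
  could not lookup domain group STAFF\wheel
[2004/11/01 00:13:40, 0] nsswitch/winbindd_group.c:winbindd_getgrent(795)
  could not lookup domain group STAFF\wheel
"""

MEMBERSHIP_RE = re.compile(
    r"could not lookup membership for group rid (?P<sid>S-\d+(?:-\d+)+)"
    r"\s+in domain (?P<domain>\S+)\s+\(error: (?P<status>NT_STATUS_\w+)\)")
GROUP_RE = re.compile(
    r"could not lookup domain group (?P<domain>[^\\\s]+)\\(?P<group>\S+)")

def unresolved_groups(log_text):
    """Count failed domain-group lookups, keyed by (domain, group name)."""
    return Counter((m["domain"], m["group"])
                   for m in GROUP_RE.finditer(log_text))

def failed_memberships(log_text):
    """Return (domain, sid, status) for each failed membership lookup."""
    return [(m["domain"], m["sid"], m["status"])
            for m in MEMBERSHIP_RE.finditer(log_text)]

def report(log_text):
    """One line per finding, with the wbinfo command to verify it by hand."""
    lines = []
    for (domain, group), n in sorted(unresolved_groups(log_text).items()):
        lines.append(f"{domain}\\{group}: {n} failed lookup(s); "
                     f"check with: wbinfo -n '{domain}\\{group}'")
    for domain, sid, status in failed_memberships(log_text):
        lines.append(f"{domain} {sid}: {status}; check with: wbinfo -Y {sid}")
    return lines

if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```
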
