winbind/idmap/AD problem?

> Hi,
>
> I'm running 3.0.28a on Ubuntu 8.04 (their package).  I've got security =
> ads and idmap backend = ad (smb.conf is posted below). I'm using
> libnss-ldap and have ldap in nsswitch.conf (also posted below) and ldap
> connected to the AD server.  I have the drive mounted using acl and
> xattr_user options in fstab (acl is installed).  I can connect to the
> share, I see in the logs that it's picking up the uid and gid from SFU
> in AD, however, when I go into the explorer security tab (on the client)
> and try to add a user it fails.  I don't get an error message within
> windows (the user adding another user is the owner of the file/folder),
> the user just disappears from the list as it refreshes!  On the server
> I'm seeing a lot of this in log.winbindd-idmap
>
> [2008/07/18 09:32:59, 1]
> nsswitch/idmap_ad.c:idmap_ad_unixids_to_sids(294)
>  ADS uninitialized
>
> Now I don't know if this is related, but if I wbinfo -n wsd\\rippls I
> get a long SID number, if I do wbinfo -s [same SID number] I get wsd
> \rippls.  However, if I do wbinfo -U [uid for same user] I get a
> different SID from before!
>
> I'm trying very hard this summer to make this work so I can retire our
> MS file server, so any help would be appreciated.  I tried this
> initially in Etch, but I that version wasn't handling the connection to
> AD for nss and winbind very well at all, hence I'm trying in Ubuntu.
>
> Thanks!
>
>
> ====smb.conf=====
>
> [global]
>
>   workgroup = WSD
>   realm = woodland.wednet.edu
>   server string = %h server
>
>   log file = /var/log/samba/log.%m
>   max log size = 1000
>   syslog = 0
>
>   panic action = /usr/share/samba/panic-action %d
>
>   security = ads
>   encrypt passwords = true
>   passdb backend = tdbsam
>   obey pam restrictions = yes
>   invalid users = root
>
>   socket options = TCP_NODELAY
>
>   idmap backend = ad
>   winbind nss info = sfu
>   winbind nested groups = yes
>   winbind use default domain = yes
>
>
> [Student]
>   path = /srv/Student
>   read only = no
>   store dos attributes = yes
>   nt acl support = yes
>   map acl inherit = yes
>   inherit acls = yes
>   acl map full control = yes
>   dos filemode = yes
>
>
> =====nsswitch.conf=====
>
> passwd:         files ldap
> group:          files ldap
> shadow:         files ldap
>
> hosts:          files mdns4_minimal [NOTFOUND=return] dns mdns4
> networks:       files
>
> protocols:      db files
> services:       db files
> ethers:         db files
> rpc:            db files
>
> netgroup:       nis
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/listinfo/samba
>

>
> Have you tried to add "winbind" at the file nsswitch.conf for the
> fields
> passwd, group and shadow?
>
> So, if you have SFU at your DC, you don't need winbind to authenticate
> users, you can configure the system for a LDAP binding.
> Read the PDFs of this web, the last 2 are very interesting for your
> problem:
> http://www.interopsystems.com/learning.htm
>
> They work with 2003 R2 and Fedora, but it's the same, because R2
> version has
> the SFU integrated.
>
> And by the way, a time ago I tried to make a LDAP binding with an
> Ubuntu
> 7.10, but it didn't work. May be with Hardy it's different.
>
> Luck!
> David Molina
>
>
> On Fri, 2008-07-18 at 11:11 -0700, Steve Rippl wrote:
> > Hi,
> >
> > I'm running 3.0.28a on Ubuntu 8.04 (their package).  I've got
> security =
> > ads and idmap backend = ad (smb.conf is posted below). I'm using
> > libnss-ldap and have ldap in nsswitch.conf (also posted below) and
> ldap
> > connected to the AD server.  I have the drive mounted using acl and
> > xattr_user options in fstab (acl is installed).  I can connect to
> the
> > share, I see in the logs that it's picking up the uid and gid from
> SFU
> > in AD, however, when I go into the explorer security tab (on the
> client)
> > and try to add a user it fails.  I don't get an error message within
> > windows (the user adding another user is the owner of the
> file/folder),
> > the user just disappears from the list as it refreshes!  On the
> server
> > I'm seeing a lot of this in log.winbindd-idmap
> >
> > [2008/07/18 09:32:59, 1]
> > nsswitch/idmap_ad.c:idmap_ad_unixids_to_sids(294)
> >   ADS uninitialized
> >
> > Now I don't know if this is related, but if I wbinfo -n wsd\\rippls
> I
> > get a long SID number, if I do wbinfo -s [same SID number] I get wsd
> > \rippls.  However, if I do wbinfo -U [uid for same user] I get a
> > different SID from before!
> >
> > I'm trying very hard this summer to make this work so I can retire
> our
> > MS file server, so any help would be appreciated.  I tried this
> > initially in Etch, but I that version wasn't handling the connection
> to
> > AD for nss and winbind very well at all, hence I'm trying in Ubuntu.
> >
> > Thanks!
> >
> >
> > ====smb.conf=====
> >
> > [global]
> >
> >    workgroup = WSD
> >    realm = woodland.wednet.edu
> >    server string = %h server
> >
> >    log file = /var/log/samba/log.%m
> >    max log size = 1000
> >    syslog = 0
> >
> >    panic action = /usr/share/samba/panic-action %d
> >
> >    security = ads
> >    encrypt passwords = true
> >    passdb backend = tdbsam
> >    obey pam restrictions = yes
> >    invalid users = root
> >
> >    socket options = TCP_NODELAY
> >
> >    idmap backend = ad
> >    winbind nss info = sfu
> >    winbind nested groups = yes
> >    winbind use default domain = yes
> >
> >
> > [Student]
> >    path = /srv/Student
> >    read only = no
> >    store dos attributes = yes
> >    nt acl support = yes
> >    map acl inherit = yes
> >    inherit acls = yes
> >    acl map full control = yes
> >    dos filemode = yes
> >
> >
> > =====nsswitch.conf=====
> >
> > passwd:         files ldap
> > group:          files ldap
> > shadow:         files ldap
> >
> > hosts:          files mdns4_minimal [NOTFOUND=return] dns mdns4
> > networks:       files
> >
> > protocols:      db files
> > services:       db files
> > ethers:         db files
> > rpc:            db files
> >
> > netgroup:       nis
> >
>
>

> Thanks David, yes I have tried all these and nothing seems to be
> working!
>
> Here's where I'm at... libnss-ldap is working with my AD server, with
> just 'files ldap' in nsswitch.conf a getent passwd returns local users
> and users from AD, but they seem to be treated as local, ie they are
> 'admin' rather than 'wsd\admin'.  So, on a windows client I go to my
> test share as a domain user, in the log I see that it picks up the
> uid/gid from AD, but in the security tab the user is 'Unix User
> \2009test' NOT 'wsd\2009test'.  If I try to add a user through this tab
> they are wsd\username, and then I get
>
> [2008/07/23 09:30:45, 0] smbd/posix_acls.c:create_canon_ace_lists(1438)
>   create_canon_ace_lists: unable to map SID
> S-1-5-21-3668144929-636610183-3299198910-1120 to uid or gid.
>
> in the log file when I hit apply.  I'm also still getting
>
> [2008/07/23 09:30:45, 1]
> nsswitch/idmap_ad.c:idmap_ad_unixids_to_sids(294)
>   ADS uninitialized
>
> in log.winbindd-idmap.
>
> If I add winbind to the list in nsswitch it makes no difference, if I
> have just 'file winbind' nothing works!  This is all with idmap backend
> = ad, if I set it to tdb winbind does work correctly.
>
> What do I have to do to configure idmap backend = ad correctly????  I've
> now complied 3.0.31 with --with-shared-modules=idmap_ad, I've tried
> winbind nss info = sfu and leaving it out.  Some people said use rfc2307
> even though they claimed to be using SFU not R2, tried that and it
> didn't make any difference (I'm using SFU 3.5).  David's references seem
> to be using ldap to store idmap info rather than getting uid/gid info
> from ad.  
>
> Has someone out there got this working?  The Samba-3 Howto for this says
> to just use 'files ldap' in nsswitch, but to reiterate, if I do that I'm
> not getting connected users recognised as domain user?!!
>
>
>  

>> Have you put POSIX attributes onto the users in the active directory?
>>
>>         idmap backend = ad:ldap://domain.fqdn
>>         winbind nss info = rfc2307
>>
>>
>> Should work. You also need
>>         use kerberos keytab = yes
>>
>> Howard.
>>
>>    
> Yep, I've got posix attributes for users in AD.  I added the keytab (net
> ads keytab create -P) and changed smb.conf to reflect the lines you have
> above (with my actual fqdn for the AD server), and now I get this in
> log.winbindd-idmap
>
> [2008/07/23 15:33:25, 1] nsswitch/idmap.c:idmap_init(377)
>   Initializing idmap domains
> [2008/07/23 15:33:25, 2] lib/module.c:do_smb_load_module(64)
>   Module '/usr/local/samba/lib/idmap/ad.so' loaded
> [2008/07/23 15:33:25, 2] lib/module.c:do_smb_load_module(64)
>   Module '/usr/local/samba/lib/idmap/ad.so' loaded
> [2008/07/23 15:33:25, 2] nsswitch/idmap.c:idmap_init(779)
>   idmap_init: Unable to get methods for alloc backend ad
>  

> [2008/07/23 15:33:25, 2]
> nsswitch/idmap_ad.c:ad_idmap_cached_connection(152)
>   ad_idmap_cached_connection: Failed to obtain schema details!
> [2008/07/23 15:33:25, 1]
> nsswitch/idmap_ad.c:idmap_ad_sids_to_unixids(514)
>   ADS uninitialized
> [2008/07/23 15:33:25, 2]
> nsswitch/idmap.c:idmap_backends_sids_to_unixids(1233)
>   ERROR: NTSTATUS = 0xc0000001
>
>
> I can wbinfo -a|n|s, that works, but getent is still not returning the
> user.  I copied libnss_winbind into /lib and ran ldconfig but it seems
> as though getent isn't using it?!
>
> Also, maybe I'm wrong but I though that to query ldap attributes in AD
> you had to bind with a valid user, how is the idmap backend doing that?
>