From 5dd0ffac98c6000c24a0bf44ffc73c6317fff9bd Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Bj=C3=B6rn=20Jacke?= Date: Tue, 14 May 2013 16:51:28 +0200 Subject: [PATCH 1/2] winbind/idmap_ad: be verbose about the user that we fail to map Reviewed-by: Stefan Metzmacher (cherry picked from commit f08205be7003f6c0a15fd5fd99d01951164ad15c) Reviewed-by: David Disseldorp --- source3/winbindd/idmap_ad.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/source3/winbindd/idmap_ad.c b/source3/winbindd/idmap_ad.c index cf15f03..2b35a4f 100644 --- a/source3/winbindd/idmap_ad.c +++ b/source3/winbindd/idmap_ad.c @@ -457,7 +457,7 @@ again: ctx->ad_schema->posix_gidnumber_attr, &id)) { - DEBUG(1, ("Could not get unix ID\n")); + DEBUG(1, ("Could not get SID for unix ID %u\n", (unsigned) id)); continue; } @@ -654,7 +654,8 @@ again: ctx->ad_schema->posix_gidnumber_attr, &id)) { - DEBUG(1, ("Could not get unix ID\n")); + DEBUG(1, ("Could not get unix ID for SID %s\n", + sid_string_dbg(map->sid))); continue; } if (!idmap_unix_id_is_in_range(id, dom)) { -- 1.8.1.4 From de73a6138b233eec3e666809fb45ddb66f5f31a4 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Bj=C3=B6rn=20Jacke?= Date: Wed, 15 May 2013 15:52:25 +0200 Subject: [PATCH 2/2] docs: mention AD prerequirements for using idmap_ad Reviewed-by: Stefan Metzmacher (cherry picked from commit c3057f69a274f0d8e0e66183bd5e8be7703b6750) Reviewed-by: David Disseldorp --- docs-xml/manpages-3/idmap_ad.8.xml | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/docs-xml/manpages-3/idmap_ad.8.xml b/docs-xml/manpages-3/idmap_ad.8.xml index fbadaf2..2f7c0f1 100644 --- a/docs-xml/manpages-3/idmap_ad.8.xml +++ b/docs-xml/manpages-3/idmap_ad.8.xml 
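Review bot: In the first hunk (@@ -457) the new message prints `id`, but this branch is taken only when the call that receives `&id` (apparently as its output argument) has failed, so the logged number is whatever `id` held before. Depending on code outside the hunk, that is either an uninitialized read or a stale value from an earlier entry. The text also changed to "Could not get SID" although the failing call in the context reads `posix_gidnumber_attr`, which points an operator triaging mapping failures at the wrong lookup. Keep the wording about the unix ID and identify the object by something already known at this point, as the second hunk does with `map->sid`: `DEBUG(1, ("Could not get unix ID for SID %s\n", sid_string_dbg(<entry SID>)));`, where `<entry SID>` is a placeholder for whichever SID variable is in scope. The enclosing loop starts and ends outside the hunk.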
@@ -22,9 +22,12 @@ id mappings from an AD server that uses RFC2307/SFU schema extensions. This module implements only the "idmap" API, and is READONLY. Mappings must be provided in advance - by the administrator by adding the posixAccount/posixGroup - classes and relative attribute/value pairs to the user and - group objects in the AD. + by the administrator by adding the uidNumber attributes for + users and gidNumber attributes for groups in the AD. Winbind + will only map users that have a uidNumber and whose primary + group have a gidNumber attribute set. It is however + recommended that all groups in use have gidNumber attributes + assigned, otherwise they are not working. Note that the idmap_ad module has changed considerably since -- 1.8.1.4