First off, I wasn't sure who to report this bug to - it might be the FreeBSD dev team's responsibility.

wbinfo -u shows AD users, however pw user show -a only shows local users (same with group lists).

/var/log/messages is filled with

May 16 14:35:19 fileserver winbindd[15426]: [2008/05/16 14:35:19, 0] nsswitch/idmap.c:idmap_alloc_init(750)
May 16 14:35:19 fileserver winbindd[15426]: ERROR: Initialization failed for alloc backend, deferred!

]# cat /etc/nsswitch.conf
#
# nsswitch.conf(5) - name service switch configuration file
# $FreeBSD: src/etc/nsswitch.conf,v 1.1 2006/05/03 15:14:47 ume Exp $
#
group: files winbind
group_compat: nis
hosts: files dns
networks: files
passwd: files winbind
passwd_compat: nis
shells: files

# cat /usr/local/etc/smb.conf
[global]
workgroup = COTN
realm = INTERNATIONALOFFICE.COTNI.ORG
security = ADS
password server = cotn-fs.internationaloffice.cotni.org
encrypt passwords = yes
use kerberos keytab = Yes
allow trusted domains = No
idmap backend = ldap
idmap uid = 1000-100000
idmap gid = 1000-100000
log level = 100
syslog only = Yes
winbind cache time = 3600
winbind enum users = Yes
winbind enum groups = Yes
winbind nested groups = Yes
winbind nss info = sfu
winbind offline logon = Yes
winbind refresh tickets = True
winbind use default domain = Yes

Changing security = ldap to security = ad results in...

May 16 14:41:58 fileserver winbindd[91046]: ERROR: Could not get methods for backend ad
May 16 14:41:58 fileserver winbindd[91046]: [2008/05/16 14:41:58, 0] nsswitch/idmap.c:idmap_init(728)
May 16 14:41:58 fileserver winbindd[91046]: Aborting IDMAP Initialization ...

I found (via Google) the same issue on a number of systems but for older versions of Samba - no idea if the issue persists, or if it's fixed in 3.0.28a (waiting on port update if so).
Sorry, forgot to change the OS
I changed "idmap backend" to "idmap backend = tdb" and it seems to be working with samba-3.0.28a. "ad" still returns the same errors, so I'll leave this bug open if someone else wants to pick it up.
Sorry for not coming to this earlier. I think this is not an issue any more. In any case, don't use the deprecated parameters "winbind use default domain" and "winbind enum users/groups". Also "password server" should be automatically got via DNS and not set manually. If you still see the problem with a cleared config with 3.6 or 4.0 please reopen this bug! Thanks.