We do have valid uidNumbers in our Active Directory with rfc2307 schema. Until 3.4.8 winbind worked very well and mapped uidNumbers as expected. Starting with 3.5.0 the same configuration refuses to work. The symptoms: wbinfo -u works, but wbinfo -i 'AD\username' returns "Could not get info for user AD\username".
Created attachment 5859: Level 10 log of winbindd-idmap
Created attachment 5860: Level 10 log of wb-AD
Created attachment 5861: Level 10 log of winbindd
Hi, thanks for the report! Could you please also attach a copy of your smb.conf (at least global section)? Cheers - Michael
Of Course:

#GLOBAL PARAMETERS
[global]
    fileid:mapping = fsname
    netbios name = lsf-cups
    workgroup = AD
    realm = AD.PHYSIK.UNI-MUENCHEN.DE
    preferred master = no
    server string = Print Server LS Feldmann
    security = ADS
    encrypt passwords = yes
    log level = 3
    log file = /var/log/samba/log.%m
    max log size = 10240
    load printers = yes
    printcap name = cups
    printing = cups
    winbind nss info = rfc2307
    winbind normalize names = yes
    # http://wiki.samba.org/index.php/Samba_&_Active_Directory#Configuring_Samba
    passdb backend = tdbsam
    idmap backend = tdb
    idmap uid = 500 - 999
    idmap gid = 500 - 999
    idmap config AD : backend = ad
    idmap config AD : range = 1000-999999
    idmap config AD : schema_mode = rfc2307
    ;template primary group = "Domain Users"
    template shell = /bin/bash
    template homedir = /export/home/%U
    username map script = /usr/local/sbin/machine-account-map.pl

[printers]
    comment = All Printers
    path = /var/spool/samba
    browseable = no
    writeable = no
    printable = yes
    guest ok = yes

[print$]
    comment = Printer Drivers
    path = /var/lib/samba/drivers
    write list = ripley
    writeable = yes
    guest ok = yes
Hi, Ezra Van Everbroeck <ezra@ucsd.edu> worked out that the mapping works again when the primary Windows group has a gidNumber set up. In our environment we originally did not give "Domain Users" a gidNumber attribute. But the behavior is now that a user with a primary Windows group without a gidNumber attribute will not be mapped anymore.

But one thing is hitting me further: with the idmap_ad plugin, winbind normalize names does not work anymore. Until 3.4 a name was mapped to the uid attribute. In 3.5.x this does not work.

Behavior until 3.4.x:

[root@filer ~]# wbinfo -i 'AD\Guinea.Pig'
Guinea.Pig:*:10007:10000::/home/g/Guinea.Pig:/bin/bash
[root@filer ~]#

Behavior in 3.5.x:

[root@filer-lskr samba]# wbinfo -i 'AD\Guinea.Pig'
AD\guinea.pig:*:10007:10000:Guinea Pig:/home/g/Guinea.Pig:/bin/bash
[root@filer-lskr samba]#

This is bad, as this will definitely break our NFS4 idmap mappings.
okay, so this is a dup. docs are already made more clear.

for the *new* issue you report in the last comment, I don't see why "winbind normalize names" should do what "winbind use default domain" does, I don't see the misbehaviour. Anyway, if you still think this is a bug, then please open a new report for it...

*** This bug has been marked as a duplicate of bug 9880 ***
(In reply to comment #7)
> okay, so this is a dup. docs are already made more clear.
>
> for the *new* issue you report in the last comment, I don't see why "winbind
> normalize names" should do what "winbind use default domain" does, I don't see
> the misbehaviour. Anyway, if you still think this is a bug, then please open a
> new report for it...
>
> *** This bug has been marked as a duplicate of bug 9880 ***

Sorry, but I think you misunderstood my problem. We do have user login names with uppercase characters. A down mapping to lower case breaks Kerberos! So why was the behavior of "winbind normalize names" changed to something completely useless? I would expect from normalize names that the name would be returned exactly as in the attribute, with upper and lower case. So I would expect the behavior like it was in 3.4, which returns for "AD\Guinea.Pig" the value "Guinea.Pig" and not something crippled.

Sincerely,
Klaus
The initial reported problem was your missing gidNumber attributes. Don't hijack bug reports with discussions about other topics and discussions about other Samba features that are not related. If you think that winbind normalize names does not do what it should do (I don't see that yet), then open a new bug about *that* issue, please.

*** This bug has been marked as a duplicate of bug 9880 ***
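
The condition identified in this thread (a user whose primary Windows group has no gidNumber is no longer mapped from 3.5.0 on) can be audited before an upgrade. The following is an added example, not part of the original bug report or of Samba: it joins users to their primary group via primaryGroupID and the RID at the end of the group's objectSid. The LDIF data, the example.test domain and the function names are constructed, and it assumes a single domain and an export in which objectSid is already rendered in string form.

```python
# Constructed sample data (not from the bug report); SIDs are in string form.
SAMPLE_LDIF = """\
dn: CN=Domain Users,CN=Users,DC=example,DC=test
objectClass: group
objectSid: S-1-5-21-1111-2222-3333-513

dn: CN=Staff,CN=Users,DC=example,DC=test
objectClass: group
objectSid: S-1-5-21-1111-2222-3333-1105
gidNumber: 10000

dn: CN=Guinea Pig,CN=Users,DC=example,DC=test
objectClass: user
sAMAccountName: Guinea.Pig
uidNumber: 10007
primaryGroupID: 1105

dn: CN=Test User,CN=Users,DC=example,DC=test
objectClass: user
sAMAccountName: test.user
uidNumber: 10008
primaryGroupID: 513
"""

def parse_ldif(text):
    """Parse simple LDIF (no base64 values, no folded lines) into dicts of lists."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            key, _, value = line.partition(": ")
            entry.setdefault(key, []).append(value)
        entries.append(entry)
    return entries

def unmappable_users(entries):
    """Return (user, primary group DN) pairs where that group has no gidNumber.
    Groups are indexed by RID, the last component of objectSid (one domain assumed)."""
    groups = {e["objectSid"][0].rsplit("-", 1)[1]: e for e in entries
              if "group" in e.get("objectClass", []) and "objectSid" in e}
    flagged = []
    for e in entries:
        if "user" in e.get("objectClass", []) and "uidNumber" in e:
            group = groups.get(e.get("primaryGroupID", [""])[0])
            if group is None or "gidNumber" not in group:
                flagged.append((e["sAMAccountName"][0], group["dn"][0] if group else None))
    return flagged

if __name__ == "__main__":
    print(unmappable_users(parse_ldif(SAMPLE_LDIF)))
```

A group DN of None in the result means no group with the user's primaryGroupID was present in the export at all.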