I've seen a lot of posts with people having problems with wbinfo -i and WBC_ERR_DOMAIN_NOT_FOUND / NT_STATUS_NONE_MAPPED.
After reading a couple of posts I found the solution and from my point of view the documentation of idmap_ad requires an update and a more useful error message would be helpful.
Most people might think the primary group is controlled with gidNumber of the user object in active directory, but this is not true.
The primary group of the user is controlled by the AD primary group. So you have to assign a gidNumber to the selected primary group of the user in AD.
Is this behaviour a bug or a feature?
For a second I thought it works to use something like "idmap config CORP : uid = 2500-999999" to fetch only the UID from AD, but it was a problem with the cache.
Is there a way to only get the uidNumber from AD and not care about gidNumber?
Or could a workaround be to create a local idmap for "Domain Users"? What is the best way to do it?
# winbindd -V
# cat /etc/samba/smb.conf
workgroup = CORP
realm = CORP.DOMAIN.COM
security = ADS
local master = no
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes
winbind nested groups = yes
winbind nss info = rfc2307
template shell = /bin/bash
idmap config * : backend = tdb
idmap config * : range = 1000000-1999999
idmap config CORP : backend = ad
idmap config CORP : range = 2500-999999
idmap config CORP : schema_mode = rfc2307
# net ads search '(|(uidNumber=*)(gidNumber=*))' sAMAccountName uidNumber gidNumber -P
=> Assigning a gidNumber to tstusr2 does not control the primary group.
# wbinfo -n tstusr2
S-1-5-21-3137624152-3039101805-1571016323-134414 SID_USER (1)
# wbinfo -S S-1-5-21-3137624152-3039101805-1571016323-134414
# wbinfo -i tstusr2
failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
Could not get info for user tstusr2
idmap_cache_find_sid2uid found 50001
idmap_cache_find_sid2gid found -1
Could not convert sid S-1-5-21-3137624152-3039101805-1571016323-134414: NT_STATUS_NONE_MAPPED
Changed the primary group of the user in AD to a group with a valid gidNumber (tstgrp2).
# net cache flush
# /etc/init.d/winbind restart
# wbinfo -i tstusr2
I tried to add GID of "Domain Users" to winbindd_idmap.tdb with the intention to use a local group mapping.
# echo "GID 1000010 S-1-5-21-nnnnnnnnnnn" | net idmap restore
The value is shown in the idmap, but it does not work.
Tried it with "idmap config CORP : uid = 2500-999999" and "range = " both did not succeed. You really have to have an eye on the winbind cache during the tests.
Thank you for noting the problem.
Here is something I found while spending four sleepless nights with samba 4.1.0 DCs and member server.
1. Effective GID of AD users: It is a must that all users are added through ADUC in a way that Unix attributes like UID and GID are added also. I have to repeat that the effective GID of the user follows the user's primary *AD* group. Merely changing the group setting in the tab Unix Attributes will not work! (This should be added to the member server how-to!).
2. GID range suggestion: The default group of an AD user is Domain Users, whose GID should be set up through ADUC. I recommend the GID should be more than 1000 in order not to clash with the system groups on the unix side.
I don't think it is a bug but it should be well noted in samba 4 how-tos.
(In reply to comment #0)
> I've seen a lot of posts with people having problems with wbinfo -i and
> WBC_ERR_DOMAIN_NOT_FOUND / NT_STATUS_NONE_MAPPED.
> After reading a couple of posts I found the solution and from my point of view
> the documentation of idmap_ad requires an update
Well, here is what "man idmap_ad" has to say:
The idmap_ad plugin provides a way for Winbind to read id mappings from
an AD server that uses RFC2307/SFU schema extensions. This module
implements only the "idmap" API, and is READONLY. Mappings must be
provided in advance by the administrator by adding the uidNumber
attributes for users and gidNumber attributes for groups in the AD.
Winbind will only map users that have a uidNumber and whose primary
group have a gidNumber attribute set.
I thought that was clear... :-)
> and a more useful error message would be helpful.
Well yeah, there is a general problem that wbinfo always
prints WBC_ERR_DOMAIN_NOT_FOUND when there is an error.
This is not special to idmap_ad and could be improved.
> Most people might think the primary group is controlled with gidNumber of the
> user object in active directory, but this is not true.
> The primary group of the user is controlled by the AD primary group. So you
> have to assign a gidNumber to the selected primary group of the user in AD.
> Is this behaviour a bug or a feature?
This is how it should work and has (to my knowledge)
always worked. After all, samba models a windows
file server, and it is the windows access token
that is converted to the unix token with id mappings.
We could add a mode to idmap_ad that allows to use the
primary gid field from AD for the primary id of the
generated unix token, if this is really desired.
But quite frankly, I don't understand why people
insist on using the user's posix gid number from
AD. Simply give a GID to the primary group and
Cheers - Michael
*** This bug has been marked as a duplicate of bug 9880 ***
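To make the rule from "man idmap_ad" concrete, here is an added Python model (not Samba code, not from anyone in this thread) of the check winbind effectively performs: the primary group is derived from the domain SID plus the user's primaryGroupID RID, and that group must carry a gidNumber; the user's own gidNumber attribute is never consulted. All SIDs, RIDs and id numbers below are constructed sample values.

```python
"""Model of idmap_ad's mappability rule (added example, not Samba source).

The records imitate the attributes winbind reads from AD: objectSid,
primaryGroupID and uidNumber on the user, objectSid and gidNumber on
groups.  All values are constructed for illustration.
"""
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"  # constructed

USERS = {
    # uidNumber is set and a gidNumber is set on the *user*, yet the
    # primary group (RID 513, Domain Users) has no gidNumber.
    "tstusr2": {"objectSid": DOMAIN_SID + "-134414", "primaryGroupID": 513,
                "uidNumber": 50001, "gidNumber": 50001},
}
GROUPS = {
    DOMAIN_SID + "-513": {"name": "Domain Users"},          # no gidNumber
    DOMAIN_SID + "-1107": {"name": "tstgrp2", "gidNumber": 50002},
}


def primary_group_sid(user):
    """Primary group SID = domain part of the user's SID + primaryGroupID."""
    domain = user["objectSid"].rsplit("-", 1)[0]
    return f"{domain}-{user['primaryGroupID']}"


def mapping_problem(name, users=USERS, groups=GROUPS):
    """Return the reason idmap_ad cannot map the user, or None if it can.
    This is the detail that wbinfo -i hides behind WBC_ERR_DOMAIN_NOT_FOUND."""
    user = users[name]
    if user.get("uidNumber") is None:
        return f"{name}: user has no uidNumber -> NT_STATUS_NONE_MAPPED"
    pg_sid = primary_group_sid(user)
    group = groups.get(pg_sid, {})
    if group.get("gidNumber") is None:
        label = group.get("name", pg_sid)
        return f"{name}: primary group {label} has no gidNumber -> NT_STATUS_NONE_MAPPED"
    return None


def idmap_ad_lookup(name, users=USERS, groups=GROUPS):
    """(uid, gid) as the unix token would see them, or LookupError."""
    problem = mapping_problem(name, users, groups)
    if problem:
        raise LookupError(problem)
    user = users[name]
    gid = groups[primary_group_sid(user)]["gidNumber"]
    return user["uidNumber"], gid


if __name__ == "__main__":
    print(mapping_problem("tstusr2"))
    fixed = {"tstusr2": dict(USERS["tstusr2"], primaryGroupID=1107)}
    print(idmap_ad_lookup("tstusr2", users=fixed))
```

Running it shows the failing lookup for the original record and a successful (50001, 50002) mapping once the primary group is switched to tstgrp2, matching what the reporter observed after changing the primary group in AD.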
Hello all, if you get the following messages when running rfc2307 as a domain member:
Could not get unix ID for SID
Then you must have the following things in place:
1. Make sure the "Domain Users" has a GUID defined! I usually define this using the first available.
2. Make the group the default group in the user's NIS section.
I had lots of fun pulling my hair out (what's left of it) before I worked that out.