I've seen a lot of posts with people having problems with wbinfo -i and WBC_ERR_DOMAIN_NOT_FOUND / NT_STATUS_NONE_MAPPED. After reading a couple of posts I found the solution, and from my point of view the documentation of idmap_ad requires an update and a more useful error message would be helpful.

Most people might think the primary group is controlled with the gidNumber of the user object in Active Directory, but this is not true. The primary group of the user is controlled by the AD primary group. So you have to assign a gidNumber to the selected primary group of the user in AD. Is this behaviour a bug or a feature?

For a second I thought it would work to use something like "idmap config CORP : uid = 2500-999999" to fetch only the UID from AD, but it was a problem with the cache. Is there a way to only get the uidNumber from AD and not care about the gidNumber? Or could a workaround be to create a local idmap for "Domain Users"? What is the best way to do it?

Configuration:

# winbindd -V
Version 3.6.3-0.30.1-2920-SUSE-CODE11-x86_64

# cat /etc/samba/smb.conf
[global]
    workgroup = CORP
    realm = CORP.DOMAIN.COM
    security = ADS
    local master = no
    winbind enum users = yes
    winbind enum groups = yes
    winbind use default domain = yes
    winbind nested groups = yes
    winbind nss info = rfc2307
    template shell = /bin/bash
    idmap config * : backend = tdb
    idmap config * : range = 1000000-1999999
    idmap config CORP : backend = ad
    idmap config CORP : range = 2500-999999
    idmap config CORP : schema_mode = rfc2307

# net ads search '(|(uidNumber=*)(gidNumber=*))' sAMAccountName uidNumber gidNumber -P
[...]
sAMAccountName: tstgrp2
gidNumber: 70005

sAMAccountName: tstusr2
uidNumber: 50001

=> Assigning a gidNumber to tstusr2 does not control the primary group.
# wbinfo -n tstusr2
S-1-5-21-3137624152-3039101805-1571016323-134414 SID_USER (1)

# wbinfo -S S-1-5-21-3137624152-3039101805-1571016323-134414
50001

# wbinfo -i tstusr2
failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
Could not get info for user tstusr2

winbind log:
idmap_cache_find_sid2uid found 50001
idmap_cache_find_sid2gid found -1
Could not convert sid S-1-5-21-3137624152-3039101805-1571016323-134414: NT_STATUS_NONE_MAPPED
wb_request_done[5254:GETPWNAM]: NT_STATUS_NONE_MAPPED

Changed the primary group of the user in AD to a group with a valid gidNumber (tstgrp2).

# net cache flush
# /etc/init.d/winbind restart
# wbinfo -i tstusr2
tstusr2:*:50001:70005:tstusr2:/home/CORP/tstusr2:/bin/bash
I tried to add the GID of "Domain Users" to winbindd_idmap.tdb with the intention of using a local group mapping.

# echo "GID 1000010 S-1-5-21-nnnnnnnnnnn" | net idmap restore

The value is shown in the idmap, but it does not work. Tried it with "idmap config CORP : uid = 2500-999999" and "range = "; both did not succeed. You really have to keep an eye on the winbind cache during the tests.
Thank you for noting the problem. Here are some things I found while spending four sleepless nights with Samba 4.1.0 DCs and a member server.

1. Effective GID of AD users: It is a must that all users are added through ADUC in a way that Unix attributes like UID and GID are added also. I have to repeat that the effective GID of the user follows the user's primary *AD* group. Merely changing the group setting in the Unix Attributes tab will not work! (This should be added to the member server how-to!)

2. GID range suggestion: The default group of an AD user is Domain Users, whose GID should be set up through ADUC. I recommend the GID should be more than 1000 in order not to clash with the system groups on the Unix side.

I don't think it is a bug, but it should be well noted in the Samba 4 how-tos.
(In reply to comment #0)
> I've seen a lot of posts with people having problems with wbinfo -i and
> WBC_ERR_DOMAIN_NOT_FOUND / NT_STATUS_NONE_MAPPED.
> After reading a couple of posts I found the solution and from my point of view
> the documentation of idmap_ad requires an update

Well, here is what "man idmap_ad" has to say:

    The idmap_ad plugin provides a way for Winbind to read id mappings from an AD server that uses RFC2307/SFU schema extensions. This module implements only the "idmap" API, and is READONLY. Mappings must be provided in advance by the administrator by adding the uidNumber attributes for users and gidNumber attributes for groups in the AD. Winbind will only map users that have a uidNumber and whose primary group have a gidNumber attribute set.

I thought that was clear... :-)

> and a more useful error message would be helpful.

Well yeah, there is a general problem that wbinfo always prints WBC_ERR_DOMAIN_NOT_FOUND when there is an error. This is not special to idmap_ad and could be improved.

> Most people might think the primary group is controlled with gidNumber of the
> user object in active directory, but this is not true.
> The primary group of the user is controlled by the AD primary group. So you
> have to assign a gidNumber to the selected primary group of the user in AD.
> Is this behaviour a bug or a feature?

This is how it should work and has (to my knowledge) always worked. After all, Samba models a Windows file server, and it is the Windows access token that is converted to the Unix token with id mappings. We could add a mode to idmap_ad that allows using the primary gid field from AD for the primary id of the generated Unix token, if this is really desired. But quite frankly, I don't understand why people insist on using the user's posix gid number from AD. Simply give a GID to the primary group and you're done.

Cheers - Michael
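The resolution rule the reply describes (uid from the user's uidNumber, gid from the gidNumber of the group named by the user's AD primary group, the user's own gidNumber ignored) can be checked ahead of time instead of discovered via NT_STATUS_NONE_MAPPED in the winbind log. The script below is an added example and is not code from the bug report or from Samba; it models the idmap_ad lookup over constructed records shaped like the reporter's `net ads search` output (sAMAccountName, objectSid, primaryGroupID, uidNumber, gidNumber), with no AD connection. The SID and RID of tstusr2 and the values 50001/70005 come from the report; the RID 1105 for tstgrp2, the "nouid" account and the `template homedir` value are assumptions.

```python
"""Model how winbind's idmap_ad turns an AD user into a passwd entry.

Added example, not the Samba project's code. Records are constructed to
resemble what `net ads search` prints; nothing here talks to a DC.
"""
from typing import Dict, Tuple

WORKGROUP = "CORP"
TEMPLATE_HOMEDIR = "/home/%D/%U"   # assumed smb.conf value; gives /home/CORP/tstusr2 as in the report
TEMPLATE_SHELL = "/bin/bash"       # from the report's smb.conf
DOMAIN_SID = "S-1-5-21-3137624152-3039101805-1571016323"   # from the report

# Constructed users. tstusr2 mirrors the reporter's first attempt: uidNumber and
# gidNumber set on the user, primary group still Domain Users (RID 513).
USERS: Dict[str, dict] = {
    "tstusr2": {"objectSid": f"{DOMAIN_SID}-134414", "primaryGroupID": 513,
                "uidNumber": 50001, "gidNumber": 70005},
    "nouid":   {"objectSid": f"{DOMAIN_SID}-134415", "primaryGroupID": 513},  # assumed account, no uidNumber
}
# Constructed groups. 513 is the well-known Domain Users RID; 1105 for tstgrp2 is assumed.
GROUPS: Dict[str, dict] = {
    "Domain Users": {"objectSid": f"{DOMAIN_SID}-513"},                  # no gidNumber -> unmappable
    "tstgrp2":      {"objectSid": f"{DOMAIN_SID}-1105", "gidNumber": 70005},
}


class NoneMapped(Exception):
    """Stands in for NT_STATUS_NONE_MAPPED: a SID with no Unix ID."""


def primary_group_sid(user: dict) -> str:
    # AD stores the primary group as a RID in primaryGroupID; the group's SID is the
    # user's domain SID plus that RID. The user's own gidNumber is never consulted.
    domain = user["objectSid"].rsplit("-", 1)[0]
    return f"{domain}-{user['primaryGroupID']}"


def group_by_sid(sid: str) -> Tuple[str, dict]:
    for name, group in GROUPS.items():
        if group["objectSid"] == sid:
            return name, group
    raise NoneMapped(f"no group with SID {sid}")


def sid_to_uid(name: str, user: dict) -> int:
    if "uidNumber" not in user:
        raise NoneMapped(f"user {name} has no uidNumber")
    return user["uidNumber"]


def sid_to_gid(name: str, group: dict) -> int:
    if "gidNumber" not in group:
        raise NoneMapped(f"primary group {name} has no gidNumber")
    return group["gidNumber"]


def getpwnam(name: str) -> str:
    """Build the passwd line wbinfo -i would print, or raise NoneMapped."""
    user = USERS[name]
    uid = sid_to_uid(name, user)
    gname, group = group_by_sid(primary_group_sid(user))
    gid = sid_to_gid(gname, group)
    home = TEMPLATE_HOMEDIR.replace("%D", WORKGROUP).replace("%U", name)
    return f"{name}:*:{uid}:{gid}:{name}:{home}:{TEMPLATE_SHELL}"


def audit() -> Dict[str, str]:
    """Every user idmap_ad would refuse to map, with the reason. Empty means all resolve."""
    problems = {}
    for name in USERS:
        try:
            getpwnam(name)
        except NoneMapped as err:
            problems[name] = str(err)
    return problems


def set_primary_group(name: str, group_name: str) -> None:
    """The fix from the report: change the user's AD primary group, not its gidNumber."""
    rid = GROUPS[group_name]["objectSid"].rsplit("-", 1)[1]
    USERS[name]["primaryGroupID"] = int(rid)


if __name__ == "__main__":
    print(audit())                       # tstusr2 fails on Domain Users, nouid on missing uidNumber
    set_primary_group("tstusr2", "tstgrp2")
    print(getpwnam("tstusr2"))           # tstusr2:*:50001:70005:tstusr2:/home/CORP/tstusr2:/bin/bash
```

On a real member server the same check is `net ads search` for users and their primary groups followed by `wbinfo -i`; as the report shows, run `net cache flush` (and restart winbind) after changing the primary group, or the cached -1 gid mapping keeps the lookup failing.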
*** This bug has been marked as a duplicate of bug 9880 ***
Hello all, if you get the following messages when running rfc2307 as a domain member:

WBC_ERR_DOMAIN_NOT_FOUND
Could not get unix ID for SID

then you must have the following things in place:

1. Make sure "Domain Users" has a GUID defined! I usually define this using the first available.
2. Make the group the default group in the user's NIS section.

I had lots of fun pulling my hair out (what's left of it) before I worked that out.

]-[