Problems with Winbind Idmap and Active Directory 2008 r2


Matthew Choppen
For our Linux Machines (SLES 10) we are using kerberos and LDAP to
authenticate against Active Directory (works perfectly)

Please note that the same configuration works with Windows 2003 Server; the
problem is with Windows 2008 Server.

However, we are experiencing problems with winbind for the file share; I see
in the "log.winbind-idmap" logfile the following errors:

[2011/03/03 15:09:08.643286,  1]
winbindd/idmap_ad.c:143(ad_idmap_cached_connection_internal)
  ad_idmap_init: failed to connect to AD
[2011/03/03 15:09:08.643323,  1]
winbindd/idmap_ad.c:326(idmap_ad_unixids_to_sids)
  ADS uninitialized: No logon servers
The user from windows clients experiences extremely poor performance (I
guess timeouts from winbind, and I would also guess that winbind then
assigns some kind of default ID and not the real uid/gid from AD)

The Unix Services for windows is applied and the users have the correct UNIX
settings (else LDAP / kerberos auth would not work)

I have also tried backend = ldap:ldap://OurADServer  which also does not
work!!!


Here is our current configuration:

samba3-3.5.2-43.suse101.x86_64.rpm
samba3-cifsmount-3.5.2-43.suse101.x86_64.rpm
samba3-client-3.5.2-43.suse101.x86_64.rpm
samba3-debuginfo-3.5.2-43.suse101.x86_64.rpm
samba3-doc-3.5.2-43.suse101.x86_64.rpm
samba3-utils-3.5.2-43.suse101.x86_64.rpm
samba3-winbind-32bit-3.5.2-43.suse101.i586.rpm
samba3-winbind-3.5.2-43.suse101.x86_64.rpm
Samba Config

[global]
    workgroup = MYDOMAIN
    password server = OurADServer
    domain master = no
    realm =  MYDOMAIN.COM
    server string = ClearCase Server
    netbios name = OURNAME
    security = ADS
    encrypt passwords = yes
    winbind use default domain = Yes
    winbind nested groups = Yes
    client use spnego = Yes
    winbind enum users = Yes
    winbind enum groups = Yes
    template shell = /bin/bash
    template homedir = /home/%u
    log level = 2
    log file = /var/log/samba/%m
    max log size = 50
    winbind separator = +
    #idmap uid = 40000-50000
    #idmap gid = 40000-50000
    winbind offline logon = true
    winbind cache time = 5
    winbind refresh tickets = true
    map to guest = Bad User
    username map = /etc/samba/users.map
    max open files = 11000
    add machine script = /usr/sbin/useradd -c Machine -d /var/lib/nobody -s /bin/false %m$
    ldap ssl = No
    socket options = TCP_NODELAY SO_RCVBUF=16384 SO_SNDBUF=16384
    idmap backend = ad
    ldap idmap suffix = dc=mydomain,dc=com
    ldap admin dn = CN=bindUserFromAD,OU=Siteroles,OU=HAM,DC=mydomain,dc=com
    ldap suffix = dc=mydomain,dc=com
    usershare allow guests = Yes
    directory security mask = 0775
    kernel oplocks = No
    create mask = 0775
    directory mask = 0775
    map archive = No
    oplocks = No
    level2 oplocks = No
[vobs]
        comment = Vob storage directory
        path = /vobs
        valid users = @"MYDOMAIN+ccusers"
        writeable = Yes
        create mask = 0775
        force directory mode = 0775
[vobstore]
        comment = Vob storage directory
        path = /vobstore
        valid users = @"MYDOMAIN+ccusers"
        writeable = Yes
        create mask = 0775
        force directory mode = 0775
[ccviews]
        comment = View storage directory
        path = /ccviews
        valid users = @"MYDOMAIN+ccusers"
        writeable = Yes
        create mask = 0775
        force directory mode = 0775
Thanks for any assistance :)

Matt
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Re: Problems with Winbind Idmap and Active Directory 2008 r2

Michael Adam-3
Hi Matthew,

Matthew Choppen wrote:

> For our Linux Machines (SLES 10) we are using kerberos and LDAP to
> authenticate against Active Directory (works perfectly)
>
> Please note that the same configuration works with Windows 2003 Server, the
> problem is with with Windows 2008 Server
>
> However we are experiencing problems with winbind for the file share, I see
> in the "log.winbind-idmap" logfile the following errors
>
> [2011/03/03 15:09:08.643286,  1]
> winbindd/idmap_ad.c:143(ad_idmap_cached_connection_internal)
>   ad_idmap_init: failed to connect to AD
> [2011/03/03 15:09:08.643323,  1]
> winbindd/idmap_ad.c:326(idmap_ad_unixids_to_sids)
>   ADS uninitialized: No logon servers
> The user from windows clients experiences extremely poor performance (I
> guess timeouts from winbind, and I would also guess that winbind then
> assigns some kind of default ID and not the real uid/gid from AD)
>
> The Unix Services for windows is applied and the users have the correct UNIX
> settings (else LDAP / kerberos auth would not work)
>
> I have also tried backend = ldap:ldap://OurADServer  which also does not
> work!!!
No, this won't work since the ldap idmap backend will search for
completely different attributes than the ad backend.

Before addressing the above connection error (which may even
be related), let's fix the configuration:

You should not configure "ad" as the default
idmap backend in smb.conf. This does not work since
a couple of releases actually.

Instead, you should configure something like this:

    idmap backend = tdb
    idmap uid = 1000000-1999999
    idmap gid = 1000000-1999999

    idmap config MYDOMAIN : backend  = ad
    idmap config MYDOMAIN : range = 1000-999999

Where you should make sure that the range of the MYDOMAIN
setting covers the complete range of your IDs in AD.
(See "man idmap_ad" for more info.)

Could you change your config in the sense above and re-check?
(After restarting winbindd)

If the problems persist, we can continue to analyze the situation.

Cheers - Michael
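The check below is an added example, not code from the thread or from Samba: it reads an smb.conf on stdin and reports whether it still has "ad" as the default idmap backend, whether a per-domain "idmap config DOMAIN : backend" block with its own range exists, and whether that range overlaps the default tdb range. The two sample configs are constructed from the layouts in this thread and contain only the relevant keys.

```shell
#!/bin/sh
# Added example (not from the thread): sanity-check the idmap layout of an
# smb.conf against the layout recommended above (tdb default + per-domain ad).

# Reads smb.conf on stdin; prints findings, returns 0 when the layout looks sane.
check_idmap_conf() {
    awk -F '=' '
    function trim(s) { sub(/^[ \t]+/, "", s); sub(/[ \t]+$/, "", s); return s }
    /^[ \t]*[#;]/ { next }                            # skip comments
    /^[ \t]*\[/   { sect = tolower(trim($0)); next }  # remember current section
    sect == "[global]" && NF >= 2 {
        key = tolower(trim($1)); val = trim(substr($0, index($0, "=") + 1))
        gsub(/[ \t]+/, " ", key); gsub(/ *: */, " : ", key)   # normalise spacing
        if (key == "idmap backend") def_backend = tolower(val)
        if (key == "idmap uid" || key == "idmap gid") { split(val, r, "-"); def_lo = r[1]; def_hi = r[2] }
        if (key ~ /^idmap config .* : backend$/) { split(key, k, " "); dom[k[3]] = tolower(val) }
        if (key ~ /^idmap config .* : range$/) { split(key, k, " "); split(val, r, "-"); lo[k[3]] = r[1]; hi[k[3]] = r[2] }
    }
    END {
        bad = 0; n = 0
        if (def_backend == "ad") { bad = 1; print "default idmap backend is ad: use tdb here and put ad in a per-domain block" }
        for (d in dom) {
            n++
            if (!(d in lo)) { bad = 1; print "domain " d ": backend " dom[d] " has no idmap range" }
            else if (def_lo != "" && !(hi[d] + 0 < def_lo + 0 || lo[d] + 0 > def_hi + 0)) { bad = 1; print "domain " d ": range " lo[d] "-" hi[d] " overlaps default range " def_lo "-" def_hi }
        }
        if (n == 0) { bad = 1; print "no per-domain idmap config block found" }
        if (!bad) print "ok"
        exit bad
    }'
}

# Constructed sample: the relevant keys from the original post (ad as default backend).
ORIGINAL_CONF='[global]
    idmap backend = ad
    ldap idmap suffix = dc=mydomain,dc=com'

# Constructed sample: the layout suggested in the reply above.
FIXED_CONF='[global]
    idmap backend = tdb
    idmap uid = 1000000-1999999
    idmap gid = 1000000-1999999
    idmap config MYDOMAIN : backend  = ad
    idmap config MYDOMAIN : range = 1000-999999'

# Stand-alone demo: the first config is flagged, the second passes.
for conf in "$ORIGINAL_CONF" "$FIXED_CONF"; do
    printf '%s\n' "$conf" | check_idmap_conf || echo "-> needs fixing"
done
```

Run it against the real file with `check_idmap_conf < /etc/samba/smb.conf`; it only looks at the [global] keys, so per-share settings are ignored.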
