[Samba] getent doesn't list my users when using idmap_adex

From: Nico De Ranter <nico_at_nospam>
Date: Wed Jul 28 2010 - 16:14:32 GMT
To: samba@lists.samba.org

Hi,

I'm trying to integrate an existing Linux environment with a Windows AD
environment. All my users are already in AD with valid rfc2307
attributes defined, so I need a way to authenticate my users using
username, uid, gid, shell and home directory from AD. I've been using
Kerberos+LDAPs before, but that requires a dummy AD user hardcoded with
username and password in /etc/ldap.conf, which is making me icky.

According to the man pages it looks like idmap_adex should do the trick
for me, however I can't get things to work. (see config files below)

Running 'wbinfo -u' does give me the list of valid users; however,
'getent passwd' waits a second after displaying the local users and then
just gives me back the command-line prompt.

In /var/log/samba/log.winbindd-idmap I see:

==================
...
[2010/07/28 18:10:01, 0] winbindd/idmap.c:201(smb_register_idmap_alloc)
  idmap_alloc module tdb already registered!
[2010/07/28 18:10:01, 0] winbindd/idmap.c:149(smb_register_idmap)
  Idmap module passdb already registered!
[2010/07/28 18:10:01, 0] winbindd/idmap.c:149(smb_register_idmap)
  Idmap module nss already registered!
[2010/07/28 18:10:01, 1] winbindd/idmap.c:580(idmap_alloc_init)
  could not find idmap alloc module adex
[2010/07/28 18:10:01, 1] winbindd/idmap_adex/likewise_cell.c:346(cell_connect_dn)
  LWI: Failled to connect to cell "dc=MY,dc=DOMAIN,dc=COM" (NT_STATUS_NO_LOGON_SERVERS)
==================

Note that the adex module is available on the filesystem:

==================
root@ubuntu:/var/log/samba# locate *adex*
/usr/lib/samba/idmap/adex.so
/usr/share/man/man8/idmap_adex.8.gz
==================

What am I doing wrong?

Thanks in advance,

Nico

==================

Environment:
server: Windows 2008R2
client: Ubuntu 10.04 64-bit running samba 3.4.7 (I can't find any 3.5
packages for Ubuntu unfortunately)

#### /etc/samba/smb.conf
[global]

        domain master = no
        local master = no
        prefered master = no
        server signing = mandatory
        wide links = yes
        unix extensions = no
        server string = Samba Server ubuntu
        realm = MY.DOMAIN.COM
        workgroup = MY
        security = ADS
        password server = my ad servers
        encrypt passwords = yes
        guest account = nobody
        log file = /var/log/samba/samba.log
        username map = /etc/samba/user.map
        socket options = TCP_noDELAY SO_RCVBUF=8192 SO_SNDBUF=8192
        wins support = yes
        disable netbios = Yes
        dns proxy = yes
        obey pam restrictions = yes
        pam password change = yes
        winbind separator = /
        winbind use default domain = yes
        winbind enum users = yes
        winbind enum groups = yes
        winbind nested groups = yes
        idmap backend = adex
        idmap uid = 1000-999999
        idmap gid = 999-999999
        winbind normalize names = yes
        winbind nss info = adex
        allow trusted domains = Yes
        default service = homes
        preload = global homes
        valid users = @"MY/Domain Users"
        admin users = "MY/administrator"

#### /etc/nsswitch.conf
passwd: compat winbind
group: compat winbind
shadow: compat winbind

#### /etc/pam.d/common-account
account [success=3 new_authtok_reqd=done default=ignore] pam_unix.so
account [success=2 new_authtok_reqd=done default=ignore] pam_winbind.so
account [success=1 default=ignore] pam_ldap.so
account requisite pam_deny.so
account required pam_permit.so
account required pam_krb5.so minimum_uid=1000

#### /etc/pam.d/common-auth

auth [success=4 default=ignore] pam_krb5.so minimum_uid=1000
auth [success=3 default=ignore] pam_unix.so nullok_secure try_first_pass
auth [success=2 default=ignore] pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login try_first_pass
auth [success=1 default=ignore] pam_ldap.so use_first_pass
auth requisite pam_deny.so
auth required pam_permit.so
auth optional pam_cap.so

-- 
With kind regards,
Nico De Ranter
Senior System Administrator
Techsoft Centre, Technology and Software Centre Europe
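A small cross-check of the three pieces of evidence in the post (the [global] section of smb.conf, the winbindd-idmap log format, and the idmap module files on disk) can be scripted. The following is an added example, not code from the poster or from Samba; the log and config samples are constructed from the excerpts above, and `available_modules` is assumed to be the set of `<name>.so` basenames found under the idmap directory (passed in so the script runs offline).

```python
import re

# Constructed samples, copied from the post's log excerpt and smb.conf (not live data).
SAMPLE_LOG = """\
[2010/07/28 18:10:01, 0] winbindd/idmap.c:201(smb_register_idmap_alloc)
  idmap_alloc module tdb already registered!
[2010/07/28 18:10:01, 1] winbindd/idmap.c:580(idmap_alloc_init)
  could not find idmap alloc module adex
[2010/07/28 18:10:01, 1] winbindd/idmap_adex/likewise_cell.c:346(cell_connect_dn)
  LWI: Failled to connect to cell "dc=MY,dc=DOMAIN,dc=COM" (NT_STATUS_NO_LOGON_SERVERS)
"""
SAMPLE_CONF = """\
[global]
        idmap backend = adex
        winbind nss info = adex
        winbind enum users = yes
"""

# winbindd log records are two lines: "[timestamp, level] file:line(function)" then an indented message.
HEADER = re.compile(r"^\[(?P<ts>[^,\]]+), (?P<lvl>\d+)\] (?P<loc>\S+)$")

def parse_winbind_log(text):
    """Group the two-line winbindd records into dicts with level, location and message."""
    records, current = [], None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            current = {"level": int(m["lvl"]), "loc": m["loc"], "msg": ""}
            records.append(current)
        elif current is not None and line.startswith("  "):
            current["msg"] = (current["msg"] + " " + line.strip()).strip()
    return records

def parse_global_section(text):
    """Return the [global] parameters as a dict keyed by lowercase parameter name."""
    params, in_global = {}, False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_global = line.lower() == "[global]"
        elif in_global and "=" in line:
            key, value = line.split("=", 1)
            params[key.strip().lower()] = value.strip()
    return params

def diagnose(conf_text, log_text, available_modules):
    """List mismatches between the configured idmap backend, the module files and the log."""
    backend = parse_global_section(conf_text).get("idmap backend", "tdb")
    findings = []
    if backend not in available_modules:
        findings.append(f"module file for idmap backend '{backend}' not found on disk")
    for rec in parse_winbind_log(log_text):
        if f"could not find idmap alloc module {backend}" in rec["msg"]:
            findings.append(f"{rec['loc']}: alloc module '{backend}' is not registered")
        if "NT_STATUS_NO_LOGON_SERVERS" in rec["msg"]:
            findings.append(f"{rec['loc']}: no domain controller reachable for the cell")
    return findings
```

Run with `diagnose(open('/etc/samba/smb.conf').read(), open('/var/log/samba/log.winbindd-idmap').read(), {f[:-3] for f in os.listdir('/usr/lib/samba/idmap') if f.endswith('.so')})` to apply it to a real host.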