Bug 609222

Summary: Cannot use idmap_adex to obtain uid and gid from AD, but idmap_ad works
Product: Red Hat Enterprise Linux 5
Reporter: Kirby Zhou <kirbyzhou>
Component: samba3x
Assignee: Andreas Schneider <asn>
Status: CLOSED WONTFIX
QA Contact: qe-baseos-daemons
Severity: medium
Priority: low
Version: 5.5
CC: asn, azelinka, dpal, ssorce
Target Milestone: rc
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2012-05-11 19:26:02 UTC

Description Kirby Zhou 2010-06-29 17:18:20 UTC
Description of problem:

There is a newly installed Windows 2008 R2 AD with just 1 DC, and I had a newly installed RHEL-5.5 samba3x join it.

The AD itself is configured with Unix extensions (rfc2307), so I want to get uid and gid from AD on the Linux box.


Version-Release number of selected component (if applicable):

samba3x-3.3.8-0.52.el5_5

How reproducible:

100%

Steps to Reproduce:

1. join the dc
]# authconfig --enableshadow --enablemd5 --enablekrb5 --krb5kdc=SOHU-TEST.COM --krb5adminserver=SOHU-TEST.COM --krb5realm=SOHU-TEST.COM --enablekrb5kdcdns --enablekrb5realmdns --enablesmbauth --smbworkgroup=SOHU-TEST --enablewinbind --enablewinbindauth --smbsecurity=ads --smbrealm=SOHU-TEST.COM --winbindtemplateshell=/bin/bash --enablewinbindusedefaultdomain --enablewinbindoffline --winbindjoin=administrator --enablecache --enablelocauthorize --enablepamaccess --disablesysnetauth --kickstart

2. modify smb.conf and /etc/sysconfig/samba

]# cat /etc/samba/smb.conf
[global]
   log level = idmap:100 winbind:100
   workgroup = SOHU-TEST
   realm = SOHU-TEST.COM
   security = ads
   idmap backend = adex
   idmap uid = 10000-50000
   idmap gid = 10000-50000
   idmap config SOHU-TEST : backend = adex
   idmap config SOHU-TEST : range = 10000-50000
   idmap config SOHU-TEST.COM : backend = adex
   idmap config SOHU-TEST.COM : range = 10000-50000
   winbind separator = +
   template shell = /bin/bash
   winbind use default domain = true
   winbind offline logon = false
        server string = Samba Server Version %v
        # logs split per machine
        log file = /var/log/samba/log.%m
        # max 50KB per log file, then rotate
        max log size = 50
        passdb backend = tdbsam
        # the login script name depends on the machine name
        # the login script name depends on the unix user used
        # disables profiles support by specifing an empty path
        load printers = yes
        cups options = raw
        #obtain list of printers automatically on SystemV
[homes]
        comment = Home Directories
        browseable = no
        writable = yes
[printers]
        comment = All Printers
        path = /var/spool/samba
        browseable = no
        guest ok = no
        writable = no
        printable = yes
[public]
        comment = Public Stuff
        path = /srv/samba
        public = no
        writable = yes
        printable = no
        write list = +domain_users

]# cat /etc/sysconfig/samba 
SMBDOPTIONS="-D"
NMBDOPTIONS="-D"
WINBINDOPTIONS="-n"

3. set user yyy's uid=20002 and its gid=10000 on the Windows DC.

4. restart winbind and smb

5. check idmap
]# id yyy
  
Actual results:

id: yyy: No such user

Expected results:

]# id yyy
uid=20002(yyy) gid=10000(domain users) groups=10000(domain users)

Additional info:


]# tail -f -n0 /var/log/samba/*
==> /var/log/samba/log.wb-SOHU-TEST <==
[2010/06/30 01:16:52,  4] winbindd/winbindd_dual.c:fork_domain_child(1439)
  child daemon request 21
[2010/06/30 01:16:52, 10] winbindd/winbindd_dual.c:child_process_request(452)
  child_process_request: request fn LOOKUPNAME
[2010/06/30 01:16:52,  3] winbindd/winbindd_async.c:winbindd_dual_lookupname(442)
  [26857]: lookupname SOHU-TEST+yyy
[2010/06/30 01:16:52, 10] winbindd/winbindd_cache.c:name_to_sid(1652)
  name_to_sid: [Cached] - doing backend query for name for domain SOHU-TEST
[2010/06/30 01:16:52,  3] winbindd/winbindd_rpc.c:msrpc_name_to_sid(295)
  rpc: name_to_sid name=SOHU-TEST\yyy
[2010/06/30 01:16:52,  3] winbindd/winbindd_rpc.c:msrpc_name_to_sid(309)
  name_to_sid [rpc] SOHU-TEST\yyy for domain SOHU-TEST
[2010/06/30 01:16:52, 10] winbindd/winbindd_cm.c:cm_connect_lsa_tcp(2185)
  cm_connect_lsa_tcp
[2010/06/30 01:16:52, 10] winbindd/winbindd_cache.c:fetch_cache_seqnum(404)
  fetch_cache_seqnum: invalid data size key [SEQNUM/SOHU-TEST]
[2010/06/30 01:16:52,  3] winbindd/winbindd_ads.c:sequence_number(1203)
  ads: fetch sequence_number for SOHU-TEST
[2010/06/30 01:16:52, 10] winbindd/winbindd_ads.c:ads_cached_connection(45)
  ads_cached_connection
[2010/06/30 01:16:52, 10] winbindd/winbindd_cache.c:store_cache_seqnum(455)
  store_cache_seqnum: success [SOHU-TEST][29908 @ 1277831812]
[2010/06/30 01:16:52, 10] winbindd/winbindd_cache.c:refresh_sequence_number(536)
  refresh_sequence_number: SOHU-TEST seq number is now 29908
[2010/06/30 01:16:52, 10] winbindd/winbindd_cache.c:wcache_save_name_to_sid(868)
  wcache_save_name_to_sid: SOHU-TEST\YYY -> S-1-5-21-1234771684-1225759174-2677489939-1131 (NT_STATUS_OK)
[2010/06/30 01:16:52, 10] winbindd/winbindd_cache.c:wcache_save_sid_to_name(890)
  wcache_save_sid_to_name: S-1-5-21-1234771684-1225759174-2677489939-1131 -> yyy (NT_STATUS_OK)
[2010/06/30 01:16:52, 10] winbindd/winbindd_cache.c:cache_store_response(2626)
  Storing response for pid 26860, len 3496
[2010/06/30 01:16:52, 11] winbindd/winbindd_dual.c:fork_domain_child(1400)
  select will use timeout of 487686.609393 seconds
[2010/06/30 01:16:52,  4] winbindd/winbindd_dual.c:fork_domain_child(1439)
  child daemon request 57
[2010/06/30 01:16:52, 10] winbindd/winbindd_dual.c:child_process_request(452)
  child_process_request: request fn DUAL_USERINFO
[2010/06/30 01:16:52,  3] winbindd/winbindd_user.c:winbindd_dual_userinfo(166)
  [26857]: lookupsid S-1-5-21-1234771684-1225759174-2677489939-1131
[2010/06/30 01:16:52, 10] winbindd/winbindd_cache.c:query_user(1955)
  query_user: [Cached] - doing backend query for info for domain SOHU-TEST
[2010/06/30 01:16:52,  3] winbindd/winbindd_ads.c:query_user(467)
  ads: query_user
[2010/06/30 01:16:52,  5] winbindd/winbindd_ads.c:query_user(479)
  query_user: Cache lookup succeeded for S-1-5-21-1234771684-1225759174-2677489939-1131
[2010/06/30 01:16:52, 10] winbindd/winbindd_cache.c:nss_get_info_cached(4232)
  nss_get_info returned NT_STATUS_OK
[2010/06/30 01:16:52, 10] winbindd/winbindd_cache.c:nss_get_info_cached(4235)
  result:
        homedir = '/home/%D/%U'
        shell = '/bin/bash'
        gecos = '(null)'
        gid = '4294967295'
[2010/06/30 01:16:52, 10] winbindd/winbindd_cache.c:wcache_save_user_pwinfo(4189)
  wcache_save_user_pwinfo: S-1-5-21-1234771684-1225759174-2677489939-1131
[2010/06/30 01:16:52, 10] winbindd/winbindd_cache.c:refresh_sequence_number(491)
  refresh_sequence_number: SOHU-TEST time ok
[2010/06/30 01:16:52, 10] winbindd/winbindd_cache.c:refresh_sequence_number(536)
  refresh_sequence_number: SOHU-TEST seq number is now 29908
[2010/06/30 01:16:52, 10] winbindd/winbindd_cache.c:wcache_save_user(916)
  wcache_save_user: S-1-5-21-1234771684-1225759174-2677489939-1131 (acct_name YYY)
[2010/06/30 01:16:52, 10] winbindd/winbindd_cache.c:cache_store_response(2626)
  Storing response for pid 26860, len 3496
[2010/06/30 01:16:52, 11] winbindd/winbindd_dual.c:fork_domain_child(1400)
  select will use timeout of 487686.608689 seconds

==> /var/log/samba/log.winbindd <==
[2010/06/30 01:16:52,  6] winbindd/winbindd.c:new_connection(700)
  accepted socket 19
[2010/06/30 01:16:52, 10] winbindd/winbindd.c:process_request(403)
  process_request: request fn INTERFACE_VERSION
[2010/06/30 01:16:52,  3] winbindd/winbindd_misc.c:winbindd_interface_version(754)
  [26891]: request interface version
[2010/06/30 01:16:52, 10] winbindd/winbindd.c:process_request(403)
  process_request: request fn WINBINDD_PRIV_PIPE_DIR
[2010/06/30 01:16:52,  3] winbindd/winbindd_misc.c:winbindd_priv_pipe_dir(787)
  [26891]: request location of privileged pipe
[2010/06/30 01:16:52,  2] winbindd/winbindd.c:remove_client(744)
  final write to client failed: Broken pipe
[2010/06/30 01:16:52,  6] winbindd/winbindd.c:new_connection(700)
  accepted socket 19
[2010/06/30 01:16:52, 10] winbindd/winbindd.c:process_request(403)
  process_request: request fn GETPWNAM
[2010/06/30 01:16:52,  3] winbindd/winbindd_user.c:winbindd_getpwnam(438)
  [26891]: getpwnam yyy
[2010/06/30 01:16:52, 10] winbindd/winbindd_dual.c:async_request(125)
  Sending request to child pid 26860 (domain=SOHU-TEST)
[2010/06/30 01:16:52, 10] winbindd/winbindd_cache.c:cache_retrieve_response(2666)
  Retrieving response for pid 26860
[2010/06/30 01:16:52, 10] winbindd/winbindd_dual.c:async_request(125)
  Sending request to child pid 26860 (domain=SOHU-TEST)
[2010/06/30 01:16:52, 10] winbindd/winbindd_cache.c:cache_retrieve_response(2666)
  Retrieving response for pid 26860
[2010/06/30 01:16:52, 10] winbindd/winbindd_idmap.c:winbindd_sid2uid_async(269)
  winbindd_sid2uid_async found domain SOHU-TEST, have_idmap_config = 1
[2010/06/30 01:16:52, 10] winbindd/winbindd_dual.c:async_request(125)
  Sending request to child pid 0 (domain='')
[2010/06/30 01:16:52, 10] winbindd/winbindd_dual.c:fork_domain_child(1244)
  fork_domain_child called without domain.
[2010/06/30 01:16:52, 10] winbindd/winbindd_dual.c:fork_domain_child(1276)
  Child process 26892
[2010/06/30 01:16:52, 10] winbindd/winbindd_cache.c:cache_retrieve_response(2666)
  Retrieving response for pid 26892
[2010/06/30 01:16:52,  5] winbindd/winbindd_idmap.c:winbindd_sid2uid_recv(246)
  sid2uid returned an error
[2010/06/30 01:16:52,  5] winbindd/winbindd_user.c:getpwsid_sid2uid_recv(339)
  Could not query uid for user SOHU-TEST\yyy
[2010/06/30 01:16:52,  2] winbindd/winbindd.c:remove_client(744)
  final write to client failed: Broken pipe

==> /var/log/samba/log.winbindd-idmap <==
[2010/06/30 01:16:52, 10] winbindd/winbindd_cm.c:set_domain_online_request(479)
  set_domain_online_request: called for domain SOHU-TEST
[2010/06/30 01:16:52, 10] winbindd/winbindd_cm.c:set_domain_online_request(508)
  set_domain_online_request: domain SOHU-TEST was globally offline.
[2010/06/30 01:16:52, 11] winbindd/winbindd_dual.c:fork_domain_child(1400)
  select will use timeout of 4.999946 seconds
[2010/06/30 01:16:52,  4] winbindd/winbindd_dual.c:fork_domain_child(1439)
  child daemon request 49
[2010/06/30 01:16:52, 10] winbindd/winbindd_dual.c:child_process_request(452)
  child_process_request: request fn DUAL_SID2UID
[2010/06/30 01:16:52,  3] winbindd/winbindd_idmap.c:winbindd_dual_sid2uid(293)
  [26857]: sid to uid S-1-5-21-1234771684-1225759174-2677489939-1131
[2010/06/30 01:16:52, 10] winbindd/idmap_util.c:idmap_sid_to_uid(155)
  idmap_sid_to_uid: sid = [S-1-5-21-1234771684-1225759174-2677489939-1131], domain = 'SOHU-TEST'
[2010/06/30 01:16:52, 10] winbindd/idmap.c:idmap_backends_sid_to_unixid(765)
  idmap_backend_sid_to_unixid: domain = 'SOHU-TEST', sid = [S-1-5-21-1234771684-1225759174-2677489939-1131]
[2010/06/30 01:16:52, 10] winbindd/idmap.c:idmap_find_domain(465)
  idmap_find_domain called for domain 'SOHU-TEST'
[2010/06/30 01:16:52, 10] winbindd/idmap.c:idmap_init_default_domain(349)
  idmap_init_default_domain: calling static_init_idmap
[2010/06/30 01:16:52,  5] winbindd/idmap.c:smb_register_idmap_alloc(218)
  Successfully added idmap alloc backend 'ldap'
[2010/06/30 01:16:52,  5] winbindd/idmap.c:smb_register_idmap(169)
  Successfully added idmap backend 'ldap'
[2010/06/30 01:16:52, 10] winbindd/idmap_tdb.c:idmap_tdb_init(1243)
  calling idmap_tdb_init
[2010/06/30 01:16:52,  5] winbindd/idmap.c:smb_register_idmap_alloc(218)
  Successfully added idmap alloc backend 'tdb'
[2010/06/30 01:16:52,  5] winbindd/idmap.c:smb_register_idmap(169)
  Successfully added idmap backend 'tdb'
[2010/06/30 01:16:52,  5] winbindd/idmap.c:smb_register_idmap(169)
  Successfully added idmap backend 'passdb'
[2010/06/30 01:16:52,  5] winbindd/idmap.c:smb_register_idmap(169)
  Successfully added idmap backend 'nss'
[2010/06/30 01:16:52,  3] winbindd/idmap.c:idmap_init_default_domain(359)
  idmap_init: using 'adex' as remote backend
[2010/06/30 01:16:52,  3] winbindd/idmap.c:idmap_init_domain(302)
  idmap backend adex not found
[2010/06/30 01:16:52,  5] winbindd/idmap.c:smb_register_idmap(169)
  Successfully added idmap backend 'adex'
[2010/06/30 01:16:52,  2] winbindd/idmap_adex/cell_util.c:cell_locate_membership(149)
  locate_cell_membership: Located membership in cell "dc=SOHU-TEST,dc=COM"
[2010/06/30 01:16:52, 11] winbindd/winbindd_cache.c:unpack_tdc_domains(3973)
  unpack_tdc_domains: Unpacking domain BUILTIN () SID S-1-5-32, flags = 0x0, attribs = 0x0, type = 0x0
[2010/06/30 01:16:52, 11] winbindd/winbindd_cache.c:unpack_tdc_domains(3973)
  unpack_tdc_domains: Unpacking domain ZW_97_205 () SID S-1-5-21-1853034284-792215205-1820511568, flags = 0x0, attribs = 0x0, type = 0x0
[2010/06/30 01:16:52, 11] winbindd/winbindd_cache.c:unpack_tdc_domains(3973)
  unpack_tdc_domains: Unpacking domain SOHU-TEST (SOHU-TEST.COM) SID S-1-5-21-1234771684-1225759174-2677489939, flags = 0x1d, attribs = 0x0, type = 0x2
[2010/06/30 01:16:52, 10] winbindd/idmap_adex/gc_util.c:gc_add_forest(262)
  gc_add_forest: Added SOHU-TEST.COM to Global Catalog list of servers
[2010/06/30 01:16:52, 10] winbindd/idmap_adex/gc_util.c:gc_add_forest(176)
  gc_add_forest: SOHU-TEST.COM already in list
[2010/06/30 01:16:52, 10] winbindd/idmap_adex/domain_util.c:dc_add_domain(56)
  dc_add_domain: Attempting to add domain SOHU-TEST.COM
[2010/06/30 01:16:52,  5] winbindd/idmap_adex/domain_util.c:dc_add_domain(82)
  dc_add_domain: Successfully added SOHU-TEST.COM
[2010/06/30 01:16:52, 11] winbindd/winbindd_cache.c:unpack_tdc_domains(3973)
  unpack_tdc_domains: Unpacking domain BUILTIN () SID S-1-5-32, flags = 0x0, attribs = 0x0, type = 0x0
[2010/06/30 01:16:52, 11] winbindd/winbindd_cache.c:unpack_tdc_domains(3973)
  unpack_tdc_domains: Unpacking domain ZW_97_205 () SID S-1-5-21-1853034284-792215205-1820511568, flags = 0x0, attribs = 0x0, type = 0x0
[2010/06/30 01:16:52, 11] winbindd/winbindd_cache.c:unpack_tdc_domains(3973)
  unpack_tdc_domains: Unpacking domain SOHU-TEST (SOHU-TEST.COM) SID S-1-5-21-1234771684-1225759174-2677489939, flags = 0x1d, attribs = 0x0, type = 0x2
[2010/06/30 01:16:52, 10] winbindd/idmap_adex/domain_util.c:dc_add_domain(56)
  dc_add_domain: Attempting to add domain SOHU-TEST.COM
[2010/06/30 01:16:52, 10] winbindd/idmap_adex/domain_util.c:dc_add_domain(68)
  dc_add_domain: SOHU-TEST.COM already in list
[2010/06/30 01:16:52, 10] winbindd/idmap_adex/likewise_cell.c:cell_do_search(382)
  cell_do_search: Base = ,  Filter = (objectSid=\01\05\00\00\00\00\00\05\15\00\00\00\E4\1E\99\49\C6\99\0F\49\13\41\97\9F\6B\04\00\00), Scope = 2, GC = yes
[2010/06/30 01:16:52, 10] winbindd/idmap_adex/likewise_cell.c:cell_connect_dn(339)
  Failed! (NT_STATUS_NO_LOGON_SERVERS)
[2010/06/30 01:16:52,  1] winbindd/idmap_adex/likewise_cell.c:cell_connect_dn(346)
  LWI: Failled to connect to cell "dc=SOHU-TEST,dc=COM" (NT_STATUS_NO_LOGON_SERVERS)
[2010/06/30 01:16:52, 10] winbindd/idmap_adex/domain_util.c:dc_search_domains(243)
  Failed! (NT_STATUS_NO_LOGON_SERVERS)
[2010/06/30 01:16:52, 10] winbindd/idmap_adex/provider_unified.c:search_domain(254)
  Failed! (NT_STATUS_NO_LOGON_SERVERS)
[2010/06/30 01:16:52,  4] winbindd/idmap_adex/provider_unified.c:search_domain(270)
  LWI (search_domain): NT_STATUS_NO_LOGON_SERVERS
[2010/06/30 01:16:52, 10] winbindd/idmap_adex/provider_unified.c:search_forest(523)
  Failed! (NT_STATUS_NO_LOGON_SERVERS)
[2010/06/30 01:16:52,  4] winbindd/idmap_adex/provider_unified.c:search_forest(531)
  LWI (search_forest): NT_STATUS_NO_LOGON_SERVERS
[2010/06/30 01:16:52,  3] winbindd/idmap_adex/provider_unified.c:search_cell_list(599)
  LWI (search_cell_list): NT_STATUS_NO_LOGON_SERVERS
[2010/06/30 01:16:52, 10] winbindd/idmap_adex/provider_unified.c:_ccp_get_id_from_sid(1003)
  Failed! (NT_STATUS_NO_LOGON_SERVERS)
[2010/06/30 01:16:52, 10] winbindd/winbindd_idmap.c:winbindd_dual_sid2uid(306)
  winbindd_dual_sid2uid: 0xc0000073 - S-1-5-21-1234771684-1225759174-2677489939-1131 - 0
[2010/06/30 01:16:52, 10] winbindd/winbindd_cache.c:cache_store_response(2626)
  Storing response for pid 26892, len 3496
[2010/06/30 01:16:52, 11] winbindd/winbindd_dual.c:fork_domain_child(1400)
  select will use timeout of 4.969277 seconds
[2010/06/30 01:16:57, 11] winbindd/winbindd_dual.c:fork_domain_child(1413)
  nothing is ready yet, continue
[2010/06/30 01:16:57, 10] winbindd/winbindd_cm.c:check_domain_online_handler(279)
  check_domain_online_handler: called for domain SOHU-TEST (online = True)
[2010/06/30 01:16:57,  5] winbindd/winbindd_cm.c:msg_try_to_go_online(136)
  msg_try_to_go_online: received for domain SOHU-TEST.
[2010/06/30 01:16:57,  5] winbindd/winbindd_cm.c:msg_try_to_go_online(148)
  msg_try_to_go_online: domain SOHU-TEST already online.




If I replace 'adex' with 'ad' in idmap options of smb.conf, it works:

]# id yyy
uid=20002(yyy) gid=10000(domain users) groups=10000(domain users)

Comment 1 Simo Sorce 2010-07-02 17:22:09 UTC
Is there a feature of idmap_adex you depend on that is not provided by idmap_ad?

Comment 2 Kirby Zhou 2010-07-06 08:24:18 UTC
For domain trusts / two-way cross-forest trusts.

Comment 3 Kirby Zhou 2010-07-06 08:26:26 UTC
Additionally, by ad and adex's example, it seems that:

If I create a domain within a forest, I must modify the smb.conf on each of my samba hosts to reflect the change with idmap_ad, but idmap_adex does not need it.

Comment 4 Guenther Deschner 2010-07-06 15:39:41 UTC
Do you have DNS properly configured, so that samba can identify the global catalog via DNS SRV lookups?

Comment 5 Kirby Zhou 2010-07-07 02:37:46 UTC
I set my DNS to the PDC of my domain.

Comment 6 Kirby Zhou 2010-07-07 16:28:15 UTC
Additionally, an idmap_ad backend system sometimes allocates uid/gid by itself, for example:

I have assigned gid 10001 to 'BUILTIN\Administrator', gid 10000 to 'Domain Users' and assigned no gid to 'BUILTIN\Guests'. But:

~]# wbinfo --group-info 'Domain Users'  
domain_users:*:10000

~]# wbinfo --group-info 'BUILTIN\Administrators'
BUILTIN\administrators:*:10000

~]# wbinfo --group-info 'BUILTIN\Guests'
BUILTIN\guests:*:10006

You can see that domain_users conflicts with BUILTIN\administrators, and BUILTIN\Guests got an invalid gid.


My conf:
=====
[global]
   workgroup = SOHU-RD
   template shell = /bin/bash
   security = ads
   realm = SOHU-RD.COM
   password server = RD-DC10.SOHU-RD.COM RD-DC01.SOHU-RD.COM RD-DC02.SOHU-RD.COM
   winbind offline logon = true

   netbios name = RD-HOME
   log file = /var/log/samba/log.%m
   max log size = 50
   idmap uid = 10000 - 40000
   idmap gid = 10000 - 40000
   idmap backend = ad
   idmap config BUILTIN: backend      = ad
   idmap config BUILTIN: range        = 10000 - 40000
   idmap config BUILTIN: schema_mode  = rfc2307
   idmap config SOHU-RD: backend      = ad
   idmap config SOHU-RD: range        = 10000 - 40000
   idmap config SOHU-RD: schema_mode  = rfc2307
   winbind normalize names = yes
   winbind nss info = template
   winbind use default domain = yes
   wins server = 10.1.160.225
   cups options = raw
====

Comment 11 Andreas Schneider 2012-03-22 15:42:25 UTC
idmap_adex shouldn't be used anymore. You should use the idmap_ad module, define the right 'schema_mode' and set 'winbind nss info'.

You shouldn't use ad for BUILTIN; these are local accounts and can't be in AD. The next thing is that id ranges for the backends shouldn't overlap. idmap_ad isn't able to allocate a uid or gid. There is no allocator code in the module.

The config for AD with Unix Extensions should look like this:

idmap backend = tdb
idmap uid = 1000000-1999999
idmap gid = 1000000-1999999

idmap config SOHU-RD: backend  = ad
idmap config SOHU-RD: range = 10000-999999
idmap config SOHU-RD: schema_mode  = rfc2307

winbind nss info = rfc2307


Ranges should never overlap, especially if you use idmap_ad.
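
Added example, not part of the bug thread and not Samba code: a small Python check that applies the rules from comment 11 (idmap ranges must not overlap; idmap_ad must not serve BUILTIN or act as the default backend, because it cannot allocate IDs) to the idmap lines of an smb.conf. The function names are hypothetical, and the two sample strings are constructed by reducing the configurations in comments 6 and 11 to their idmap lines.

```python
import re
from itertools import combinations

# Constructed sample: the idmap lines from the smb.conf posted in comment 6.
COMMENT6_CONF = """\
   idmap uid = 10000 - 40000
   idmap gid = 10000 - 40000
   idmap backend = ad
   idmap config BUILTIN: backend      = ad
   idmap config BUILTIN: range        = 10000 - 40000
   idmap config SOHU-RD: backend      = ad
   idmap config SOHU-RD: range        = 10000 - 40000
"""

# Constructed sample: the layout from comment 11, gid line spelled "idmap gid".
COMMENT11_CONF = """\
   idmap backend = tdb
   idmap uid = 1000000-1999999
   idmap gid = 1000000-1999999
   idmap config SOHU-RD: backend  = ad
   idmap config SOHU-RD: range = 10000-999999
"""

RANGE_RE = re.compile(r"^(\d+)\s*-\s*(\d+)$")
DOMAIN_RE = re.compile(r"^idmap config (.+?)\s*:\s*(\w+)$")

def parse_idmap(conf_text):
    """Return ({name: (low, high)}, {name: backend}) from smb.conf text."""
    ranges, backends = {}, {}
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;[" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        key = " ".join(key.lower().split())  # normalise case and spacing
        dom = DOMAIN_RE.match(key)
        if dom:
            name, option = dom.group(1).upper(), dom.group(2)
        elif key in ("idmap uid", "idmap gid"):
            name, option = "default " + key[-3:], "range"
        elif key == "idmap backend":
            name, option = "default", "backend"
        else:
            continue
        if option == "backend":
            backends[name] = value.lower()
        elif option == "range" and RANGE_RE.match(value):
            ranges[name] = tuple(int(n) for n in RANGE_RE.match(value).groups())
    return ranges, backends

def audit(conf_text):
    """Return a list of findings for the rules stated in comment 11."""
    ranges, backends = parse_idmap(conf_text)
    findings = []
    for a, b in combinations(sorted(ranges), 2):
        if a.startswith("default") and b.startswith("default"):
            continue  # default uid and gid are separate ID spaces
        (alo, ahi), (blo, bhi) = ranges[a], ranges[b]
        if alo <= bhi and blo <= ahi:
            findings.append(f"overlap: {a} {alo}-{ahi} / {b} {blo}-{bhi}")
    for name, backend in sorted(backends.items()):
        if backend == "ad" and name in ("BUILTIN", "default"):
            findings.append(f"{name}: backend 'ad' cannot allocate IDs")
    return findings
```

Calling `audit(COMMENT6_CONF)` reports every pair of overlapping ranges plus the two misplaced `ad` backends, while `audit(COMMENT11_CONF)` returns an empty list.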

Comment 12 RHEL Program Management 2012-05-02 11:07:36 UTC
This request was evaluated by Red Hat Product Management for inclusion
in a Red Hat Enterprise Linux release.  Product Management has
requested further review of this request by Red Hat Engineering, for
potential inclusion in a Red Hat Enterprise Linux release for currently
deployed products.  This request is not yet committed for inclusion in
a release.

Comment 14 Dmitri Pal 2012-05-11 19:26:02 UTC
Closing wontfix based on the comment 11.