Winbind in combination with the idmap_ad backend of Samba does not resolve the Active Directory users and groups on a Solaris system.

(Doc ID 1524581.1)

Last updated on OCTOBER 12, 2016

Applies to:

Solaris Operating System - Version 10 3/05 and later
Information in this document applies to any platform.

Symptoms

Using winbind in combination with the idmap_ad backend of Samba, it is not possible to resolve the Active Directory users on a Solaris system using the getent(1M) or id(1M) commands.

Example:

On a Samba server configured as a member server in an Active Directory domain named 'CORP':

bash-3.2# getent passwd CORP+bob
bash-3.2#
bash-3.2# id -a CORP+bob
id: invalid user name: "CORP+bob"
bash-3.2#

Changes

The following configuration steps have been taken:

...
passwd:     files winbind
group:      files winbind
...

...

winbind separator = +
winbind enum users = no
winbind enum groups = no
# mapping outside the CORP domain (normally unused)
idmap config *: backend = tdb
idmap config *: range = 100000-1999999
# for mapping of AD rfc2307 schema posix values inside the CORP domain
idmap config CORP: backend = ad
idmap config CORP: range = 1000-99999
idmap config CORP: schema_mode = rfc2307

...

The actual UID and GID ranges may be different for you. Please correct them if necessary.

The entry for schema_mode should be "rfc2307" if you are using the RFC2307 schema support included in Windows 2003R2 or higher, or "sfu" if you installed Services For Unix (SFU) on Windows.
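
An added example, not part of the Oracle document: a small consistency check for the idmap settings shown above. It confirms that every domain has a range, that ranges do not overlap, that schema_mode is a recognised value for the ad backend, and reports which domain's range covers a given Unix ID. The function names and the sample IDs used with them are assumptions.

```python
import re
# Constructed sample: the idmap lines from the smb.conf fragment above.
SMB_CONF = """\
idmap config *: backend = tdb
idmap config *: range = 100000-1999999
idmap config CORP: backend = ad
idmap config CORP: range = 1000-99999
idmap config CORP: schema_mode = rfc2307
"""
LINE = re.compile(r"^\s*idmap\s+config\s+(\S+?)\s*:\s*([\w ]+?)\s*=\s*(.+?)\s*$", re.I)
SCHEMA_MODES = {"rfc2307", "sfu", "sfu20"}  # the text names the first two; idmap_ad also accepts sfu20

def parse_idmap(text):
    """Return {domain: {option: value}} for each 'idmap config' line."""
    domains = {}
    for line in text.splitlines():
        m = LINE.match(line)  # comment lines (# or ;) never match
        if m:
            domains.setdefault(m[1], {})[m[2].lower()] = m[3].lower()
    return domains

def id_range(opts):
    """Parse 'low-high' into two ints (spaces around the dash are fine)."""
    low, high = opts["range"].split("-")
    return int(low), int(high)

def check(domains):
    """Return a list of problems; an empty list means the settings are consistent."""
    problems, seen = [], []
    for dom, opts in domains.items():
        if "range" not in opts:
            problems.append(f"{dom}: no range configured")
            continue
        low, high = id_range(opts)
        if opts.get("backend") == "ad" and opts.get("schema_mode") not in SCHEMA_MODES:
            problems.append(f"{dom}: schema_mode {opts.get('schema_mode')!r} is not a known value")
        for other, olow, ohigh in seen:
            if low <= ohigh and olow <= high:
                problems.append(f"{dom}: range overlaps {other}")
        seen.append((dom, low, high))
    return problems

def owning_domain(domains, unix_id):
    """Return the domain whose range contains unix_id, or None."""
    for dom, opts in domains.items():
        low, high = id_range(opts) if "range" in opts else (1, 0)
        if low <= unix_id <= high:
            return dom
    return None
```

Samba's idmap_ad documentation describes the range as a filter: a UID or GID stored in AD that falls outside it is ignored, so a None result from owning_domain for a user's uidNumber means no configured range covers that ID.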

bash-3.2# wbinfo -u | grep bob
CORP+bob
bash-3.2#

Cause
