# Samba and Active Directory -- getent passwd not working

## jhboricua

I've followed the gentoo-wiki article on adding a SAMBA server to ADS to the letter.  I was able to add the server to the domain just fine.  The commands wbinfo -u and wbinfo -g DO output the ADS users and groups.  However, whenever I try to do 'getent passwd' or 'getent group', it is only showing the local users/groups.  Even more, I can hear a lot of disk activity when doing these 2 commands.  So I tailed the log file and it is getting filled with the same entries over and over.

When I do 'getent passwd' the log files get hammered with these entries:

```
Aug  3 10:45:48 megatron winbindd[12972]: [2005/08/03 10:45:48, 0] sam/idmap_tdb.c:db_allocate_id(106)
Aug  3 10:45:49 megatron winbindd[12972]:   idmap Fatal Error: UID range full!! (max: 110000)
Aug  3 10:45:49 megatron winbindd[12972]: [2005/08/03 10:45:49, 0] sam/idmap_tdb.c:db_allocate_id(106)
Aug  3 10:45:49 megatron winbindd[12972]:   idmap Fatal Error: UID range full!! (max: 110000)
Aug  3 10:45:49 megatron winbindd[12972]: [2005/08/03 10:45:49, 0] sam/idmap_tdb.c:db_allocate_id(106)
Aug  3 10:45:49 megatron winbindd[12972]:   idmap Fatal Error: UID range full!! (max: 110000)
Aug  3 10:45:49 megatron winbindd[12972]: [2005/08/03 10:45:49, 0] sam/idmap_tdb.c:db_allocate_id(106)
Aug  3 10:45:49 megatron winbindd[12972]:   idmap Fatal Error: UID range full!! (max: 110000)
Aug  3 10:45:49 megatron winbindd[12972]: [2005/08/03 10:45:49, 0] sam/idmap_tdb.c:db_allocate_id(106)
Aug  3 10:45:49 megatron winbindd[12972]:   idmap Fatal Error: UID range full!! (max: 110000)
```

When I do 'getent group', the log files get hammered with these entries:

```
Aug  3 10:50:16 megatron winbindd[12972]: [2005/08/03 10:50:16, 0] sam/idmap_tdb.c:db_allocate_id(136)
Aug  3 10:50:16 megatron winbindd[12972]:   idmap Fatal Error: GID range full!! (max: 110000)
Aug  3 10:50:16 megatron winbindd[12972]: [2005/08/03 10:50:16, 0] sam/idmap_tdb.c:db_allocate_id(136)
Aug  3 10:50:16 megatron winbindd[12972]:   idmap Fatal Error: GID range full!! (max: 110000)
Aug  3 10:50:16 megatron winbindd[12972]: [2005/08/03 10:50:16, 0] sam/idmap_tdb.c:db_allocate_id(136)
Aug  3 10:50:16 megatron winbindd[12972]:   idmap Fatal Error: GID range full!! (max: 110000)
```

As you can see, I've increased both the UID and GID ranges from the default shown in the example smb.conf file on the wiki page, from 10000 - 20000 to 10000 - 110000.  However, I still get the same problem.  Increasing it more (I increased it to 1000000) doesn't do any good.

Any ideas?  I can authenticate my ADS username just fine using kinit.  Yet I can't get getent to work and I'm not able to access my shares.

----------

## nobspangle

Have you edited your nsswitch file?

How many users (including computers) do you have in your active directory? I would try and stick to the defaults for the idmap.

Samba caches the maps in a tdb file somewhere; try deleting that file and restarting samba/winbind.

----------

## jhboricua

Here's how my config looks:

My smb.conf file:

```
# Separate domain and username with '+', like DOMAIN+username
[global]
        netbios name = MEGATRON
        socket options = TCP_NODELAY SO_RCVBUF=16384 SO_SNDBUF=16384
        idmap uid = 10000-110000
        idmap gid = 10000-110000
        winbind enum users = yes
        winbind gid = 10000-110000
        workgroup = DCMS1
        os level = 20
        winbind enum groups = yes
        socket address = 10.102.2.64
        password server = 10.100.1.10
        preferred master = no
        winbind separator = +
        max log size = 50
        log file = /var/log/samba/log.%m
        encrypt passwords = yes
        dns proxy = no
        realm = BLAHBLAH.COM
        security = ADS
        wins server = 172.22.30.11
        wins proxy = no

# Shares section
[media]
        comment = Media Repository
        writeable = yes
        path = /home/media
        valid users = BLAHBLAH+myuser
        create mode = 644
```

My /etc/krb5.conf file:

```
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = BLAHBLAH.COM
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 forwardable = yes

[realms]
 BLAHBLAH.COM = {
  kdc = dcms1.blahblah.com
 }

[domain_realm]
 .blahblah.com = BLAHBLAH.COM
 BLAHBLAH.com = BLAHBLAH.COM

[kdc]
 profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
 pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
 }
```

and my /etc/nsswitch.conf file:

```
#
# /etc/nsswitch.conf
#
# An example Name Service Switch config file. This file should be
# sorted with the most-used services at the beginning.
#
# The entry '[NOTFOUND=return]' means that the search for an
# entry should stop if the search in the previous entry turned
# up nothing. Note that if the search failed due to some other reason
# (like no NIS server responding) then the search continues with the
# next entry.
#
# Legal entries are:
#
#       nisplus or nis+         Use NIS+ (NIS version 3)
#       nis or yp               Use NIS (NIS version 2), also called YP
#       dns                     Use DNS (Domain Name Service)
#       files                   Use the local files
#       db                      Use the local database (.db) files
#       compat                  Use NIS on compat mode
#       hesiod                  Use Hesiod for user lookups
#       [NOTFOUND=return]       Stop searching if not found so far
#

# To use db, put the "db" in front of "files" for entries you want to be
# looked up first in the databases
#
# Example:
#passwd:    db files nisplus nis
#shadow:    db files nisplus nis
#group:     db files nisplus nis

passwd:     compat winbind
shadow:     compat
group:      compat winbind

#hosts:     db files nisplus nis dns
hosts:      files dns wins

# Example - obey only what nisplus tells us...
#services:   nisplus [NOTFOUND=return] files
#networks:   nisplus [NOTFOUND=return] files
#protocols:  nisplus [NOTFOUND=return] files
#rpc:        nisplus [NOTFOUND=return] files
#ethers:     nisplus [NOTFOUND=return] files
#netmasks:   nisplus [NOTFOUND=return] files

bootparams: nisplus [NOTFOUND=return] files

ethers:     db files
netmasks:   files
networks:   files dns
protocols:  db files
rpc:        db files
services:   db files

netgroup:   files winbind

publickey:  nisplus

automount:  files winbind
aliases:    files nisplus
```

I'm still not able to make this work.
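As an added example (not code from the thread), a POSIX shell script that runs nobspangle's checks against the configuration and logs jhboricua posted: whether the passwd and group databases in nsswitch.conf route to winbind, how many IDs the configured idmap range actually holds, whether the older `winbind uid`/`winbind gid` spellings (Samba 3 synonyms for `idmap uid`/`idmap gid`) sit beside the idmap lines, and how often winbindd logged the allocator as full. The inputs are constructed excerpts embedded inline so it runs offline; point the variables at real files to use it on a live host.

```shell
# Constructed excerpts mirroring the thread (not read from real files):
SMB_CONF='[global]
        idmap uid = 10000-110000
        idmap gid = 10000-110000
        winbind enum users = yes
        winbind gid = 10000-110000
        winbind enum groups = yes'
NSSWITCH='passwd:     compat winbind
shadow:     compat
group:      compat winbind'
WINBIND_LOG='Aug  3 10:45:49 megatron winbindd[12972]:   idmap Fatal Error: UID range full!! (max: 110000)
Aug  3 10:45:49 megatron winbindd[12972]:   idmap Fatal Error: UID range full!! (max: 110000)
Aug  3 10:50:16 megatron winbindd[12972]:   idmap Fatal Error: GID range full!! (max: 110000)'

# nss_has_winbind CONF DB: succeeds if the DB line (passwd, group, ...) lists winbind
nss_has_winbind() {
  printf '%s\n' "$1" | grep -Eq "^$2:.*[[:space:]]winbind([[:space:]]|$)"
}

# idmap_range_size CONF uid|gid: number of IDs in the configured "idmap uid/gid" range
idmap_range_size() {
  printf '%s\n' "$1" | awk -F'=' -v key="idmap $2" '
    $1 ~ "^[ \t]*" key "[ \t]*$" { split($2, r, "-"); print r[2] - r[1] + 1; exit }'
}

# old_winbind_keys CONF: older "winbind uid/gid" spellings (Samba 3 synonyms for
# "idmap uid/gid") that duplicate the idmap lines and are easy to overlook
old_winbind_keys() {
  printf '%s\n' "$1" | grep -E '^[[:space:]]*winbind (uid|gid)[[:space:]]*=' \
    | sed 's/^[[:space:]]*//; s/[[:space:]]*=.*//'
}

# count_range_full LOG UID|GID: how often winbindd reported the allocator exhausted
count_range_full() {
  printf '%s\n' "$1" | grep -c "$2 range full"
}

# Report: each failed check points at one of the things nobspangle asked about.
for db in passwd group; do
  if nss_has_winbind "$NSSWITCH" "$db"; then echo "nsswitch: $db -> winbind ok"
  else echo "nsswitch: $db does not list winbind"; fi
done
echo "idmap uid range holds $(idmap_range_size "$SMB_CONF" uid) ids"
echo "older winbind keys present: $(old_winbind_keys "$SMB_CONF")"
echo "UID range full errors: $(count_range_full "$WINBIND_LOG" UID)"
echo "GID range full errors: $(count_range_full "$WINBIND_LOG" GID)"
```

A range that holds 100001 ids yet still logs "range full" on a domain with far fewer accounts points at the cached idmap tdb rather than the range itself, which is the cache nobspangle suggests deleting before restarting winbind.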
