Active directory integration not working properly with winbind and samba

I'm trying to get my linux box to use active directory authentication. I believe I have almost everything set up correctly. I'm able to issue wbinfo -g and wbinfo -u and see all the groups and users respectively.

Brief intro to my setup:

The username I use on my linux box to do admin things is nick. My active directory username is nwalke. They have two different passwords. I am able to log in to the box with nick and that user's password and I'm also able to login as nwalke with nwalke's password.

The curious bit:

Upon creating the active directory user's home directory, I run a script that requires root access. This is to set up some system-wide things like a samba share for them. When I log in as nwalke, I enter my nwalke password and it succeeds. I'm then greeted with "[sudo] password for nick:". If I enter my nwalke password here, it says "Sorry, try again." If I enter nick's password, it says "Sorry, user nick is not allowed to execute scriptname as root."

If I do groups as nwalke, I see that magically my user has been given the group nick.

Now, I accidentally thought that nick had a UID of 100, not 1000. So originally in my smb.conf I had idmap uid 1000-10000. The only thing I can think of, is that I logged in with nwalke while that was still set and now I'm just being presented with a UID of 1000 forcing linux to think I'm nick.

I'm not really sure where to go from here. Like I said, I'm fairly certain active directory is communicating with my server properly, but something must not be mapped right on the linux side.

Any thoughts?

Here is my smb.conf:

[global]
    security = ads
    netbios name = hostname
    realm = COMPANY.COM
    password server = adshost.company.com
    workgroup = COMPANY
    idmap uid = 10000-90000
    idmap gid = 10000-90000
    winbind separator = +
    winbind enum users = no
    winbind enum groups = no
    winbind use default domain = yes
    template homedir = /home/%D/%U
    template shell = /bin/bash
    client use spnego = yes
    domain master = no
    load printers = no
    printing = bsd
    printcap name = /dev/null
    disable spoolss = yes

Do I need to bind to a user on the linux box somehow?


It sounds like you have a UID overlap.
If nwalke and nick share the same numeric UID, the first nsswitch match will win for things like id, sudo, ls, etc. (and the first match is usually from the passwd file unless you've changed the order in /etc/nsswitch.conf or equivalent).

(Logins will work with either name, because login looks up the user by name. Having two users with the same name would cause some interesting chaos, though.)

Your local (/etc/passwd, /etc/group) and remote (NIS, Samba, LDAP, whatever) UIDs/GIDs should not overlap. Fix that core problem and the rest will resolve itself.


I have changed the value in my smb.conf to 10,000 and it still feels like nwalke is getting paired with 1000. How do I resolve that?

I can't recall which file it is, and I don't currently have a system to check.

When a user first connects, an ID is assigned and then stored in one of the Samba databases in /var/lib/samba/. Take a look in that folder; it might be obvious which file it is. You could possibly try stopping Samba and just moving/deleting all the files there, though you would need to re-join the domain, since the machine-account credentials are also stored in one of those databases.
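The UID-overlap diagnosis above, and the follow-up about nwalke still appearing to be paired with UID 1000 after the idmap range was moved, both come down to two checks: does any numeric UID resolve to more than one user name, and does each winbind-mapped account actually sit inside the configured idmap range. Below is an added shell example (not from the original thread or from Samba) that performs both checks on passwd(5)-format input. The /etc/passwd lines and the two winbind-style entries for nwalke are constructed sample data; the idmap range 10000-90000 is the one from the posted smb.conf. Because the posted config has winbind enum users = no, getent passwd will not enumerate domain accounts, so on a real host the domain entries have to be looked up by name as shown in the usage comment.

```shell
#!/bin/sh
# Added example, not part of the original thread: spot UID collisions between
# local /etc/passwd accounts and winbind-mapped domain accounts, and flag any
# domain account whose UID lies outside the configured idmap range.
#
# Real-host usage (winbind enum users = no, so query domain users by name):
#   { cat /etc/passwd; getent passwd nwalke; } | find_uid_collisions
#   getent passwd nwalke | check_idmap_range 10000 90000
# A non-empty line from either function means nsswitch will hand the wrong
# identity to id/sudo/ls, exactly the symptom described in the question.

# Reads passwd(5)-format lines on stdin; prints "UID name1 name2 ..." for every
# UID that resolves to more than one distinct user name. Duplicate lines for
# the same name/UID pair are ignored, blank lines are skipped.
find_uid_collisions() {
    awk -F: '
        $3 != "" && !seen[$3 SUBSEP $1]++ {
            names[$3] = names[$3] (names[$3] ? " " : "") $1
            count[$3]++
        }
        END { for (u in count) if (count[u] > 1) print u, names[u] }
    ' | sort -n
}

# Reads passwd(5)-format lines on stdin; prints "name uid" for each entry whose
# UID falls outside [low, high], the idmap uid range winbind is expected to use.
check_idmap_range() {
    low=$1
    high=$2
    awk -F: -v lo="$low" -v hi="$high" '$3 != "" && ($3 < lo || $3 > hi) { print $1, $3 }'
}

# Constructed sample data (assumptions, not captured from the poster's host).
SAMPLE_LOCAL='root:x:0:0:root:/root:/bin/bash
nick:x:1000:1000:Nick:/home/nick:/bin/bash'

# What winbind hands back for nwalke while a stale mapping from the old
# idmap uid = 1000-10000 range is still cached: same UID as nick.
SAMPLE_STALE='nwalke:*:1000:1000:Nick Walke:/home/COMPANY/nwalke:/bin/bash'

# What a correctly mapped account looks like under idmap uid = 10000-90000.
SAMPLE_GOOD='nwalke:*:10001:10000:Nick Walke:/home/COMPANY/nwalke:/bin/bash'

echo "Collisions with the stale mapping:"
printf '%s\n%s\n' "$SAMPLE_LOCAL" "$SAMPLE_STALE" | find_uid_collisions
echo "Stale entries outside the 10000-90000 idmap range:"
printf '%s\n' "$SAMPLE_STALE" | check_idmap_range 10000 90000
echo "Collisions after the mapping is fixed (expect none):"
printf '%s\n%s\n' "$SAMPLE_LOCAL" "$SAMPLE_GOOD" | find_uid_collisions
```

Run the first check before and after clearing the cached idmap database: while nwalke still reports UID 1000 the collision line will name both accounts, and once winbind re-allocates an ID from the new range both functions should print nothing. The range check is also a cheap regression test to keep around, since changing idmap uid in smb.conf does not renumber mappings that winbind has already stored.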