Samba/winbind 3.3.1 on Ubuntu jaunty

I’ve been working on testing jaunty before it goes live. Winbind stopped working and I initially assumed it was another configuration change. In the end, it was. The caching functionality wasn’t very straightforward so it took me a while to get to a point where I could test configurations without the cache messing with the results. Intrepid to Jaunty is Samba 3.2.3 to 3.3.1, which being a different major version includes some changes. Mostly the internet is chock full of examples that don’t specify the version of Samba that they’re for, and it’s been changing a lot.

It looks like 3.0.21a added support for ‘idmap backend = ad’ for retrieving uid/gid information from Active Directory. At some point ‘idmap config’ showed up, for maintaining multiple domains. I assume this was around 3.0.25 where ‘idmap domains’ showed up. Apparently with 3.3.0, the ‘idmap backend’ is back, which became deprecated with the 3.0.25 changes. There is talk in the release notes of using ‘idmap uid’ and ‘idmap gid’. I’ve seen errors about these not existing; I just went without. Without further ado, here’s my working winbind config:

security = ADS
server string = %h server (Samba %v)
workgroup = WM
idmap config WM : backend = ad
idmap config WM : schema_mode = rfc2307
idmap config WM : range = 1000-20000
winbind enum users = Yes
winbind enum groups = Yes
winbind use default domain = Yes
winbind nested groups = Yes
template shell = /bin/bash
template homedir = /home/%U
allow trusted domains = No

The other interesting thing was the caching. I eventually read the code while watching the output of ‘winbindd -i -d10 -n -s /etc/samba/smb.test.conf’ and saw that ‘-n’ which is supposed to disable caching doesn’t affect the idmap cache. The ‘winbindd_cache.tdb’ and ‘winbind_idmap.tdb’ files were not said cache. It ended up hiding in ‘/var/run/samba/gencache.tdb’, with who knows what else. You need to delete this file manually each run. I filed a bug over it too.
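
A helper for the test loop described above, as an added example that is not from the original post: it moves gencache.tdb aside and then starts the daemon in the foreground with the flags quoted above. The function names and the GENCACHE variable are hypothetical; the cache path is the one named in the post, and the script assumes it is run as root.

```shell
#!/bin/sh
# Added example: reset Samba's generic cache before a foreground winbindd test run.
# Function names and the GENCACHE variable are hypothetical; the path and the
# daemon flags are the ones quoted in the post (winbindd is the daemon binary).

GENCACHE=${GENCACHE:-/var/run/samba/gencache.tdb}

# Move the cache aside instead of deleting it, so a stale mapping can still be
# inspected or restored. Prints the backup path, or nothing if no cache existed.
reset_gencache() {
    cache=$1
    [ -e "$cache" ] || return 0
    backup="$cache.$(date +%Y%m%d%H%M%S).$$"
    mv -- "$cache" "$backup" && printf '%s\n' "$backup"
}

# Refuse to test while another winbindd is up: it may still hold the old cache
# file open, in which case moving the file would not give a clean result.
winbindd_running() {
    command -v pgrep >/dev/null 2>&1 && pgrep -x winbindd >/dev/null 2>&1
}

# One clean test iteration against a test configuration file.
run_clean_test() {
    conf=$1
    if winbindd_running; then
        echo "winbindd is already running; stop it first" >&2
        return 1
    fi
    reset_gencache "$GENCACHE" >/dev/null || return 1
    winbindd -i -d10 -n -s "$conf"
}

# Only act when given a config path, e.g.:
#   sh clean-winbind-test.sh /etc/samba/smb.test.conf
if [ "$#" -gt 0 ]; then
    run_clean_test "$1"
fi
```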
