Platform:
FreeBSD 10.0 / 10.1
Samba 4.0.24 / 4.1.16
Issue:
You have your perfectly-crafted smb.conf/smb4.conf configuration file that worked just fine on Samba 3.6, but it doesn't seem to work at all on Samba 4 or 4.1.
Excerpt from an example configuration for DOMAIN that worked with Samba 3.6:
# get info from active directory (uidNumber & gidNumber) idmap config DOMAIN : backend = ad idmap config DOMAIN : range = 10000-19999 idmap config DOMAIN : schema_mode = rfc2307
Despite specifying a backend, range, and schema for info lookup and id mapping, it keeps displaying the wrong info. Using "wbinfo -i username" (or "getent passwd username" if you have /etc/nsswitch.conf configured) just won't show the right UID, GID, home, or shell.
You end up with something like this:
username:*:4294967295:4294967295:User Name:/home/DOMAIN/username:/bin/false
When you were expecting something more like this:
username:*:10001:10001:User Name:/home/username:/bin/bash
Cause:
You might be missing the /usr/local/lib/shared-modules/idmap/ad.so file!
Even though the samba4 and samba41 binary packages are pre-compiled with "AD support", they do not include the correct shared module to actually work with AD!
After turning the log level way up, I noticed my "/var/log/samba4/log.winbindd-idmap" file kept repeating the same thing over and over for every user lookup:
[2015/02/03 17:00:47.849685, 3] ../source3/winbindd/idmap.c:230(idmap_init_domain) idmap backend ad not found [2015/02/03 17:00:47.849727, 5] ../lib/util/modules.c:174(do_smb_load_module) Probing module 'ad' [2015/02/03 17:00:47.849763, 5] ../lib/util/modules.c:188(do_smb_load_module) Probing module 'ad': Trying to load from /usr/local/lib/shared-modules/idmap/ad.so [2015/02/03 17:00:47.849958, 5] ../lib/util/modules.c:56(load_module) Error loading module '/usr/local/lib/shared-modules/idmap/ad.so': Cannot open "/usr/local/lib/shared-modules/idmap/ad.so" [2015/02/03 17:00:47.849985, 3] ../source3/winbindd/idmap.c:235(idmap_init_domain) Could not probe idmap module ad
Error loading module ad.so? idmap backend ad not found? That part of idmap_ad is required to correctly retrieve information from AD.
Fix:
Compiling Samba 4/4.1 with the "experimental modules" option is probably the easiest way to work around this. Trying to use "pkg install samba41" will not work.
Go ahead and instal the required files for the expermental modules option:
# pkg install pkgconf p5-Parse-Pidl
Then, using portmaster, configure Samba and select the "EXP_MODULES" option.
# portmaster net/samba41
(Take a break here, compiling Samba might take a while.)
Go ahead and prevent pkg from updating Samba:
# pkg lock samba41
Now with the updated Samba installed, go ahead and stop the service, wipe the id mapping cache and logs, then restart the service:
# service samba_server stop # rm /var/db/samba4/* # rm /var/log/samba4/* # service samba_server start
Now issue the "wbinfo -i username" command to see if it gets the right information (uid, gid, home, and shell).