[Samba] security = ads parameter not working in samba 4.9.5

Sérgio Basto sergio at serjux.com
Wed Nov 27 15:30:27 UTC 2019


On Wed, 2019-11-27 at 12:29 +0000, Rowland penny via samba wrote:
> On 27/11/2019 11:03, Sérgio Basto via samba wrote:
> > Sorry, I meant man idmap_ad. But checking again, the man page is the
> > same as https://wiki.samba.org/index.php/Idmap_config_ad in the
> > EXAMPLES of the man page [1].
> >
> > The examples don't mention netbios name ... I did [2], in which
> > instead of workgroup I used netbios name, and it is working, but I
> > still don't know why or even if it is correct.
> You do not need to set 'netbios name', it will be set for you from
> the hostname
> > 
> > 
> > [2]
> > [global]
> >      netbios name = REPO
> >      security = ADS
> >      workgroup = SAMDOM
> >      realm = SAMDOM.EXAMPLE.COM
> > 
> >      winbind use default domain = yes
> > 
> >      idmap config * : backend = tdb
> >      idmap config * : range = 1000000-1999999
> >     
> >      idmap config REPO : backend = ad
> >      idmap config REPO : schema_mode = rfc2307
> >      idmap config REPO : range = 10000-999999
> >      idmap config REPO : unix_nss_info = yes
> 
> You need to use the workgroup name, not the netbios name. There will
> be three domains on your Unix domain member:
> 
> BUILTIN : Mostly used for the Well Known SIDs
> 
> SAMDOM : Your AD domain
> 
> REPO : a local domain and not really relevant


Hi, many thanks for the reply, and it started to work, but I had to use
the realm:

     security = ADS
     workgroup = SAMDOM
     realm = SAMDOM.LOCAL
     idmap config * : backend = tdb
     idmap config * : range = 1000000-1999999
   
     idmap config SAMDOM.LOCAL : backend = ad
     idmap config SAMDOM.LOCAL : schema_mode = rfc2307
     idmap config SAMDOM.LOCAL : range = 10000-999999
     idmap config SAMDOM.LOCAL : unix_nss_info = yes





> >      vfs objects = acl_xattr
> >      map acl inherit = yes
> >      store dos attributes = yes
> > 
> >      template shell = /bin/false
> >      template homedir = /srv/samba/users/%U
> >      username map = /var/lib/samba/user.map
> > 
> > 
> > 
> > [1]
> > EXAMPLES
> >         The following example shows how to retrieve idmappings from
> >         our principal and trusted AD domains. If trusted domains are
> >         present id conflicts must be resolved beforehand, there is no
> >         guarantee on the order conflicting mappings would be resolved
> >         at this point.
> >         This example also shows how to leave a small non conflicting
> >         range for local id allocation that may be used in internal
> >         backends like BUILTIN.
> > 
> >                  [global]
> >                  workgroup = CORP
> > 
> >                  idmap config * : backend = tdb
> >                  idmap config * : range = 1000000-1999999
> > 
> >                  idmap config CORP : backend  = ad
> >                  idmap config CORP : range = 1000-999999
> 
> Rowland
> 
> 
> 
-- 
Sérgio M. B.
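
Added example, not part of the original message or of Samba: a small Python check that applies two points from the thread to the [global] section of an smb.conf, namely the quoted advice that the "idmap config" domain name should be the workgroup rather than the netbios name, and the man page's point about non-conflicting ranges. The function names and the second sample configuration are constructed for illustration.

```python
import re

# "idmap config DOMAIN : option = value" as written in the [global] section
IDMAP_RE = re.compile(r"idmap config\s+(\S+)\s*:\s*([^=]+?)\s*=\s*(.+)", re.I)

def parse_global(text):
    """Return ([global] parameters, idmap options keyed by domain name)."""
    params, idmap, section = {}, {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line[0] in "#;":
            continue
        if line.startswith("["):
            section = line.strip("[]").strip().lower()
        elif section == "global" and "=" in line:
            m = IDMAP_RE.fullmatch(line)
            if m:
                idmap.setdefault(m.group(1), {})[m.group(2).lower()] = m.group(3)
            else:
                key, value = line.split("=", 1)
                params[" ".join(key.lower().split())] = value.strip()
    return params, idmap

def check_idmap(text):
    """List idmap domain names that are not the workgroup, and overlapping ranges."""
    params, idmap = parse_global(text)
    workgroup = params.get("workgroup", "").upper()
    netbios = params.get("netbios name", "").upper()
    findings, ranges = [], []
    for domain, opts in idmap.items():
        if domain != "*" and domain.upper() != workgroup:
            what = "matches 'netbios name'" if domain.upper() == netbios else "does not match"
            findings.append(f"idmap config {domain}: name {what}, workgroup is {workgroup}")
        if "range" in opts:
            low, high = (int(n) for n in opts["range"].split("-"))
            ranges.append((low, high, domain))
    ranges.sort()
    for (lo1, hi1, d1), (lo2, hi2, d2) in zip(ranges, ranges[1:]):
        if lo2 <= hi1:  # next range starts before the previous one ends
            findings.append(f"range overlap: {d1} {lo1}-{hi1} / {d2} {lo2}-{hi2}")
    return findings

# Configuration [2] from the thread, trimmed to the lines the check reads
THREAD_CONFIG = """[global]
netbios name = REPO
workgroup = SAMDOM
idmap config * : range = 1000000-1999999
idmap config REPO : backend = ad
idmap config REPO : range = 10000-999999
"""
# Constructed variant: workgroup name used, but the default range runs into it
OVERLAP_CONFIG = THREAD_CONFIG.replace("REPO :", "SAMDOM :").replace("1000000-", "500000-")
```
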



