[Samba] Issues with AD trusts and UID/GID ranges

Anthony Halliday anthonyhalliday13 at gmail.com
Thu Nov 2 16:30:51 UTC 2023


Hello All,
I'm having issues joining some Ubuntu servers to an Active Directory domain with trusts. All my machines are running Samba and winbind. I have two domains, we'll call them CORPORATE and CUSTOMER. CUSTOMER has a one-way trust with CORPORATE, such that any resources CUSTOMER can access, CORPORATE can as well, but not vice versa. On all of my CORPORATE machines, users are assigned UIDs/GIDs in the range 10000-20000, and this has worked well so far. On CUSTOMER machines, I'd like to make it so that CORPORATE users are in the range 10000-20000 (just like on my CORPORATE machines), and CUSTOMER users are in the range 20001-30000. However, for some reason, with my current configs (attached), after joining to the domain, all users end up in the 30001-40000 range assigned to *. I tried not defining a range for *, but testparm gave me errors and Samba wouldn't launch. I'm a complete amateur at this, so I would appreciate any help you could offer. Thanks.

krb5.conf:
```
[libdefaults]
    dns_lookup_realm = false
    ticket_lifetime = 24h
    renew_lifetime = 7d
    forwardable = true
    rdns = false
    default_realm = CUSTOMER.TLD
    default_ccache_name = KEYRING:persistent:%{uid}

[realms]
    CUSTOMER.TLD = {
        kdc = ad.customer.tld
        admin_server = ad.customer.tld
        default_domain = customer.tld
        pkinit_anchors = FILE:/etc/pki/nssdb/certificate.pem
        pkinit_cert_match = <KU>digitalSignature
        pkinit_kdc_hostname = ad.customer.tld
    }
    CORPORATE.TLD = {
        kdc = ad.corporate.tld
        admin_server = ad.corporate.tld
        default_domain = corporate.tld
        pkinit_anchors = FILE:/etc/pki/nssdb/certificate.pem
        pkinit_cert_match = <KU>digitalSignature
        pkinit_kdc_hostname = ad.corporate.tld
    }

[domain_realm]
    .customer.tld = CUSTOMER.TLD
    customer.tld = CUSTOMER.TLD
    .corporate.tld = CORPORATE.TLD
    corporate.tld = CORPORATE.TLD
```

smb.conf:
```
[global]
    workgroup = CUSTOMER
    usershare allow guests = NO
    kerberos method = secrets and keytab
    realm = CUSTOMER.TLD
    security = ADS
    idmap config *:range = 30001-40000
    idmap config CUSTOMER:range = 20001-30000
    idmap config CORPORATE:range = 10000-20000
    template homedir = /home/%D/%U
    template shell = /bin/bash
    winbind use default domain = true
    winbind offline logon = yes
    winbind refresh tickets = yes
    winbind scan trusted domains = yes
```
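The behaviour described above (every user landing in the `*` range) is what winbind does when a domain has an `idmap config DOMAIN:range` line but no matching `idmap config DOMAIN:backend` line: a per-domain range is only honoured together with a backend, and a domain with no backend is mapped by the default `*` backend and its range. The smb.conf below is an added example for the CUSTOMER machines, not part of the original post or of Samba's own documentation. It assumes the `rid` backend for both domains, which maps UID = range low + RID and therefore gives the same UID on every machine that uses the same base; whether the CORPORATE machines actually use `rid` with base 10000 is an assumption, since the post does not say which backend they use.

```ini
[global]
    workgroup = CUSTOMER
    realm = CUSTOMER.TLD
    security = ADS
    kerberos method = secrets and keytab
    usershare allow guests = NO

    # Default mapping for any SID not covered by a configured domain
    # (BUILTIN, local SIDs, trusted domains not listed below).
    # '*' must use tdb; it hands out IDs on first use, so keep its range
    # disjoint from every domain range.
    idmap config * : backend = tdb
    idmap config * : range = 30001-40000

    # Each domain needs its own backend line; a range without a backend is
    # ignored and that domain's users fall through to '*'.
    # rid: UID = 10000 + RID, so this range covers RIDs 0-10000 (assumption:
    # CORPORATE machines use the same backend and base, otherwise UIDs differ).
    idmap config CORPORATE : backend = rid
    idmap config CORPORATE : range = 10000-20000

    # rid: UID = 20001 + RID, covering RIDs 0-9999 of the local domain.
    idmap config CUSTOMER : backend = rid
    idmap config CUSTOMER : range = 20001-30000

    template homedir = /home/%D/%U
    template shell = /bin/bash
    winbind use default domain = yes
    winbind offline logon = yes
    winbind refresh tickets = yes
    winbind scan trusted domains = yes
```

Check it with `testparm -s` before restarting winbind (`systemctl restart winbind`), then confirm the mapping with `wbinfo -m` (the trusted domains winbind sees), `wbinfo -i 'CORPORATE\someuser'` and `getent passwd someuser`: a CORPORATE account should now report a UID between 10000 and 20000 and a CUSTOMER account one between 20001 and 30000. Two caveats: the ranges must not overlap, and with `rid` a domain whose highest RID exceeds the width of its range (10001 IDs for CORPORATE here) will have unmappable users; widening the CORPORATE range on CUSTOMER machines only keeps UIDs consistent if the CORPORATE machines get the same change.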

