[Samba] failing to get AD users (getent passwd DMYDOM\a-sdettmer)

Steffen Dettmer steffen.dettmer+samba at gmail.com
Sun Mar 17 13:02:34 UTC 2024


Thank you so much for all your help. I cannot express how thankful I am!

tl;dr:
I have a >40 million RID and it now works with

   idmap config dmydom : range = 10000-999999999

(and now I wonder what happens if Windows gives a
SID ending with 11 digits, exceeding 32 bit UIDs)

more detail in case someone has the same issue:

On Sun, Mar 17, 2024 at 12:22 PM Rowland Penny via samba <samba at lists.samba.org> wrote:
>
> On Sun, 17 Mar 2024 11:36:51 +0100
> Steffen Dettmer <steffen.dettmer+samba at gmail.com> wrote:
>
> > On Sat, Mar 16, 2024 at 9:45 PM Rowland Penny via samba wrote:
> > > On Sat, 16 Mar 2024 21:33:59 +0100 Steffen Dettmer via samba wrote:
> > > >    getent passwd 'DMYDOM\a-sdettmer'
> > > >    [nothing]
> default_realm = DMYDOM.INT
> default_domain = dom.local
>
> The latter should be the lowercase version of the former i.e.
> 'mydom.int' and not 'dom.local' (also I hope that '.local' is
> sanitisation for the real TLD).

OMG, no it is literally "dom.local" and my notes say so.
I adjusted accordingly.

> What could be happening is that the 'rid' backend is ignoring your
> users.

(For next time, would it be possible to see some error message like
err user sdettmer out of range)

> The 'rid' backend works by obtaining the users RID

OMG, before I never realized that technically it means taking the last "part"
of the SID as number! Now I see that you are writing this since 2019
or longer :)
This is cool, because two independent Sambas in the same domain
generate the same UIDs, which makes a lot of sense.

My account's SID is S-1-5-21-120xxxxxxx-24xxxxxxxx-29xxxxxxxx-41xxxxx6

Apparently, an AD SID cannot easily be shown on Samba client
when it is not mappable.

Should I create an account and add this to
https://wiki.samba.org/index.php/Idmap_config_rid
extending "Planning the ID Ranges" telling how to determine the
RID from the SID? For example proposing Windows PowerShell

   Get-ADUser -Identity lastUserCreated -Properties SamAccountName,UserPrincipalName,SID |
     select SamAccountName,UserPrincipalName,SID

(or is there is some Winbind/Samba equivalent?)
and tell Wiki readers to ensure there is enough "space" in the range?

> However, if the RID was '99999', the ID would be '109999', which is
> over your high range end and as a result, your user would be ignored.

So my RID is > 40 million and I need a very big range, although there are just a few users
(700 accounts, most are apps).
I extracted all user SIDs and see four-digit numbers, then suddenly a jump
from 6xxx to 41xxxxx3.
Many are "contiguous", like 20 users where RID are incrementing,
but there are gaps/holes in the numbers here and there.

Am I right that I'm lost as soon as Windows jumps over 32 bit range?

Could wbinfo somehow check if the range is sufficient? Or make
winbind daemon log an error if it faces an unmappable SID?
(Maybe I could contribute; I develop in C but I'm not sure if I could work
myself into it in reasonable time as I'm not familiar with anything)

> Quick test, change 'idmap config DMYDOM : range = 10000-99999' to
> 'idmap config DMYDOM : range = 10000-999999', reload the config with
> smbcontrol or restart Samba,

I found this on the web (you also already wrote about) and I tested it,
that time without success.
Now, thanks to your great and detailed explanation, I set:

   idmap config dmydom : range = 10000-999999999

root at a2samba1:~# smbcontrol all reload-config
root at a2samba1:~# service winbind restart
root at a2samba1:~# getent passwd DMYDOM\\a-sdettmer
a-sdettmer:*:41xxxxx6:1xxx3:Steffen Dettmer (Limited Administrative
Account):/home/a-sdettmer:/bin/bash

The SIDs of the users were given by Windows; apparently I have unusually
high numbers :/

Thank you so much for your help. I thought I checked this, but I didn't do
it right.

If a UID cannot be mapped, Windows clients would not notice
as they don't see this at all, is this correct? Or could Linux access
permissions harm Samba?

Thank youuuu!

Steffen
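As an added example, not part of this post or of Samba's own code: the check Steffen asks for above ("could wbinfo somehow check if the range is sufficient?") can be done offline from an exported list of SIDs. The script below applies the idmap_rid formula quoted in the thread (ID = RID + LOW_RANGE_ID, with the optional base_rid defaulting to 0), flags every SID whose resulting ID falls outside `idmap config DOM : range = LOW-HIGH` (winbind ignores those users), and separately flags IDs that would not fit a 32-bit uid_t. The SIDs and the range values are constructed sample data, not from the real domain; the function names are this example's own.

```python
import re

# Linux uid_t/gid_t are 32-bit unsigned: this is the hard ceiling regardless of
# what range is configured in smb.conf.
UID_T_MAX = 2**32 - 1

# A domain SID: S-1-5-21-<three 32-bit sub-authorities>-<RID>.
# Every sub-authority, the RID included, is itself a 32-bit unsigned value,
# so the RID alone always fits; it is the added low-range offset that can
# push the resulting ID over UID_T_MAX.
SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+-(\d+)$")


def rid_from_sid(sid):
    """Return the RID, i.e. the last sub-authority of a domain SID."""
    m = SID_RE.match(sid)
    if not m:
        raise ValueError(f"not a domain SID: {sid}")
    return int(m.group(1))


def parse_range(value):
    """Parse 'LOW-HIGH' as written in 'idmap config DOM : range = LOW-HIGH'."""
    low, high = (int(x.strip()) for x in value.split("-", 1))
    if low >= high:
        raise ValueError(f"range low {low} must be below high {high}")
    return low, high


def rid_to_id(rid, low, base_rid=0):
    """idmap_rid mapping: ID = RID - BASE_RID + LOW_RANGE_ID (base_rid defaults to 0)."""
    return rid - base_rid + low


def check_mapping(sids, range_value, base_rid=0):
    """Classify each SID under the given range.

    Returns (mapped, unmapped): mapped is {sid: id}, unmapped is {sid: reason}.
    """
    low, high = parse_range(range_value)
    mapped, unmapped = {}, {}
    for sid in sids:
        uid = rid_to_id(rid_from_sid(sid), low, base_rid)
        if uid > UID_T_MAX:
            unmapped[sid] = f"id {uid} does not fit a 32-bit uid_t"
        elif uid > high:
            unmapped[sid] = f"id {uid} is above range high {high}; winbind ignores this user"
        elif uid < low:
            unmapped[sid] = f"id {uid} is below range low {low} (base_rid too large)"
        else:
            mapped[sid] = uid
    return mapped, unmapped


def required_high(sids, low, base_rid=0):
    """Smallest range high that would map every given SID (may exceed UID_T_MAX)."""
    return max(rid_to_id(rid_from_sid(s), low, base_rid) for s in sids)


# Constructed sample SIDs (placeholder domain part). The third mimics the
# thread's situation: a RID above 40 million; the fourth is the largest
# possible RID.
SAMPLE_SIDS = [
    "S-1-5-21-1000000001-2000000002-3000000003-1106",
    "S-1-5-21-1000000001-2000000002-3000000003-6543",
    "S-1-5-21-1000000001-2000000002-3000000003-41000006",
    "S-1-5-21-1000000001-2000000002-3000000003-4294967295",
]

if __name__ == "__main__":
    for rng in ("10000-99999", "10000-999999999"):
        mapped, unmapped = check_mapping(SAMPLE_SIDS, rng)
        print(f"range = {rng}")
        for sid, uid in mapped.items():
            print(f"  ok      {sid} -> {uid}")
        for sid, why in unmapped.items():
            print(f"  IGNORED {sid}: {why}")
    print("high needed for first three SIDs:",
          required_high(SAMPLE_SIDS[:3], 10000))
```

Feed it the SID column from the Get-ADUser output (or `wbinfo --name-to-sid` per account) to see, before touching smb.conf, which accounts the current range silently drops and what the high end must at least be.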


