[Samba] bad home path from AD

Rowland Penny rpenny at samba.org
Thu Mar 28 11:03:37 UTC 2024


On Thu, 28 Mar 2024 11:12:12 +0100
Arnaud Bougeard via samba <samba at lists.samba.org> wrote:

> Hello
> 
> I think I have a mapping problem.
> 
> The server was added to the domain with sudo net ads join -U adj-compo at ur.local
> 
> The server is also connected to an LDAP server via SSD
> 
> When loading the user's homes, the server does not look for the
> correct homedir path which should be /private/student/7/17/tdsi917
> for the user tdsi917
> 
> Here are the values and variables retrieved by the 3 commands:
> 
> # getent passwd ur\\tdsi917
> tdsi917:*:16945606:16977729::/home/UR/tdsi917:/bin/false
> 
> # getent passwd tdsi917
> tdsi917:*:122025:99999:test dsi917:/private/student/7/17/tdsi917:/usr/local/bin/ur1shell
> 
> # id tdsi917
> uid=122025(tdsi917) gid=99999 groupes=99999,16945606(tdsi917),16977729(domain users),17138962($ijv700-jaannteirkd3),17169934($ert800-5ggunedtuc7k),17121891($3ue700-90qmsldqmphu),16975181($da1600-8q4gb3joj2c9),17156453($5mg800-qp8djjrmdrod),17155068($saf800-r89h2bc6j7a6),17098681($p8o600-b3lnss0ku69r),17098673($h8o600-asepe2uhj93k),17121890($2ue700-3vk366s8s8nf),17169935($frt800-8l9h6ago3m6l),17131976($8po700-dj95nr2nh69g),17138960($gjv700-3rcp24o2rlvs),17131837($tko700-b5g5n6ti3aor),17138961($hjv700-5pebr12ui2pt),16974329($pf0600-svtpf15svlnj),17144064($0j4800-12qqqai06tc5),16966428($soo500-kso5c5o4qd6c),17169933($drt800-91fnd965nvcg),17169365($l9t800-1i3jm4qpr31r),16777217(BUILTIN\users)
> 
> 
> Here is my samba config  /etc/samba/smb.conf
>    [global]
>     netbios name = spartacus-test
>     workgroup = ur
>     realm = UR.LOCAL

I do hope that '.local' is sanitisation for your correct TLD.
 
>     log file = /var/log/samba/%m.log
>     log level = 3
>     security = ads
>     idmap config * : backend = tdb
>     idmap config * : range = 16777216-33554431

The default domain '*' is meant for the Well Known SIDs (and there are
less than 200 of them) and anything outside the 'UR' domain (so really
0), so why have you got a range that allows for 16 million, seven
hundred and seventy seven thousand, two hundred and twenty five users?
 
>     idmap config UR : unix_nssinfo = no
>     idmap config UR: schema_mode = rfc2307

It looks to me that you are possibly wanting to use the 'ad' idmap
backend for the 'UR' domain; if so, you are missing a couple of lines
(at least):
     idmap config UR : backend = ad
     idmap config UR : range = 10000-999999

Though this will require that you have added rfc2307 attributes to AD,
have you done this?

Rowland
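
A small checker for the point made in the reply above, added here as an example (not code from the thread or from the Samba project): it parses `idmap config` lines and reports any domain that has options but no `backend` or `range`, and, going one step beyond the thread, malformed or overlapping ranges. The sample configs are constructed from the lines quoted in the thread; the function names are made up for this example, and the parser accepts `UR:` written without the space, as posted.

```python
import re
from collections import defaultdict
# Constructed sample: only the idmap lines quoted in the thread.
SAMPLE_POSTED = """\
[global]
    idmap config * : backend = tdb
    idmap config * : range = 16777216-33554431
    idmap config UR : unix_nssinfo = no
    idmap config UR: schema_mode = rfc2307
"""
# The same lines plus the two lines suggested in the reply.
SAMPLE_SUGGESTED = SAMPLE_POSTED + """\
    idmap config UR : backend = ad
    idmap config UR : range = 10000-999999
"""
IDMAP_RE = re.compile(
    r"^\s*idmap\s+config\s+(\S+?)\s*:\s*(\S+)\s*=\s*(.+?)\s*$", re.I)

def parse_idmap(text):
    """Return {domain: {option: value}} for every 'idmap config' line."""
    domains = defaultdict(dict)
    for line in text.splitlines():
        m = IDMAP_RE.match(line)  # comment lines (# or ;) never match
        if m:
            domains[m.group(1).upper()][m.group(2).lower()] = m.group(3)
    return dict(domains)

def check_idmap(text):
    """List missing backend/range settings and malformed or overlapping ranges."""
    problems, ranges = [], {}
    for dom, opts in parse_idmap(text).items():
        for required in ("backend", "range"):
            if required not in opts:
                problems.append(f"{dom}: no '{required}' set")
        m = re.fullmatch(r"(\d+)\s*-\s*(\d+)", opts.get("range", ""))
        if m and int(m.group(1)) < int(m.group(2)):
            ranges[dom] = (int(m.group(1)), int(m.group(2)))
        elif "range" in opts:
            problems.append(f"{dom}: bad range '{opts['range']}'")
    doms = sorted(ranges)
    for i, a in enumerate(doms):
        for b in doms[i + 1:]:
            if ranges[a][0] <= ranges[b][1] and ranges[b][0] <= ranges[a][1]:
                problems.append(f"{a} and {b}: ranges overlap")
    return problems

if __name__ == "__main__":
    print("posted:   ", check_idmap(SAMPLE_POSTED))
    print("suggested:", check_idmap(SAMPLE_SUGGESTED))
```

The check only looks at the file; whether the uidNumber and gidNumber values stored in AD fall inside the configured range still has to be verified against the directory.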


