[Samba] AD uid/gid attributes

Michael Ray mray at xes-inc.com
Thu Feb 7 14:49:01 MST 2013

Here is the solution that worked for me, on the off chance another poor soul has trouble figuring this all out: 

(That is assuming that you were in my boat, i.e. user authentication but UID/GID were not mapped) 
smb.conf : 

netbios name = <name_to_join_AD_with> 
realm = DOMAIN_FQDN 
workgroup = DOMAIN 
preferred master = no 
security = ADS 
encrypt passwords = yes 
log level = 3 
log file = /var/log/samba/%m 
max log size = 50 
winbind enum users = Yes 
winbind enum groups = Yes 
winbind use default domain = Yes 
winbind nested groups = Yes 
idmap config * : range = 2000 - 3000 
idmap config * : backend = tdb 
idmap config DOMAIN : schema_mode = rfc2307 
idmap config DOMAIN : backend = ad 
idmap config DOMAIN : range = 500 - 1000 
idmap config DOMAIN : readonly = yes 
idmap config DOMAIN : default = yes 
template shell = /bin/bash 
winbind nss info = rfc2307 

A couple notes of possible interest: 
idmap config * : backend = tdb -- is actually the default value so you do not *have* to specify it 
idmap config * : range = x - y -- this inclusive range *must* be explicitly declared as something and will break getent passwd for domain users if not declared. I'd be surprised if there weren't a possibility of an issue if you have multiple domains and this range mirrors the range for the domain, but in my case, with only 1 domain, I haven't seen an issue. 
idmap config DOMAIN : range a - b -- this is the inclusive range winbind is an authority for (i.e. for the above example, a user with uidNumber 1001 would not show up in getent passwd) 

Of course, for this to work, you must also have /etc/nsswitch.conf configured for winbind and /etc/krb5.conf configured for your domain. 

----- Original Message -----

From: "Michael Ray" <mray at xes-inc.com> 
To: samba at lists.samba.org 
Sent: Wednesday, February 6, 2013 2:06:43 PM 
Subject: [Samba] AD uid/gid attributes 

Hey all- 

I know this kind of post has come up before, but I was unable to get results following previous postings, so if anyone can shed a little light on this, I'd be very grateful: 

The gist of the situation is this: 
PDC: Samba4 [4.1.0pre1-GIT-394622e ] 
Member: Samba3 (being used as a file share server) [3.6.3-2ubuntu2.3] 

The Samba3 machine is joined to the domain and authenticates domain users successfully for both ssh and local logins via winbind/nss/pam. 
However, the UID/GID attribute, although expressed in AD, is not the same. 
On the Samba4 machine itself I can use "getent" and verify the proper uid/gid. 

As I understand it though , when samba3 queries AD for information, by default its just authenticating user / password. It then makes a local UID/GID based on the range and backend specified in smb.conf. 

I saw one post talking about using LDAP to query UID/GID information from AD instead of a local idmap, but was unable to get it to work. 
I don't really want to add more overhead (i.e. LDAP) to this process if it can be avoided but will look at it again if there is no other way. 

Here is a pastebin of the smb.conf on the samba3 server: http://pastebin.com/GrwUDCJ2 

So to anyone who can point me in the right direction / let me know what worked for them, again, I'd be grateful. 

Mike Ray 

To unsubscribe from this list go to the following URL and read the 
instructions: https://lists.samba.org/mailman/options/samba 

More information about the samba mailing list