[Samba] The problem with setting up AD domain to Samba 4

Rowland Penny rowlandpenny at googlemail.com
Wed Jun 19 03:34:38 MDT 2013


The problem is that you are mixing up how Samba 4 works with how Samba 3
works; Samba 4 winbind does not work the same as the Samba 3 winbind.
What you need to do is give your Linux users a uidNumber and groups like
Domain Users a gidNumber. How you do this is up to you; it can be done from
Windows (ADUC?) or by using an ldif on Linux, try a web search.
You then need to extract this information on the Linux clients. You can use
winbind, but do not use the rid backend. If you do use the rid backend,
whilst you will get the same UID for a user on any Linux client that uses
the exact same winbind settings, you will never get the same UID on the
server.  Using the ad backend will get you the same UID wherever you ask
for it, but in my opinion it is not the way to go; try using sssd, it is a lot
easier to set up.

Rowland


On 19 June 2013 09:59, Vladimir A Fomkin <vaf at vaf.net.ru> wrote:

> Hi!
> I tried to change the idmap backend from tdb to rid and set up an idmap
> range, but samba uses the old type of UIDs.
> What am I doing wrong?
>
>
> [global]
>     workgroup = TEST
>     realm = test.local
>     netbios name = BDC-SAMBA
>     server role = active directory domain controller
>     dns forwarder = 192.168.1.102
>     idmap config TEST:backend = rid
>     idmap config TEST:range = 4000000 - 5000000
>     idmap config TEST:schema_mode = rfc2307
>     idmap config *:backend = rid
>
>
>
>
>
> root at bdc-samba:~# /usr/local/samba/bin/testparm -sv
> /usr/local/samba/etc/smb.conf | grep backend
> Load smb config files from /usr/local/samba/etc/smb.conf
> rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
> Processing section "[netlogon]"
> Processing section "[sysvol]"
> Processing section "[profiles]"
> Loaded services file OK.
> Server role: ROLE_ACTIVE_DIRECTORY_DC
>     passdb backend = samba_dsdb
>     idmap backend = tdb
>     share backend =
>     idmap config TEST:backend = rid
>     idmap config * : backend = rid
> root at bdc-samba:~#
>
>
>
> 2013/6/17 Vladimir A Fomkin <vaf at vaf.net.ru>
>
> > Hi!
> >
> > root at debian-samba4:/usr/local/samba/private#
> > /usr/local/samba/bin/ldbsearch --url=/usr/local/samba/private/sam.ldb |
> > grep tester4
> > sAMAccountName: tester4
> > userPrincipalName: tester4 at test.local
> > root at debian-samba4:/usr/local/samba/private#
> >
> >
> > And I found where the UID is saved - /usr/local/samba/bin/ldbedit
> > --url=/usr/local/samba/private/idmap.ldb
> > On PDC shows (cut):
> > # record 7
> > dn: CN=S-1-5-21-3451120384-2816699473-3647757164-1110
> > cn: S-1-5-21-3451120384-2816699473-3647757164-1110
> > objectClass: sidMap
> > objectSid: S-1-5-21-3451120384-2816699473-3647757164-1110
> > type: ID_TYPE_BOTH
> > xidNumber: 3000023
> > distinguishedName: CN=S-1-5-21-3451120384-2816699473-3647757164-1110
> >
> > On BDC shows (cut):
> > # record 5
> > dn: CN=S-1-5-21-3451120384-2816699473-3647757164-1110
> > cn: S-1-5-21-3451120384-2816699473-3647757164-1110
> > objectClass: sidMap
> > objectSid: S-1-5-21-3451120384-2816699473-3647757164-1110
> > type: ID_TYPE_BOTH
> > xidNumber: 3000020
> > distinguishedName: CN=S-1-5-21-3451120384-2816699473-3647757164-1110
> >
> >
> >
> > SID is the same, but the UID is different!
> >
> >
> >
> > 2013/6/17 steve <steve at steve-ss.com>
> >
> >> On Mon, 2013-06-17 at 14:50 +0400, Vladimir A Fomkin wrote:
> >> > HI!
> >> > root at bdc-samba:~# /usr/local/samba/bin/samba-tool user add tester4
> >> > New Password:
> >> > Retype Password:
> >> > ERROR(ldb): Failed to add user 'tester4':  - samldb: Account name
> >> > (sAMAccountName) 'tester4' already in use!
> >> > root at bdc-samba:~#
> >>
> >>
> >> Hi
> >> ldbsearch --url=/usr/local/samba/private/sam.ldb | grep tester4
> >>
> >>
> >>
> >>
> >
> >
> > --
> > Best regards,
> > Vladimir Andreevich Fomkin
> > ICQ:220967838
> > Skype:vladimir.fomkin
> > http://vaf.net.ru
> >
>
>
>
> --
> Best regards,
> Vladimir Andreevich Fomkin
> ICQ:220967838
> Skype:vladimir.fomkin
> http://vaf.net.ru
>
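
The PDC/BDC comparison done by hand in the quoted message can be scripted. The following is an added example, not part of the original thread or of Samba: it parses text dumps of idmap.ldb taken on two DCs and reports SIDs whose xidNumber differs. The function names and the RID 513 and RID 1111 records are constructed; only the RID 1110 values come from the thread.

```python
import re

DOM = "S-1-5-21-3451120384-2816699473-3647757164"  # domain SID quoted in the thread

# Constructed dumps: RID 1110 carries the values quoted in the thread,
# the RID 513 and RID 1111 records are made up for illustration.
PDC_DUMP = f"""# record 7
objectSid: {DOM}-1110
type: ID_TYPE_BOTH
xidNumber: 3000023

# record 8
objectSid: {DOM}-513
xidNumber: 3000001
"""
BDC_DUMP = f"""# record 5
objectSid: {DOM}-1110
type: ID_TYPE_BOTH
xidNumber: 3000020

# record 6
objectSid: {DOM}-513
xidNumber: 3000001

# record 9
objectSid: {DOM}-1111
xidNumber: 3000021
"""

def parse_idmap(dump):
    """Return {sid: xid} from the text form of idmap.ldb records."""
    mapping = {}
    for block in re.split(r"\n\s*\n", dump):        # records are blank-line separated
        attrs = {}
        for line in block.splitlines():
            key, sep, value = line.partition(": ")  # "attr:: base64" lines never match a plain key
            if sep and not key.startswith("#"):
                attrs[key] = value.strip()
        if "objectSid" in attrs and "xidNumber" in attrs:
            mapping[attrs["objectSid"]] = int(attrs["xidNumber"])
    return mapping

def compare(dump_a, dump_b):
    """Return (SIDs mapped differently, SIDs only in a, SIDs only in b)."""
    a, b = parse_idmap(dump_a), parse_idmap(dump_b)
    diff = {sid: (a[sid], b[sid]) for sid in a.keys() & b.keys() if a[sid] != b[sid]}
    return diff, sorted(a.keys() - b.keys()), sorted(b.keys() - a.keys())

if __name__ == "__main__":
    print(compare(PDC_DUMP, BDC_DUMP))
```

Any SID in the first returned dictionary will own files under different numeric IDs depending on which DC wrote them, which is the inconsistency reported in the thread.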

