[Samba] The problem with setting up AD domain to Samba 4

steve steve at steve-ss.com
Wed Jun 19 03:42:20 MDT 2013


On Wed, 2013-06-19 at 12:59 +0400, Vladimir A Fomkin wrote:
> Hi!
> 
> I tried to change the idmap backend from tdb to rid and set up the idmap
> range, but samba uses the old type of UIDs.
> What am I doing wrong?
> 
> 
> [global]
>     workgroup = TEST
>     realm = test.local
>     netbios name = BDC-SAMBA
>     server role = active directory domain controller
>     dns forwarder = 192.168.1.102
>     idmap config TEST:backend = rid
>     idmap config TEST:range = 4000000 - 5000000
>     idmap config TEST:schema_mode = rfc2307
>     idmap config *:backend = rid
> 
> 
Change to this:
[global]
    workgroup = TEST
    realm = test.local
    netbios name = BDC-SAMBA
    server role = active directory domain controller
    dns forwarder = 192.168.1.102
    idmap_ldb use:rfc2307 = Yes

> 
> 
> 
> root at bdc-samba:~# /usr/local/samba/bin/testparm
> -sv /usr/local/samba/etc/smb.conf | grep backend
> Load smb config files from /usr/local/samba/etc/smb.conf
> rlimit_max: increasing rlimit_max (1024) to minimum Windows limit
> (16384)
> Processing section "[netlogon]"
> Processing section "[sysvol]"
> Processing section "[profiles]"
> Loaded services file OK.
> Server role: ROLE_ACTIVE_DIRECTORY_DC
>     passdb backend = samba_dsdb
>     idmap backend = tdb
>     share backend = 
>     idmap config TEST:backend = rid
>     idmap config * : backend = rid
> root at bdc-samba:~# 
> 
> 
> 
> 
> 2013/6/17 Vladimir A Fomkin <vaf at vaf.net.ru>
>         Hi!
>         
>         root at debian-samba4:/usr/local/samba/private# /usr/local/samba/bin/ldbsearch --url=/usr/local/samba/private/sam.ldb | grep tester4
>         sAMAccountName: tester4
>         userPrincipalName: tester4 at test.local
>         root at debian-samba4:/usr/local/samba/private#
>         
>         
>         
>         And I found where the UID is saved - /usr/local/samba/bin/ldbedit
>         --url=/usr/local/samba/private/idmap.ldb
>         On the PDC it shows (cut):
>         
>         # record 7
>         dn: CN=S-1-5-21-3451120384-2816699473-3647757164-1110
>         cn: S-1-5-21-3451120384-2816699473-3647757164-1110
>         objectClass: sidMap
>         objectSid: S-1-5-21-3451120384-2816699473-3647757164-1110
>         type: ID_TYPE_BOTH
>         xidNumber: 3000023
>         distinguishedName:
>         CN=S-1-5-21-3451120384-2816699473-3647757164-1110
>         
>         
>         On the BDC it shows (cut):
>         # record 5
>         dn: CN=S-1-5-21-3451120384-2816699473-3647757164-1110
>         cn: S-1-5-21-3451120384-2816699473-3647757164-1110
>         objectClass: sidMap
>         objectSid: S-1-5-21-3451120384-2816699473-3647757164-1110
>         type: ID_TYPE_BOTH
>         xidNumber: 3000020
>         distinguishedName:
>         CN=S-1-5-21-3451120384-2816699473-3647757164-1110
>         
>         
>         
>         SID is the same, but the UID is different!
>         

Good. Now delete the whole of BOTH these entries:
ldbedit --url=/usr/local/samba/private/idmap.ldb

Now delete tester4:
samba-tool user delete tester4

Now add the user tester4:
samba-tool user add tester4

wbinfo -i tester4
(I don't have tester4 so I'll use steve2 as an example)

wbinfo -i steve2
HH3\steve2:*:3000021:20513::/home/HH3/steve2:/bin/false

Note the uid 3000021

Now, we add
uidNumber: 3000021
to AD:

ldbedit --url=/usr/local/samba/private/sam.ldb cn=steve2
# editing 1 records
# record 1
dn: CN=steve2,CN=Users,DC=hh3,DC=site
cn: steve2
instanceType: 4
whenCreated: 20130605152701.0Z
uSNCreated: 3800
name: steve2
objectGUID: 3dfcb8e8-fca2-49ea-9ac8-8e1b0563a379
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 0
primaryGroupID: 513
objectSid: S-1-5-21-451355595-2219208293-2714859210-1107
logonCount: 0
sAMAccountName: steve2
sAMAccountType: 805306368
userPrincipalName: steve2 at hh3.site
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=hh3,DC=site
pwdLastSet: 130149196210000000
userAccountControl: 66048
accountExpires: 0
uidNumber: 3000021
<snip>

Now:
ln -s /usr/local/samba/lib/libnss_winbind.so.2 /lib/libnss_winbind.so
ln -s /lib/libnss_winbind.so /lib/libnss_winbind.so.2

and edit /etc/nsswitch.conf

passwd:          files winbind
group:           files winbind

Test it:
getent passwd steve2
steve2:*:3000021:20513:steve2:/home/users/steve2:/bin/bash

login as steve2 and create a file:
su steve2
touch /tmp/somefile
ls -l /tmp/somefile
-rw-r--r-- 1 steve2 Domain Users 0 Jun 19 11:41 /tmp/somefile

HTH
Steve
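As an added example (my own, not code from the thread or from Samba), here are two offline checks over the formats quoted above: one flags SIDs whose xidNumber differs between two DCs' idmap.ldb dumps, the other confirms the uidNumber pinned in sam.ldb equals what winbind reports. The -1109 record and the temp-file layout are constructed; it needs only POSIX sh, awk and sed, no Samba tools.

```shell
#!/bin/sh
# Added example, not from the thread. Two offline consistency checks for the
# symptoms discussed above: the same SID getting a different xidNumber in
# idmap.ldb on two DCs, and the uidNumber pinned in AD (sam.ldb) not matching
# the uid winbind hands out. Inputs are LDIF text as printed by ldbsearch/
# ldbedit and passwd-format lines as printed by "wbinfo -i" or "getent passwd".

# Print "SID pdc=X bdc=Y" for each SID whose xidNumber differs between the
# idmap.ldb dumps in $1 (PDC) and $2 (BDC). Relies on objectSid preceding
# xidNumber within each record, which is the order ldb prints them in.
idmap_mismatch() {
    awk '
        /^objectSid: / { sid = $2 }
        /^xidNumber: / {
            if (NR == FNR) pdc[sid] = $2                # still reading file 1
            else if ((sid in pdc) && pdc[sid] != $2)
                print sid, "pdc=" pdc[sid], "bdc=" $2
        }' "$1" "$2"
}

# $1 = passwd-format line for the user, $2 = sam.ldb LDIF for the same user.
# Succeeds only when AD carries a uidNumber equal to the uid winbind reports.
uid_pinned() {
    wb_uid=$(printf '%s\n' "$1" | cut -d: -f3)
    ad_uid=$(awk '/^uidNumber: / { print $2; exit }' "$2")
    [ -n "$ad_uid" ] && [ "$ad_uid" = "$wb_uid" ]
}

# Constructed sample data: the -1110 record quoted in the thread plus a made-up
# -1109 record that both DCs agree on, and steve2 with uidNumber 3000021.
demo() {
    pdc=$(mktemp); bdc=$(mktemp); sam=$(mktemp)
    printf '%s\n' 'dn: CN=S-1-5-21-3451120384-2816699473-3647757164-1110' \
        'objectSid: S-1-5-21-3451120384-2816699473-3647757164-1110' \
        'type: ID_TYPE_BOTH' 'xidNumber: 3000023' '' \
        'dn: CN=S-1-5-21-3451120384-2816699473-3647757164-1109' \
        'objectSid: S-1-5-21-3451120384-2816699473-3647757164-1109' \
        'type: ID_TYPE_BOTH' 'xidNumber: 3000022' > "$pdc"
    sed 's/3000023/3000020/' "$pdc" > "$bdc"     # BDC disagrees on -1110 only
    printf '%s\n' 'dn: CN=steve2,CN=Users,DC=hh3,DC=site' \
        'sAMAccountName: steve2' 'uidNumber: 3000021' > "$sam"
    idmap_mismatch "$pdc" "$bdc"
    if uid_pinned 'HH3\steve2:*:3000021:20513::/home/HH3/steve2:/bin/false' "$sam"
    then echo "steve2: AD uidNumber matches winbind uid"; fi
    rm -f "$pdc" "$bdc" "$sam"
}
```

Running `demo` reports only the -1110 SID as mismatched (pdc=3000023 bdc=3000020), which is exactly the disagreement the thread shows, and confirms steve2's pinned uid.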
