[Samba] How does one "look at AD" in Samba4.1?

Stuart Longland stuartl at vrt.com.au
Mon Mar 17 06:11:02 MDT 2014

On 17/03/14 18:54, steve wrote:
> On Mon, 2014-03-17 at 15:42 +1000, Stuart Longland wrote:
>> On 16/03/14 11:14, steve wrote:
>>> e.g. for Domain Users:
>>> ldbedit --url=/usr/local/samba/private/sam.ldb cn=Domain\ Users
>> This has been a *big* help.  I knew the information I needed was in LDAP
>> somewhere, just didn't know how to get at it to edit it.
>>> Now add something like RID+20000:
>>> gidNumber: 20513
>> You mention "RID", where do I find this?  What's the significance of the
>> 20000?
> Using Domain Users again as an example, you'll have seen something like:
> S-1-5-21-1085031214-1563985344-725345543 513
> This nails Domain Users in your domain. No one else has that combination
> of characters.
> S-1-5-21-1085031214-1563985344-725345543
> is called the SID. Security ID. It's unique for your domain.
> 513
> is called the RID. Relative ID
> We add 20000 to it simply to move it away from local Linux groups which
> are often in the same sort of 500-ish region. This avoids a clash with
> local groups. Windows ignores it anyway so it doesn't matter what you
> use. Having 513 in it somewhere makes it more readable for others.

Ahh okay.  Makes sense.

>>> now:
>>> getent group Domain\ Users
>>> will return.
>> Well, this half-works now: I can do a `getent group 'MYDOMAIN\Domain
>> Users', and get a result.
> Can you tell us the result? Do you get 20513?

I do;
> admin at bnedevfs0:~$ getent group 'MYREALM\Domain Users'
> MYREALM\domain users:x:20513:

>> It doesn't know about 'Domain Users' however: it seems to go looking for
>> this in a domain called BNEDEVFS0 (the hostname of the machine).
> That comes from:
> workgroup =
> in smb.conf

Interesting, I have:
>    workgroup = MYREALM
>    server role = MEMBER SERVER
>    security = ADS
>    log level = 10
>    idmap config *:backend = tdb
>    idmap config *:range = 70001-80000
>    idmap config MYREALM:backend = ad
>    idmap config MYREALM:schema_mode = rfc2307
>    idmap config MYREALM:range = 0-40000
>    template shell = /bin/bash

If I do a getent on the two domain controllers, it works without the
MYREALM\ prefix, but on the file server, it expects the MYREALM\ prefix.

> If it's working as you expect, just add:
>  winbind use default domain = Yes
> to smb.conf. This will remove the BNEDEVFSO\ bit.

Adding that and restarting winbind, I now get:
> admin at bnedevfs0:~$ getent passwd 'Administrator'
> administrator:*:20500:20513::/home/MYREALM/administrator:/bin/bash
> admin at bnedevfs0:~$ getent group 'Domain Users'
> domain users:x:20513:

That looks like it nails it.  Thanks.

> How many domains do you have? Is there a subomain for example?

No, just the one.  It's a small organisation and so I see little benefit
in subdividing it further.

> With a lot of this stuff, if it's working and you're in production,
> leave it.

Indeed, that's how I intend to work it, once I get it running.  I've
gotten this far with the test network, so now the fun is layering on
LDAP-driven email.

Your help has been much appreciated.  I shall take it from here and see
where I wind up.

Stuart Longland
     _ ___
\  /|_) |                           T: +61 7 3535 9619
 \/ | \ |     38b Douglas Street    F: +61 7 3535 9699
   SYSTEMS    Milton QLD 4064       http://www.vrt.com.au

More information about the samba mailing list