[Samba] winbind/idmap issue on samba4 member server

Rowland Penny rowlandpenny at googlemail.com
Mon Oct 20 11:43:28 MDT 2014


On 20/10/14 18:28, ?icro MEGAS wrote:
> Oh! I think I did find the error now :-) If I understand "NOW" correctly, I have also to assign a UID to EACH of my AD users in ADUC tool in the [UNIX Attribute] tab, is that correct? I just tried out. In ADUC tool I did choose "testuser3", and on the [UNIX Attribute] tab I activated the NIS domain so it reflects to "MYDOM". Then by default there was UID=10000, I modified that to 11111. After that, on DC1 "getent passwd testuser3" returned the new id 11111 for that user. And when I execute "getent passwd" on my member server, I get that particular testuser displayed correctly with UID=11111. GREAT! :-)
>
> To summarize: I gave testuser3 the UID=11111, which is within the range for the domain MYDOM which is using ad backend (see my member server smb.conf on the initial posting of this thread). That's why the mapping occurred correctly. The other AD users have an id over 3.000.000, and "no" NIS domain was assigned to their attributes through ADUC tool yet. That's why the mapping CANNOT occur.
>
> Is that correct, just to be sure that I did understand how it works?
You are very nearly correct; your smb.conf on the member server has 
these lines:

idmap config MYDOM:backend = ad
idmap config MYDOM:schema_mode = rfc2307
idmap config MYDOM:range = 500-40000

The first line makes winbind use the ad backend, the second ensures that 
the rfc2307 attributes are used and the third line sets the range of 
users to pull from AD.

What this boils down to is:

A) only users with a uidNumber will be pulled
B) the uidNumber must be within the range given in smb.conf, in your 
case between 500 and 40000

Any users without a uidNumber will be ignored, so any users that you 
want to connect to the member server will have to have a uidNumber; 
groups will also have to have a gidNumber. You can add other rfc2307 
attributes, but these are not really mandatory, they just make life a lot 
easier ;-)

Rowland


>
> As conclusion ==> I have to edit EVERY single user in my AD and activate [UNIX Attribute] --> NIS DOMAIN: MYDOM and assign a unique ID to it?
>
> Mirco
>
> I have done everything according to https://wiki.samba.org/index.php/Using_RFC2307_on_a_Samba_DC and afterwards with ADUC tool I assigned GID=10000 to the AD group "Domain Users". As you have seen on my initial posting, the setting was reflected to my AD users. I did not touch any setting in [UNIX Attribute] tab for my users though...
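The two rules Rowland gives above (a user is only mapped if it has a uidNumber, and only if that uidNumber falls inside the idmap range for the domain) can be checked before winbind is asked to do it. The script below is an added example, not code from the thread or from the Samba project: it parses the `idmap config DOM:range` line out of an smb.conf fragment and classifies a constructed set of AD user entries the way the ad backend would. It also flags two users sharing one uidNumber, which the thread does not discuss but which matters because two AD accounts with the same uidNumber become one and the same Unix identity on the member server.

```python
import re

# Constructed smb.conf fragment: the three lines quoted in the thread.
SMB_CONF = """
[global]
   idmap config MYDOM:backend = ad
   idmap config MYDOM:schema_mode = rfc2307
   idmap config MYDOM:range = 500-40000
"""

# Constructed AD user entries, as they might come out of ldbsearch/ldapsearch.
AD_USERS = [
    {"sAMAccountName": "testuser3", "uidNumber": 11111},  # the user fixed via ADUC
    {"sAMAccountName": "alice", "uidNumber": 3000021},    # id "over 3.000.000", out of range
    {"sAMAccountName": "bob"},                            # no uidNumber at all
    {"sAMAccountName": "carol", "uidNumber": 11111},      # hypothetical clash with testuser3
]

def parse_idmap_ranges(conf):
    """Return {DOMAIN: (low, high)} for every 'idmap config DOM:range = a-b' line."""
    ranges = {}
    pattern = r"idmap config\s+(\S+?):range\s*=\s*(\d+)\s*-\s*(\d+)"
    for m in re.finditer(pattern, conf):
        ranges[m.group(1).upper()] = (int(m.group(2)), int(m.group(3)))
    return ranges

def check_users(users, low, high):
    """Split users into those the ad backend will map and those it will ignore.
    Returns (mapped, ignored, duplicates): mapped is {name: uid}, ignored is
    {name: reason}, duplicates is {uid: [names]} for uids shared by >1 user."""
    mapped, ignored, by_uid = {}, {}, {}
    for u in users:
        name, uid = u["sAMAccountName"], u.get("uidNumber")
        if uid is None:
            ignored[name] = "no uidNumber"           # rule A in the reply
        elif not low <= uid <= high:
            ignored[name] = f"uidNumber {uid} outside {low}-{high}"  # rule B
        else:
            mapped[name] = uid
            by_uid.setdefault(uid, []).append(name)
    duplicates = {uid: names for uid, names in by_uid.items() if len(names) > 1}
    return mapped, ignored, duplicates

if __name__ == "__main__":
    low, high = parse_idmap_ranges(SMB_CONF)["MYDOM"]
    mapped, ignored, dups = check_users(AD_USERS, low, high)
    print("will map:   ", mapped)
    print("ignored:    ", ignored)
    print("shared uids:", dups)
```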


