[Samba] idmap weirdness - wildcard values being used instead of rfc2307 AD values

Rowland Penny rowlandpenny at googlemail.com
Thu Oct 30 07:18:22 MDT 2014

On 30/10/14 12:46, Doug Meredith wrote:
> Hi Rowland,
> On Thu, Oct 30, 2014 at 9:31 AM, Rowland Penny <rowlandpenny at googlemail.com>
> wrote:
>> On 30/10/14 11:29, Doug Meredith wrote:
>>> I've done a lot of research on this and haven't been able to solve the
>>> problem.  Hopefully someone here has a better understanding of this than I
>>> do.
>>> The problem is that the UIDs and GIDs are not being fetched from AD.  For
>>> example "getent passwd doug" returns:
>>> doug:*:70003:70005:Doug Meredith:/home/DSTRC/doug:/bin/false
>>> My full name has correctly been pulled from AD but the UID specified in AD
>>> is 20001 and the group is 10000.
>> Is the computer joined to the domain? What is the AD DC? Any chance of
>> seeing the user's entry in AD? smb.conf appears OK, except that what is
>> being pulled from AD doesn't seem to include the user's unixHomeDirectory &
>> loginShell. I wonder if you are mistaking the 'uid' attribute for the
>> 'uidNumber' attribute?
> The computer is joined to the domain (the computer account was successfully
> created in AD).  The DC is Debian running sernet Samba 4.1.12.
> When I refer to the UID in AD, I mean the value stored on the "UNIX
> attributes" tab in ADUAC.  I hadn't noticed this until you pointed it out,
> but you are right about the home directory and shell.  The values shown by
> getent are not the values specified in AD.  That reframes the problem (for
> me; seems like you already realized it):  The user's full name (a standard
> AD attribute) is being pulled successfully, but *none* of the RFC2307
> attributes are being retrieved.  Any thoughts on why this might be, or
> things I could try in order to identify the problem?
> Doug
OK, my DC is Debian 7.5 with Samba 4.1.11 from backports and a Linux
Mint 17 client running 4.1.6. The client has a very similar smb.conf to
yours; it just differs in the ranges and a couple of lines:

         dedicated keytab file = /etc/krb5.keytab
         kerberos method = secrets and keytab

         idmap config * : backend = tdb
         idmap config * : range = 2000-9999
         idmap config EXAMPLE : backend  = ad
         idmap config EXAMPLE : range = 10000-999999
         idmap config EXAMPLE : schema_mode = rfc2307

My setup works, so there must be something just a little bit different.
Does /etc/resolv.conf point to the DC? What is in /etc/krb5.conf? What
is in /etc/nsswitch.conf? What PAM modules do you have installed?
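As an added example, not code from the thread: a small Python checker for the idmap lines in smb.conf. It flags a workgroup that has no matching 'idmap config' entry (so the domain silently falls under the '*' tdb allocator instead of the ad backend) and domain ranges that overlap the '*' range, and it reports which backend's range a uid/gid shown by getent falls in. The workgroup, ranges and ID values in the sample are assumptions, not Doug's actual configuration.

```python
import re
# Constructed smb.conf fragment for a domain-member server; workgroup, ranges
# and ID values are assumptions, chosen so an ID in the '*' range is visible.
SAMPLE_SMB_CONF = """
[global]
   workgroup = DSTRC
   security = ads
   idmap config * : backend = tdb
   idmap config * : range = 70000-79999
   idmap config DSTRC : backend = ad
   idmap config DSTRC : range = 10000-69999
   idmap config DSTRC : schema_mode = rfc2307
"""

IDMAP_RE = re.compile(r"^\s*idmap config\s+(\S+)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.I)
WORKGROUP_RE = re.compile(r"^\s*workgroup\s*=\s*(\S+)", re.I | re.M)

def parse_idmap(conf_text):
    """Return {DOMAIN: {option: value}}; the 'range' value becomes a (lo, hi) tuple."""
    cfg = {}
    for line in conf_text.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            cfg.setdefault(m.group(1).upper(), {})[m.group(2).lower()] = m.group(3)
    for opts in cfg.values():
        if "range" in opts:
            opts["range"] = tuple(int(x) for x in opts["range"].split("-", 1))
    return cfg

def check_config(conf_text):
    """List misconfigurations that make winbind fall back to the '*' backend."""
    cfg, problems = parse_idmap(conf_text), []
    wg = WORKGROUP_RE.search(conf_text)
    if wg and wg.group(1).upper() not in cfg:
        problems.append(f"workgroup {wg.group(1)} has no 'idmap config' entry")
    wild = cfg.get("*", {}).get("range")
    for dom, opts in cfg.items():
        lo, hi = opts.get("range", (None, None))
        if lo is None:
            problems.append(f"{dom}: no range set")
        elif dom != "*" and wild and lo <= wild[1] and wild[0] <= hi:
            problems.append(f"{dom}: range {lo}-{hi} overlaps the '*' range")
    return problems

def classify_id(conf_text, number):
    """Return (domain, backend) whose idmap range holds a uid/gid shown by getent."""
    for dom, opts in parse_idmap(conf_text).items():
        if "range" in opts and opts["range"][0] <= number <= opts["range"][1]:
            return dom, opts.get("backend", "?")
    return None, None
```

An ID that classify_id places in the '*' range was handed out by the tdb allocator, so for that user the rfc2307 attributes in AD were never consulted.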