[Samba] idmap weirdness - wildcard values being used instead of rfc2307 AD values

Doug Meredith doug.meredith at skyridge.com
Thu Oct 30 07:36:01 MDT 2014

Hi Rowland,

On Thu, Oct 30, 2014 at 10:18 AM, Rowland Penny <rowlandpenny at googlemail.com> wrote:

> OK, my DC is Debian 7.5 with samba 4.1.11 from backports and a Linux mint
> 17 client running 4.1.6. The client has a very similar smb.conf to yours,
> it just differs in the ranges and a couple of lines:
>         dedicated keytab file = /etc/krb5.keytab
>         kerberos method = secrets and keytab
>         idmap config * : backend = tdb
>         idmap config * : range = 2000-9999
>         idmap config EXAMPLE : backend  = ad
>         idmap config EXAMPLE : range = 10000-999999
>         idmap config EXAMPLE : schema_mode = rfc2307
> My setup works, so there must be something just a little bit different.
> Does /etc/resolv.conf point to the DC? What is in /etc/krb5.conf? What is
> in /etc/nsswitch.conf? What PAM modules do you have installed?

resolv.conf points to the two DCs.

I don't have a krb5.keytab file. I didn't do any explicit Kerberos setup
on the member server, and I've just reviewed the wiki page "Setup a Samba
AD Member Server", which makes no mention of the need to do so. I had
assumed that the fact that the member server can look up standard AD
attributes and authenticate SMB users confirmed the lack of need for any
Kerberos setup, but my Kerberos knowledge is quite limited. Yet your
config works and mine does not. Hum.... lol

Member server nsswitch.conf:

group: files winbind
group_compat: nis
hosts: files dns
networks: files
passwd: files winbind
passwd_compat: nis
shells: files
services: compat
services_compat: nis
protocols: files
rpc: files

I haven't done anything with PAM.  This is a fresh-out-of-the box test
server with all the PAM defaults in place.
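Added example, not part of the thread: a small Python check over the idmap section of an smb.conf like the one Rowland quoted. It parses the "idmap config DOMAIN : key = value" lines, flags a missing "*" default domain, an ad backend whose schema_mode is not rfc2307, and ranges that overlap (Samba requires the idmap ranges of different domains to be disjoint), and tells you which configured range a given uid falls in. The point of the last helper is the thread's symptom: a uid that lands inside the "*" (tdb) range was allocated by the default backend rather than read from the rfc2307 uidNumber attribute. The sample configs are constructed for the example (the first copies the quoted idmap lines, the second is a deliberately broken variant); the assumption that schema_mode defaults to rfc2307 is noted in the code.

```python
import re
from typing import Dict, List, Optional, Tuple

# Matches "idmap config <DOMAIN> : <key> = <value>"; the domain may be "*".
IDMAP_RE = re.compile(
    r"^\s*idmap\s+config\s+([^:]+?)\s*:\s*(\S+)\s*=\s*(.+?)\s*$", re.IGNORECASE
)


def parse_idmap(smb_conf: str) -> Dict[str, Dict[str, str]]:
    """Collect the idmap config lines of an smb.conf, keyed by domain name."""
    cfg: Dict[str, Dict[str, str]] = {}
    for raw in smb_conf.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = IDMAP_RE.match(line)
        if m:
            dom, key, val = m.group(1).upper(), m.group(2).lower(), m.group(3)
            cfg.setdefault(dom, {})[key] = val
    return cfg


def parse_range(text: str) -> Tuple[int, int]:
    """Turn 'LOW-HIGH' into a (low, high) pair; raises ValueError if malformed."""
    lo, hi = (int(x.strip()) for x in text.split("-", 1))
    return lo, hi


def check_idmap(smb_conf: str) -> List[str]:
    """Return the problems found; an empty list means the idmap section looks sane."""
    cfg = parse_idmap(smb_conf)
    issues: List[str] = []
    if "*" not in cfg:
        issues.append("no 'idmap config *' default domain (needed for BUILTIN and unknown SIDs)")
    ranges: Dict[str, Tuple[int, int]] = {}
    for dom, opts in cfg.items():
        if "backend" not in opts:
            issues.append(f"{dom}: no backend configured")
        if "range" not in opts:
            issues.append(f"{dom}: no range configured")
            continue
        try:
            lo, hi = parse_range(opts["range"])
        except ValueError:
            issues.append(f"{dom}: unparsable range {opts['range']!r}")
            continue
        if lo > hi:
            issues.append(f"{dom}: range {lo}-{hi} is inverted")
        ranges[dom] = (lo, hi)
        # Assumption: schema_mode defaults to rfc2307 when not set explicitly.
        if opts.get("backend", "").lower() == "ad" and opts.get("schema_mode", "rfc2307").lower() != "rfc2307":
            issues.append(f"{dom}: ad backend with schema_mode {opts['schema_mode']}, not rfc2307")
    # Ranges of different idmap domains must not overlap; check every pair.
    doms = sorted(ranges)
    for i, a in enumerate(doms):
        for b in doms[i + 1:]:
            alo, ahi = ranges[a]
            blo, bhi = ranges[b]
            if alo <= bhi and blo <= ahi:
                issues.append(f"ranges for {a} ({alo}-{ahi}) and {b} ({blo}-{bhi}) overlap")
    return issues


def which_range(uid: int, smb_conf: str) -> Optional[str]:
    """Name the idmap domain whose range contains uid, or None if no range does."""
    for dom, opts in parse_idmap(smb_conf).items():
        if "range" in opts:
            lo, hi = parse_range(opts["range"])
            if lo <= uid <= hi:
                return dom
    return None


# Constructed sample: the idmap lines quoted in the thread.
GOOD_CONF = """
   idmap config * : backend = tdb
   idmap config * : range = 2000-9999
   idmap config EXAMPLE : backend  = ad
   idmap config EXAMPLE : range = 10000-999999
   idmap config EXAMPLE : schema_mode = rfc2307
"""

# Constructed counter-example: no default domain, and two ranges that overlap.
BAD_CONF = """
   idmap config EXAMPLE : backend = ad
   idmap config EXAMPLE : range = 2000-999999
   idmap config EXAMPLE : schema_mode = rfc2307
   idmap config OTHER : backend = rid
   idmap config OTHER : range = 5000-6000
"""

if __name__ == "__main__":
    for name, conf in (("good", GOOD_CONF), ("bad", BAD_CONF)):
        print(name, check_idmap(conf) or "ok")
    # A uid inside the '*' range was allocated by tdb, not read from AD.
    for uid in (2001, 10500, 1000):
        print(uid, "->", which_range(uid, GOOD_CONF))
```

To use it against a real member server, feed it the output of "testparm -s" and the uid that "getent passwd DOMAIN\\user" returns; a hit in the "*" range means winbind allocated the id locally and never used the rfc2307 attribute.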
