[Samba] idmap weirdness - wildcard values being used instead of rfc2307 AD values

Rowland Penny rowlandpenny at googlemail.com
Thu Oct 30 07:58:22 MDT 2014 

On 30/10/14 13:36, Doug Meredith wrote:
> Hi Roland,
>
> On Thu, Oct 30, 2014 at 10:18 AM, Rowland Penny <rowlandpenny at googlemail.com
>> wrote:
>> OK, my DC is Debian 7.5 with samba 4.1.11 from backports and a Linux mint
>> 17 client running 4.1.6. The client has a very similar smb.conf to yours,
>> it just differs in the ranges and a couple of lines:
>>
>>          dedicated keytab file = /etc/krb5.keytab
>>          kerberos method = secrets and keytab
>>
>>          idmap config * : backend = tdb
>>          idmap config * : range = 2000-9999
>>          idmap config EXAMPLE : backend  = ad
>>          idmap config EXAMPLE : range = 10000-999999
>>          idmap config EXAMPLE : schema_mode = rfc2307
>>
>> My setup works, so there must be something just a little bit different,
>> does /etc/resolv.conf point to the DC ? what is in /etc/krb5.conf ? what is
>> in /etc/nsswitch.conf ? what pam modules do you have installed ?
>>
>>
> resolv.conf points to the two DCs.
>
> I don't have a krb5.keytab file.  I didn't do any explicit Kerberos setup
> on the member server, and I've just reviewed the wiki page "Setup a Samba
> AD Member Server", and it makes no mention of the need to do so.  I had
> assumed the fact that the member server can look up standard AD attributes,
> and it can authenticate SMB users confirmed the lack of need for any
> Kerberos setup, but my Kerberos knowledge is quite limited.  Yet your
> config works and mine does not.  Hum.... lol
>
> Member server nsswitch.conf:
>
> group: files winbind
> group_compat: nis
> hosts: files dns
> networks: files
> passwd: files winbind
> passwd_compat: nis
> shells: files
> services: compat
> services_compat: nis
> protocols: files
> rpc: files
>
> I haven't done anything with PAM.  This is a fresh-out-of-the box test
> server with all the PAM defaults in place.
>
> Doug
Hi, AD is all about kerberos, so I think this is probably your problem, 
I use a debian based client and when I installed samba this was what I 
installed:

samba samba-vfs-modules samba-common-bin samba-common samba-libs 
libwbclient0 samba-dsdb-modules libnss-winbind smbclient libpam-winbind 
libsmbclient winbind krb5-config libpam-krb5 krb5-user

Never having used freebsd, I do not know what the packages will called 
on your distro, but I think you need to find out and install them.

Rowland

More information about the samba mailing list