[Samba] rid mapping works on member server but not DC

Jonathan Hunter jmhunter1 at gmail.com
Sun Apr 12 04:55:48 MDT 2015


Hi,

I have been struggling with this for a few days and think that now's
the time I can ask for help :) It's not an area I have delved into
before, so I have been trying to follow the documentation, do my own
research, and do as much configuration/testing as I can myself; but I
am now confused. (I am running 4.2.0 throughout).

I have successfully set up and configured a member server with the
following smb.conf (sanitised for the list):

[global]
        workgroup = MY-DOMAIN
        security = ADS
        realm = MY-DOMAIN.MYORG.CO.UK
        dedicated keytab file = /etc/krb5.keytab
        kerberos method = secrets and keytab
        idmap config *:backend = tdb
        idmap config *:range = 900000-999999
        idmap config MY-DOMAIN:backend = rid
        idmap config MY-DOMAIN:range = 4000000-4999999
        winbind use default domain = yes
        winbind enum users = yes
        winbind enum groups = yes
        winbind refresh tickets = yes
        winbind expand groups = 8

I can successfully update the RID range to e.g. 2000000-2999999 in
smb.conf, and using the following commands this does take effect:

# killall winbindd
# /usr/local/samba/sbin/winbindd
# net cache flush

When I run "wbinfo -i username", I can see the updated RID mappings,
as shown here:

[... edit smb.conf from 2000000 to 4000000... ]
# killall winbindd
# /usr/local/samba/sbin/winbindd
# wbinfo -i user1
user1:*:201105:200513:User 1:/home/MY-DOMAIN/user1:/bin/false
# net cache flush
# wbinfo -i user1
user1:*:4001105:4000513:User 1:/home/MY-DOMAIN/user1:/bin/false

This all works perfectly, and is exactly what I want to achieve, as my
UID mappings are currently inconsistent across various machines.

However, I have a second server (which is a domain controller, not a
domain member) and the same configuration does not work here - this is
where I am now confused.

What am I missing? Whatever I do, it does not seem to pay attention to
the RID mapping settings (which I have copied over from the working
member server I just set up to test, above):

[... edit smb.conf to add the RID mapping section, using any numbers I
like e.g. 2000000 ... ]
# service samba4 restart     <-- essentially, just kills and then
restarts the /usr/local/samba/sbin/samba binary
# wbinfo -i user2
user2:*:3000015:100:User 2:/home/MY-DOMAIN/user2:/bin/false
# net cache flush
# wbinfo -i user2
user2:*:3000015:100:User 2:/home/MY-DOMAIN/user2:/bin/false

The 3000015 and 100 UID/GIDs seem to be the default mapping - these do
not match the RID range I am trying to configure.

Top section of smb.conf from the domain controller; all the idmap and
winbind lines were copied directly from the working member server:

[global]
        workgroup = MY-DOMAIN
        realm = MY-DOMAIN.MYORG.CO.UK
        netbios name = MY-DC1
        server role = active directory domain controller
        dns forwarder = 192.168.1.2
        idmap config *:backend = tdb
        idmap config *:range = 900000-999999
        idmap config MY-DOMAIN:backend = rid
        idmap config MY-DOMAIN:range = 4000000-4999999
        winbind use default domain = yes
        winbind enum users = yes
        winbind enum groups = yes
        winbind refresh tickets = yes
        winbind expand groups = 8

The only difference I can see is that the member server has the
'security = ads' line and the DC doesn't; however if I add that to the
DC config, Samba won't start up, so I don't think that's it:

[2015/04/12 11:40:56.019515,  0] ../source4/smbd/server.c:475(binary_smbd_main)
  At this time the 'samba' binary should only be used for either:
  'server role = active directory domain controller' or to access the
ntvfs file server with 'server services = +smb' or the rpc proxy with
'dcerpc endpoint servers = remote'
  You should start smbd/nmbd/winbindd instead for domain member and
standalone file server tasks
[2015/04/12 11:40:56.019982,  0] ../lib/util/become_daemon.c:111(exit_daemon)
  STATUS=daemon failed to start: Samba detected misconfigured 'server
role' and exited. Check logs for details, error code 22

There are some Kerberos lines also present on the member server but
these aren't on the DC; are these critical for idmap activity??

Is there some other ldb/tdb cache file I need to clear out, perhaps?
(I don't want to simply rm /usr/local/samba/private/* as I was doing
on the test member server - this is a DC!) Or have I missed something
basic, in which case sorry (and I will try to update the wiki to make
it clearer in case others miss it, too..! :) )

Thanks,

Jonathan

-- 
"If we knew what it was we were doing, it would not be called
research, would it?"
      - Albert Einstein
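As an added illustration of the check the post is doing by hand (this is not code from the thread or from Samba), the snippet below parses the `idmap config` lines of an smb.conf excerpt, applies the idmap_rid rule (Unix ID = range low + RID) and tests whether a `wbinfo -i` line is consistent with that rule. The config excerpt is constructed from the member-server settings in the post; the two `wbinfo` lines are copied from it.

```python
import re

# Constructed excerpt of the member-server smb.conf quoted in the post.
MEMBER_CONF = """
[global]
        idmap config *:backend = tdb
        idmap config *:range = 900000-999999
        idmap config MY-DOMAIN:backend = rid
        idmap config MY-DOMAIN:range = 4000000-4999999
"""

# wbinfo -i output from the post: member server (honours rid) and DC (does not).
MEMBER_LINE = "user1:*:4001105:4000513:User 1:/home/MY-DOMAIN/user1:/bin/false"
DC_LINE = "user2:*:3000015:100:User 2:/home/MY-DOMAIN/user2:/bin/false"

IDMAP_RE = re.compile(r"^\s*idmap config\s+(\S+?)\s*:\s*(backend|range)\s*=\s*(\S+)\s*$")


def parse_idmap(conf):
    """Collect {domain: {'backend': str, 'range': (low, high)}} from smb.conf text."""
    result = {}
    for line in conf.splitlines():
        m = IDMAP_RE.match(line)
        if not m:
            continue
        domain, key, value = m.groups()
        entry = result.setdefault(domain, {})
        if key == "range":
            low, high = (int(x) for x in value.split("-"))
            entry["range"] = (low, high)
        else:
            entry["backend"] = value.lower()
    return result


def rid_to_xid(rid, low, high):
    """idmap_rid rule: Unix ID = range low + RID; None when the result leaves the range."""
    xid = low + rid
    return xid if low <= xid <= high else None


def check_wbinfo(line, idmap, domain):
    """Return (honours_rid, implied_user_rid, implied_group_rid) for a wbinfo -i line.

    IDs inside the domain's rid range imply RID = ID - low; an ID outside it means
    the host allocated the ID some other way and is not using the rid backend.
    """
    fields = line.split(":")
    uid, gid = int(fields[2]), int(fields[3])
    low, high = idmap[domain]["range"]
    in_range = low <= uid <= high and low <= gid <= high
    if not in_range or idmap[domain].get("backend") != "rid":
        return (False, None, None)
    return (True, uid - low, gid - low)
```

Run against the member-server line this reports the implied RIDs (1105 for user1, 513 for Domain Users); against the DC line it reports that the configured rid range is not being applied.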
