[Samba] [SOLVED] (kinda) Re: Can't get idmap_ad to work with winbind (only idmap_rid)

"Andreas Braml (BürgerEnergie Berlin)" a.braml at buerger-energie-berlin.de
Wed Jan 28 12:56:22 MST 2015


After a night of sleeping it over, I just started from scratch today.

So I re-did all the client setups, starting with Ubuntu, this time
14.04, not 12.04 as when I first tried. Again I did what it says in
the Wiki and - bingo! It works as advertised, Unix uid/gid, home
directory and login shell information come from the directory now.
Even PAM login works, although I don't need that for now.
I wonder where I screwed up the first time. The steps aren't that
complicated after all. Well...

So the problem is not in the AD setup.

But when I take the "known good" smb.conf to a fresh FreeBSD client
installed from scratch, adjusting the netbios name and then doing the
join, the behavior stays the same: backend rid works, ad does not.

There seems to be a problem with FreeBSD as a member server after all.

And I will check with Ubuntu 12.04 again.

On 27.01.2015 16:48, Rowland Penny wrote:
> OK, you posted 'I followed the instructions for RFC 2307 and
> decided to use RID+100000 for the default users/groups and 102XXX
> for my additional groups/users'. What do you mean by 'default
> users/groups'

The ones you get after the provisioning step is done.

> and 'additional groups/users'?

The ones that I add later.

> You really only need to give Domain Users and Domain Admins a
> 'gidNumber' attribute, you then give your users a 'uidNumber'
> attribute.

At one point I thought that this might be the problem - so long as
there's only even one single group/user that doesn't have a [gu]idNumber
set, it wouldn't work. That assumption was wrong, obviously. But it
didn't hurt either with the hunt for the problem at hand.

I won't do that in the production environment. So only groups/users that
are relevant for what's shared on the member server (ACLs) will get the

> Why did you choose the numbers that you have? You can start both
> 'uidNumber' & 'gidNumber' from 10000, this is what Windows
> expects, there doesn't need to be any link between RID and
> uidNumber/gidNumber.

The highest uid in use on the BSD is for the 'nobody' user (65534). It
might be a while before the AD user/group count gets to that, but I
wanted to play it safe here and started beyond that. msSFU30MaxUidNumber
and msSFU30MaxGidNumber are set accordingly.

> I think your problem is that you have given your users/groups
> numbers that are outside the ranges you have set in AD.

No, it's not. (Since it works on Ubuntu now.)

Sorry for the interruption - move along!
