[Samba] [SOLVED] (kinda) Re: Can't get idmap_ad to work with winbind (only idmap_rid)

Rowland Penny rowlandpenny at googlemail.com
Wed Jan 28 13:21:10 MST 2015

On 28/01/15 19:56, "Andreas Braml (BürgerEnergie Berlin)" wrote:
> Hi!
> After a night of sleeping it over, I just started from scratch today.
> So I re-did all the client setups, starting with Ubuntu, this time
> 14.04, not 12.04 as when I first tried. Again I did what it says in
> the Wiki and - bingo! It works as advertised, Unix uid/gid, home
> directory and login shell information come from the directory now.
> Even PAM login works, although I don't need that for now.
> I wonder where I screwed up the first time. The steps aren't that
> complicated after all. Well...
> So the problem is not in the AD setup.
> But when I take the "known good" smb.conf to a fresh FreeBSD client
> installed from scratch, adjusting the netbios name and then doing the
> join, the behavior stays the same: backend rid works, ad does not.

Very strange, but just one thing: you don't actually have to set the 
netbios name in smb.conf. It might help if you post your smb.conf.

> There seems to be a problem with FreeBSD as a member server after all.
> And I will check with Ubuntu 12.04 again.
> On 27.01.2015 16:48, Rowland Penny wrote:
>> OK, you posted 'I followed the instructions for RFC 2307 and
>> decided to use RID+100000 for the default users/groups and 102XXX
>> for my additional groups/users' What do you mean by 'default
>> users/groups'
> The ones you get after the provisioning step is done.

You do not need to give these a uidNumber or gidNumber.

>> and 'additional groups/users' ?
> The ones that I add later.
>> You really only need to give Domain Users and Domain Admins a
>> 'gidNumber' attribute, you then give your users a 'uidNumber'
>> attribute.
> At one point I thought that this might be the problem - so long as
> there's even one single group/user that doesn't have a [gu]idNumber
> set, it wouldn't work. That assumption was wrong, obviously. But it
> didn't hurt either with the hunt for the problem at hand.

If you use the 'ad' backend, winbind will only pull users & groups that 
have a uidNumber or gidNumber; these numbers need to be inside the range 
set in smb.conf, and any other users are ignored.

> I won't do that in the production environment. So only groups/users that
> are relevant for what's shared on the member server (ACLs) will get the
> [gu]idNumber.
>> Why did you choose the numbers that you have? You can start both
>> 'uidNumber' & 'gidNumber' from 10000; this is what Windows
>> expects. There doesn't need to be any link between RID and
>> uidNumber/gidNumber.
> The highest uid in use on the BSD is for the 'nobody' user (65534). It
> might be a while before the AD user/group count gets to that, but I
> wanted to play it safe here and started beyond that. msSFU30MaxUidNumber
> and msSFU30MaxGidNumber are set accordingly.

Yes, I noticed that about 'nobody' (there was probably a reason for 
this), so my adduser script jumps around 65534.

>> I think your problem is that you have given your users/groups
>> numbers that are outside the ranges you have set in AD.
> No, it's not. (Since it works on Ubuntu now.)

Well, it was just a thought. I know I had problems when I first started 
using winbind; I could only get the RID backend to work, until it just 
seemed to click, and now I have no problems. :-)


> Sorry for the interruption - move along!
> Cheers,
> Andreas
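The point Rowland makes above about the 'ad' backend (only accounts that carry a uidNumber/gidNumber inside the smb.conf range are mapped, everything else is silently ignored) is easy to get wrong when hand-assigning RFC 2307 ids. The following script is an added example, not code from this thread or from the Samba project: it parses the `idmap config` lines of a constructed smb.conf fragment, then shows for a constructed set of AD accounts which ones winbind's 'ad' backend would map and which it would drop, next to the ids the 'rid' backend would allocate for the same accounts (low end of the range + RID, the idmap_rid default with base_rid = 0). The smb.conf text, the account records and the domain name SAMDOM are all sample data.

```python
"""
Added example (not from the Samba list thread): an offline check of which
constructed AD accounts winbind's 'ad' idmap backend would map and which it
would ignore, next to the ids the 'rid' backend would compute.
"""
import re

# Constructed smb.conf fragment: 'ad' backend for the domain SAMDOM.
SAMPLE_SMB_CONF = """
[global]
   workgroup = SAMDOM
   security = ADS
   realm = SAMDOM.EXAMPLE.COM

   idmap config * : backend = tdb
   idmap config * : range = 3000-7999

   idmap config SAMDOM : backend = ad
   idmap config SAMDOM : schema_mode = rfc2307
   idmap config SAMDOM : range = 100000-199999
"""

# Constructed AD accounts: (name, kind, RID, rfc2307 uidNumber/gidNumber or None)
SAMPLE_ACCOUNTS = [
    ("Domain Users",  "group", 513,  100513),   # inside range -> mapped
    ("Domain Admins", "group", 512,  None),     # no gidNumber -> ignored
    ("alice",         "user",  1104, 100100),   # inside range -> mapped
    ("bob",           "user",  1105, 65534),    # below range -> ignored
    ("backup-svc",    "user",  1106, 250000),   # above range -> ignored
]

_IDMAP_RE = re.compile(
    r"^\s*idmap config\s+(?P<dom>\S+)\s*:\s*(?P<key>\w+)\s*=\s*(?P<val>.+?)\s*$",
    re.IGNORECASE,
)

def parse_idmap_config(conf_text):
    """Return {DOMAIN: {key: value}} for every 'idmap config' line."""
    cfg = {}
    for line in conf_text.splitlines():
        m = _IDMAP_RE.match(line)
        if m:
            cfg.setdefault(m.group("dom").upper(), {})[m.group("key").lower()] = m.group("val")
    return cfg

def parse_range(range_str):
    """Split 'low-high' into two ints and sanity-check the order."""
    low, high = (int(x) for x in range_str.split("-"))
    if low > high:
        raise ValueError("idmap range low end must not exceed high end")
    return low, high

def classify_ad_backend(accounts, low, high):
    """'ad' backend behaviour: only entries with an rfc2307 id inside
    [low, high] are mapped; entries without an id or outside it are ignored."""
    mapped, ignored = {}, {}
    for name, _kind, _rid, rfc_id in accounts:
        if rfc_id is None:
            ignored[name] = "no uidNumber/gidNumber attribute"
        elif not (low <= rfc_id <= high):
            ignored[name] = f"id {rfc_id} outside range {low}-{high}"
        else:
            mapped[name] = rfc_id
    return mapped, ignored

def rid_backend_ids(accounts, low, high, base_rid=0):
    """'rid' backend behaviour (assumed default): id = low + (RID - base_rid);
    a result outside the range is left unmapped."""
    ids = {}
    for name, _kind, rid, _rfc_id in accounts:
        candidate = low + rid - base_rid
        if low <= candidate <= high:
            ids[name] = candidate
    return ids

def report(conf_text=SAMPLE_SMB_CONF, accounts=SAMPLE_ACCOUNTS, domain="SAMDOM"):
    """Combine the parsed config with both backends' view of the accounts."""
    cfg = parse_idmap_config(conf_text)[domain.upper()]
    low, high = parse_range(cfg["range"])
    mapped, ignored = classify_ad_backend(accounts, low, high)
    return {"backend": cfg["backend"], "range": (low, high),
            "ad_mapped": mapped, "ad_ignored": ignored,
            "rid_ids": rid_backend_ids(accounts, low, high)}

if __name__ == "__main__":
    r = report()
    print(f"backend={r['backend']} range={r['range']}")
    for name, uid in r["ad_mapped"].items():
        print(f"  ad : {name:14s} -> {uid}")
    for name, why in r["ad_ignored"].items():
        print(f"  ad : {name:14s} ignored ({why})")
    for name, uid in r["rid_ids"].items():
        print(f"  rid: {name:14s} -> {uid}")
```

Run as-is it shows why the same domain can look fully populated under 'rid' (every account gets an id derived from its RID) yet half-empty under 'ad': 'Domain Admins' has no gidNumber, and 'bob' and 'backup-svc' carry ids outside the configured range, so all three vanish even though the join itself succeeded.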
