[Samba] Logins differ for ip/DNS on ad dc

Rowland Penny rpenny at samba.org
Sat Nov 5 12:05:50 UTC 2016

On Sat, 5 Nov 2016 12:11:20 +0100
Maximilian Kirchner <max.kirchner at gmail.com> wrote:

> Thanks for the reply Rowland (and sorry for replying twice). I
> actually used the wiki you linked to set up the DC. I just added those
> idmap settings because getent could not list my samba users after
> setting it up; due to your mail I realised I only needed the winbind
> options to make it work.
> The original problem still remains though, using \\SMB.WIE I can only
> access netlogon and sysvol, using \\ I can only access the
> shares.

This sounds like a dns problem, are your windows machines using the DC
as their nameserver ?

> I am not sure if I understand your comment about the rid backend:
> I added users with the samba-tool:
> samba-tool user create kirchner
> After that getent shows the user with ids:
> getent passwd kirchner
> SMB\kirchner:*:3000016:100::/home/SMB/kirchner:/bin/false
> So the user seems to have an id for user and group and I can use this
> uid to give access to files on the server.

OK, the '3000016' is allocated in idmap.ldb on the Samba DC, and the
allocation is done on a first come, first served basis. This means that
if you add another DC, your user may (and probably will) get a
different ID number on the second DC. You can sync idmap.ldb to the
second DC, but there is an easier way.

Before explaining the easier way, I will explain what happens on a
domain member. There are several winbind backends you can use, but the
two main ones are 'rid' and 'ad'. The 'rid' backend works similarly to
the DC, but the ID is calculated from the user or group RID, so you
should get the same ID on all Samba domain members, but the ID would be
different from the DC. The 'ad' backend is set up similarly to the
'rid' backend, but relies on the sysadmin (i.e. you) adding uidNumber
& gidNumber attributes to AD. The benefit of doing this is that these
attributes will be used on the DC, replacing the ones stored in
idmap.ldb, and on Samba domain members, i.e. you will get the same ID.

I hope you can now see the easiest way: use uidNumber & gidNumber
attributes. This will allow for later expansion (adding another DC or
domain members).
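The two mapping schemes Rowland describes, as an added worked example (this is editorial code, not from the thread or from the Samba project): the 'rid' arithmetic that gives every member the same ID from the object's RID, and the LDIF plus member smb.conf fragment for the 'ad' backend, where the ID comes from uidNumber/gidNumber stored in AD. It assumes the NetBIOS domain is SMB (as in Maximilian's getent output), a base DN of DC=smb,DC=wie derived from \\SMB.WIE, a member idmap range of 10000-999999, the sam.ldb path of a source build, and the constructed SID values in the comments; all of these are assumptions. One caveat a practitioner should know: with the 'ad' backend a user is only mapped if the user has a uidNumber and the user's primary group (Domain Users, RID 513 in every AD domain) has a gidNumber, so the group LDIF below is not optional.

```shell
#!/bin/sh
# Added example for the Samba idmap discussion. Not from the thread or the
# Samba project. Domain name, base DN, range and paths are assumptions.

# 'rid' backend: unix ID = low end of "idmap config DOM : range" + RID.
# The same on every member that uses the same range, but unrelated to the
# number the DC handed out from idmap.ldb (e.g. 3000016).
rid_to_id() {
    # $1 = range low (e.g. 10000), $2 = RID (e.g. 1106)
    echo $(( $1 + $2 ))
}

# Extract the RID from an objectSid such as S-1-5-21-...-1106 (last component).
sid_to_rid() {
    echo "${1##*-}"
}

# LDIF for the 'ad' backend: add a fixed uidNumber/gidNumber to a user.
# Apply on the DC with (path is an assumption, adjust for your build):
#   ldbmodify -H /usr/local/samba/private/sam.ldb user.ldif
user_idmap_ldif() {
    # $1 = CN of the user, $2 = base DN, $3 = uidNumber, $4 = gidNumber
    cat <<EOF
dn: CN=$1,CN=Users,$2
changetype: modify
add: uidNumber
uidNumber: $3
-
add: gidNumber
gidNumber: $4
EOF
}

# The user's primary group must carry a gidNumber too, or the 'ad' backend
# will not map the user at all.
group_idmap_ldif() {
    # $1 = CN of the group, $2 = base DN, $3 = gidNumber
    cat <<EOF
dn: CN=$1,CN=Users,$2
changetype: modify
add: gidNumber
gidNumber: $3
EOF
}

# smb.conf [global] fragment for a DOMAIN MEMBER using the 'ad' backend.
# A DC does not take these idmap config lines; it reads uidNumber/gidNumber
# from AD on its own once they exist.
ad_member_smbconf() {
    cat <<'EOF'
   workgroup = SMB
   security = ADS
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999
   idmap config SMB : backend = ad
   idmap config SMB : schema_mode = rfc2307
   idmap config SMB : range = 10000-999999
   winbind nss info = rfc2307
EOF
}

# Worked run with constructed SIDs (the -21- part is made up):
# kirchner's RID 1106 -> uid 11106 under 'rid'; Domain Users (513) -> 10513.
base_dn='DC=smb,DC=wie'
user_rid=$(sid_to_rid S-1-5-21-1111111111-2222222222-3333333333-1106)
group_rid=$(sid_to_rid S-1-5-21-1111111111-2222222222-3333333333-513)
uid=$(rid_to_id 10000 "$user_rid")
gid=$(rid_to_id 10000 "$group_rid")
group_idmap_ldif 'Domain Users' "$base_dn" "$gid"
user_idmap_ldif kirchner "$base_dn" "$uid" "$gid"
```

Reusing the 'rid' arithmetic to pick the uidNumber/gidNumber values, as the run at the bottom does, is a convenient way to choose numbers that will not collide with anything a 'rid' member would have handed out, but any values inside the member's configured range work; the point is that once they are stored in AD, the DC and every member read the same number.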
