[Samba] idmap_ad
Gaiseric Vandal
gaiseric.vandal at gmail.com
Mon Sep 19 21:36:05 UTC 2016
I am trying to configure idmap_ad on a linux member server (fedora core
23, samba 4.3.11) with a Windows 2008 domain controller. The domain
is "MYDOMAIN.COM" with a child domain of "CHILD1.MYDOMAIN.COM." By
default those domains trust each other.
The MYDOMAIN PDC has the unix identity mapping feature installed, so I
can use "active directory users and computers" to set unix uidNumbers
and gidNumbers (which start at 100.) I have set uidNumbers for some
users but not others. I have not set up unix identity mapping on the
child domain.
The partial smb.conf is
security = ads
workgroup = MYDOMAIN
netbios name = LINUX1
realm = MYDOMAIN.COM
idmap config *:backend = tdb
idmap config *:range = 2000-9999
idmap config MYDOMAIN:backend = ad
idmap config MYDOMAIN:schema_mode = rfc2307
idmap config MYDOMAIN:range = 100-900
winbind nss info = rfc2307
winbind enum users = yes
winbind enum groups = yes
I did need to fix a symlink since samba was looking for some libraries
in the wrong place
#ln -s /usr/lib64/ldb /usr/lib64/samba/ldb
I was able to join the domain
#net ads join -U administrator -S pdc.mydomain.com
I set /etc/krb5.conf to point to the domain controllers as the kerberos
server (although I don't think this is necessary at this stage.)
the "wbinfo -u" and "wbinfo -g" show users from the domain.
I updated /etc/nsswitch.conf to include winbind
passwd: files sss winbind
shadow: files sss winbind
(sssd daemon is not enabled.)
The "getent passwd" command does NOT show users from MYDOMAIN. The weird
thing is that it does show users from the child domain.
CHILD1\administrator:*:2000:2004:Administrator:/home/CHILD1/administrator:/bin/false
CHILD1\guest:*:2001:2005:Guest:/home/CHILD1/guest:/bin/false
CHILD1\krbtgt:*:2002:2004:krbtgt:/home/CHILD1/krbtgt:/bin/false
CHILD1\bobsmith:*:2003:2004:Bob Smith:/home/CHILD1/bobsmith:/bin/false
CHILD1\mydomain$:*:2004:2004:MYDOMAIN$:/home/CHILD1/ssci_:/bin/false
I tried the following settings with no luck
winbind nss info = template
idmap config MYDOMAIN:schema_mode = sfu
winbind use default domain = yes
The "testparm -v | grep domain" gives the following
allow trusted domains = Yes
map untrusted to domain = No
domain logons = No
domain master = Auto
winbind use default domain = No
winbind trusted domains only = No
winbind max domain connections = 1
FYI I do have another linux machine, not running samba, that is
configured to use LDAP/Kerberos authentication against the same domain
controller so I am pretty sure the unix attributes are set up correctly.
Appreciate any help.
Thanks
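An added check, not part of the post above and not Samba's own tooling, that inspects the kind of idmap layout described in the post. Two things matter with the idmap_ad backend: it only maps accounts that actually carry a uidNumber/gidNumber, and whatever range is declared for the domain must neither overlap the default "*" range nor overlap the UID space the local system already uses (Fedora reserves UIDs below 1000 for system accounts, so a domain range of 100-900 can collide with local daemon UIDs). The smb.conf fragment, the /etc/passwd lines and the AD uidNumber table below are all constructed inline for the example; the account names and values are assumptions, not data from the post.

```shell
#!/usr/bin/env bash
# Added example: sanity-check an idmap_ad layout against local accounts and
# sample AD uidNumber values. All input is constructed inline (assumption).

# Constructed smb.conf fragment mirroring the settings quoted in the post.
SMB_CONF='security = ads
workgroup = MYDOMAIN
realm = MYDOMAIN.COM
idmap config *:backend = tdb
idmap config *:range = 2000-9999
idmap config MYDOMAIN:backend = ad
idmap config MYDOMAIN:schema_mode = rfc2307
idmap config MYDOMAIN:range = 100-900'

# Constructed /etc/passwd sample (assumption: typical Fedora system accounts
# live below UID 1000, the first interactive local user is 1000).
LOCAL_PASSWD='root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
systemd-network:x:192:192:systemd Network Management:/:/sbin/nologin
polkitd:x:998:996:User for polkitd:/:/sbin/nologin
localuser:x:1000:1000:Local User:/home/localuser:/bin/bash'

# Constructed AD accounts as name:uidNumber, empty where the UNIX Attributes
# tab never set one (assumption: hypothetical users).
AD_UIDS='bobsmith:100
alice:101
carol:
dave:1500'

# idmap_range DOMAIN: print the "low-high" range configured for DOMAIN
# (use '*' for the default backend's range).
idmap_range() {
    printf '%s\n' "$SMB_CONF" | grep -F "idmap config $1:range" | sed 's/.*= *//'
}

# ranges_overlap A-B C-D: succeed (exit 0) when the two ranges intersect.
ranges_overlap() {
    a_low=${1%-*}; a_high=${1#*-}; b_low=${2%-*}; b_high=${2#*-}
    [ "$a_low" -le "$b_high" ] && [ "$b_low" -le "$a_high" ]
}

# local_collisions LOW-HIGH: print local accounts (name:uid) whose UID falls
# inside the domain range; a mapped domain user could share such a UID.
local_collisions() {
    low=${1%-*}; high=${1#*-}
    printf '%s\n' "$LOCAL_PASSWD" | while IFS=: read -r name _ uid _; do
        if [ "$uid" -ge "$low" ] && [ "$uid" -le "$high" ]; then
            printf '%s:%s\n' "$name" "$uid"
        fi
    done
}

# ad_user_status NAME LOW-HIGH: say whether idmap_ad can map NAME with the
# given range, based on the constructed uidNumber table.
ad_user_status() {
    low=${2%-*}; high=${2#*-}
    uid=$(printf '%s\n' "$AD_UIDS" | sed -n "s/^$1:\(.*\)$/\1/p")
    if [ -z "$uid" ]; then
        echo "no uidNumber: idmap_ad cannot map this account"
    elif [ "$uid" -lt "$low" ] || [ "$uid" -gt "$high" ]; then
        echo "uidNumber $uid outside range $2: mapping rejected"
    else
        echo "ok"
    fi
}

main() {
    dom_range=$(idmap_range MYDOMAIN)
    def_range=$(idmap_range '*')
    echo "MYDOMAIN idmap range: $dom_range (default '*' range: $def_range)"
    if ranges_overlap "$dom_range" "$def_range"; then
        echo "WARNING: domain range overlaps the default range"
    fi
    echo "Local accounts inside the MYDOMAIN range:"
    local_collisions "$dom_range"
    echo "AD accounts against the MYDOMAIN range:"
    for u in bobsmith alice carol dave; do
        printf '  %s: %s\n' "$u" "$(ad_user_status "$u" "$dom_range")"
    done
}
main
```

Against the constructed data the script reports systemd-network (UID 192) sitting inside the 100-900 domain range, carol as unmappable for lack of a uidNumber, and dave's uidNumber 1500 as falling outside the declared range. On a real member server the same three functions can be pointed at the live smb.conf, /etc/passwd and an `ldapsearch` dump of uidNumber values instead of the inline samples.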