[Samba] idmap_ad

Gaiseric Vandal gaiseric.vandal at gmail.com
Mon Sep 19 21:36:05 UTC 2016

I am trying to configure idmap_ad on a linux member server (fedora core 
23, samba 4.3.11) with a Windows 2008 domain controller. The domain 
is "MYDOMAIN.COM" with a child domain of "CHILD1.MYDOMAIN.COM." By 
default those domains trust each other.

The MYDOMAIN PDC has the unix identity mapping feature installed, so I 
can use "active directory users and computers" to set unix uidNumbers 
and gidNumbers (which start at 100.) I have set uidNumbers for some 
users but not others. I have not set up unix identity mapping on the 
child domain.

The partial smb.conf is

        security = ads

        workgroup = MYDOMAIN
        netbios name = LINUX1

        realm = MYDOMAIN.COM

        idmap config *:backend = tdb
        idmap config *:range = 2000-9999

        idmap config MYDOMAIN:backend = ad
        idmap config MYDOMAIN:schema_mode = rfc2307
        idmap config MYDOMAIN:range = 100-900

        winbind nss info = rfc2307
        winbind enum users = yes
        winbind enum groups = yes

I did need to fix a symlink since samba was looking for some libraries 
in the wrong place

     #ln -s /usr/lib64/ldb /usr/lib64/samba/ldb

I was able to join the domain

     #net ads join -U administrator -S pdc.mydomain.com

I set /etc/krb5.conf to point to the domain controllers as the kerberos 
server (although I don't think this is necessary at this stage.)

The "wbinfo -u" and "wbinfo -g" show users from the domain.

I updated /etc/nsswitch.conf to include winbind

         passwd:     files sss winbind
         shadow:     files sss winbind

(sssd daemon is not enabled.)

The "getent passwd" command does NOT show users from MYDOMAIN. The weird 
thing is that it does show users from the child domain.

CHILD1\bobsmith:*:2003:2004:Bob Smith:/home/CHILD1/bobsmith:/bin/false

I tried the following settings with no luck

     winbind nss info = templater

     idmap config MYDOMAIN:schema_mode = sfu

     winbind use default domain = yes

The "testparm -v | grep domain" gives the following

     allow trusted domains = Yes
     map untrusted to domain = No
     domain logons = No
     domain master = Auto
     winbind use default domain = No
     winbind trusted domains only = No
     winbind max domain connections = 1

FYI I do have another linux machine, not running samba, that is 
configured to use LDAP/Kerberos authentication against the same domain 
controller so I am pretty sure the unix attributes are set up correctly.

Appreciate any help.
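A self-contained check of the idmap layout described above, added here as an example and not part of the original post or of Samba itself. With the "ad" backend, winbind only maps an account whose uidNumber and gidNumber are present and fall inside that domain's configured range; domains without their own "idmap config" block fall back to the "*" backend, which allocates ids on demand. The script parses an smb.conf fragment modelled on the one in the post and runs a set of constructed user records (standing in for what idmap_ad would read from AD) through that rule, so the result shows which accounts would be reported by "getent passwd" and why the others would not. The config text, the user records and the function names are all assumptions made for this example.

```python
import re

# Constructed smb.conf fragment modelled on the post (sample input, not a live config).
SMB_CONF = """
[global]
        security = ads
        workgroup = MYDOMAIN
        realm = MYDOMAIN.COM
        idmap config *:backend = tdb
        idmap config *:range = 2000-9999
        idmap config MYDOMAIN:backend = ad
        idmap config MYDOMAIN:schema_mode = rfc2307
        idmap config MYDOMAIN:range = 100-900
        winbind nss info = rfc2307
"""

# Constructed user records standing in for the uidNumber/gidNumber attributes
# set through "UNIX Attributes" in ADUC.  None means the attribute is unset.
AD_USERS = [
    {"domain": "MYDOMAIN", "name": "alice",    "uidNumber": 101,   "gidNumber": 100},
    {"domain": "MYDOMAIN", "name": "bob",      "uidNumber": None,  "gidNumber": None},
    {"domain": "MYDOMAIN", "name": "carol",    "uidNumber": 10001, "gidNumber": 100},
    {"domain": "MYDOMAIN", "name": "dave",     "uidNumber": 105,   "gidNumber": 5000},
    {"domain": "CHILD1",   "name": "bobsmith", "uidNumber": None,  "gidNumber": None},
]


def parse_idmap_config(text):
    """Return {DOMAIN: {key: value}} for every 'idmap config DOM:key = value' line."""
    cfg = {}
    pat = re.compile(r"^\s*idmap config\s+([^:]+):(\w+)\s*=\s*(.+?)\s*$", re.I)
    for line in text.splitlines():
        m = pat.match(line)
        if m:
            dom, key, val = m.group(1).strip().upper(), m.group(2).lower(), m.group(3)
            cfg.setdefault(dom, {})[key] = val
    return cfg


def parse_range(spec):
    """'100-900' -> (100, 900)."""
    lo, hi = (int(x) for x in spec.split("-"))
    return lo, hi


def check_user(user, cfg):
    """Classify a record as ('ok', why) or ('unmapped', why) under the idmap rules."""
    # A domain with no block of its own is handled by the '*' (default) backend.
    dom_cfg = cfg.get(user["domain"], cfg.get("*", {}))
    backend = dom_cfg.get("backend", "tdb")
    lo, hi = parse_range(dom_cfg.get("range", "0-0"))
    if backend != "ad":
        # tdb-style backends allocate an id from the range; AD attributes are not consulted.
        return "ok", f"id allocated on demand from {backend} range {lo}-{hi}"
    problems = []
    for attr in ("uidNumber", "gidNumber"):
        value = user[attr]
        if value is None:
            problems.append(f"{attr} missing")
        elif not lo <= value <= hi:
            problems.append(f"{attr}={value} outside {lo}-{hi}")
    if problems:
        return "unmapped", "; ".join(problems)
    return "ok", f"uid {user['uidNumber']} gid {user['gidNumber']} from AD"


def audit(users=AD_USERS, conf=SMB_CONF):
    """Map 'DOMAIN\\user' -> (status, reason) for every record."""
    cfg = parse_idmap_config(conf)
    return {f"{u['domain']}\\{u['name']}": check_user(u, cfg) for u in users}


if __name__ == "__main__":
    for account, (status, why) in audit().items():
        print(f"{account:20} {status:9} {why}")
```

Run as-is it prints one line per constructed account; the CHILD1 record comes out "ok" under the "*" tdb backend exactly as the CHILD1\bobsmith line in the post shows, while the MYDOMAIN records fail whenever an attribute is unset or outside 100-900. To use it against a real server, replace the constructed records with the attribute values read from AD and the fragment with the output of "testparm -s".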
