[Samba] idmap_ad
Rowland Penny
rpenny at samba.org
Tue Sep 20 08:49:08 UTC 2016
See inline comments:
On Mon, 19 Sep 2016 17:36:05 -0400
Gaiseric Vandal via samba <samba at lists.samba.org> wrote:
>
>
> I am trying to configure idmap_ad on a linux member server (fedora
> core 23, samba 4.3.11) with a Windows 2008 domain controller. The
> domain is "MYDOMAIN.COM" with a child domain of
> "CHILD1.MYDOMAIN.COM." By default those domains trust each other.
>
>
>
> The MYDOMAIN PDC has the unix identity mapping feature installed, so
> I can use "active directory users and computers" to set unix
> uidNumbers and gidNumbers (which start at 100.) I have set
> uidNumbers for some users but not others. I have not up unix
> identity mapping on the child domain.
This may be your problem, why are using 100-900 ? standard Unix users
start at 1000, BUILTIN and anything outside the domain is using
2000-9999, so why not use IDs starting at 10000 ???
Have you also given Domain Users a gidNumber ??
>
>
>
> The partial smb.conf is
>
>
> security = ads
>
>
> workgroup = MYDOMAIN
> netbios name = LINUX1
>
> realm = MYDOMAIN.COM
>
> idmap config *:backend = tdb
> idmap config *:range = 2000-9999
>
>
> idmap config MYDOMAIN:backend = ad
> idmap config MYDOMAIN:schema_mode = rfc2307
> idmap config MYDOMAIN:range = 100-900
>
> winbind nss info = rfc2307
> winbind enum users = yes
> winbind enum groups = yes
>
>
>
>
>
> I did need to fix a symlink since samba was looking for some
> libraries in the wrong place
>
>
> #ln -s /usr/lib64/ldb /usr/lib64/samba/ldb
>
>
>
> I was able to join the domain
>
> #net ads join -U administrator -S pdc.mydomain.com
>
>
> I set /etc/krb5.conf to point to the domain controllers as the
> kerberos server (although I don't think this is necessary at this
> stage.)
You needed this set up before you joined the domain and it should point
to the realm.
>
> the "wbinfo -u" and "wbinfo -g" show users from the domain.
>
>
> I updated /etc/nsswitch.conf to include winbind
>
>
> passwd: files sss winbind
> shadow: files sss winbind
I would suggest removing 'sss' if you are not using it, also remove
'winbind' from the shadow line and putting it on the group line.
>
>
> (sssd daemon is not enabled.)
>
>
> The "getent passwd" command does NOT show users from MYDOMAIN. The
> weird thing is that it does show users from the child domain.
Well, it would, they are getting mapped because they are not in your
domain.
>
>
>
> CHILD1\administrator:*:2000:2004:Administrator:/home/CHILD1/administrator:/bin/false
> CHILD1\guest:*:2001:2005:Guest:/home/CHILD1/guest:/bin/false
> CHILD1\krbtgt:*:2002:2004:krbtgt:/home/CHILD1/krbtgt:/bin/false
> CHILD1\bobsmith:*:2003:2004:Bob Smith:/home/CHILD1/bobsmith:/bin/false
> CHILD1\mydomain$:*:2004:2004:MYDOMAIN$:/home/CHILD1/ssci_:/bin/false
>
>
> I tried the following settings with no luck
>
> winbind nss info = templater
I take it that is a typo and should have been 'template' and all that
does (if using the 'ad' backend) is just use uidNumber & gidNumber
attributes.
>
> idmap config MYDOMAIN:schema_mode = sfu
If using 'ad' backend, just stick to 'schema_mode = rfc2307'
>
> winbind use default domain = yes
This just removes the domain name from user & groupnames.
>
>
> The "testparm -v | grep domain" gives the following
>
>
>
> allow trusted domains = Yes
> map untrusted to domain = No
> domain logons = No
> domain master = Auto
> winbind use default domain = No
> winbind trusted domains only = No
> winbind max domain connections = 1
>
>
>
> FYI I do have another linux machine , not running samba, that is
> configured to use LDAP/Kerberos authentication against the same
> domain controller so I am pretty use the unix attributes are set up
> correctly.
>
> Appreciate any help.
It might well do, but winbind works differently, see here for more info:
https://wiki.samba.org/index.php/Setup_Samba_as_an_AD_Domain_Member
Rowland
More information about the samba
mailing list