[Samba] idmap_ad

Rowland Penny rpenny at samba.org
Tue Sep 20 08:49:08 UTC 2016


See inline comments:

On Mon, 19 Sep 2016 17:36:05 -0400
Gaiseric Vandal via samba <samba at lists.samba.org> wrote:

> 
> 
> I am trying to configure idmap_ad on a linux member server (fedora
> core 23, samba 4.3.11) with a Windows 2008 domain controller.    The
> domain is "MYDOMAIN.COM" with a child domain of
> "CHILD1.MYDOMAIN.COM."  By default those domains trust each other. 
> 
> 
> 
> The MYDOMAIN PDC has the unix identity mapping feature installed, so
> I can use "active directory users and computers" to set unix
> uidNumbers and gidNumbers (which start at 100.)  I have set
> uidNumbers for some users but not others.  I have not set up unix
> identity mapping on the child domain.

This may be your problem, why are you using 100-900? Standard Unix users
start at 1000, BUILTIN and anything outside the domain is using
2000-9999, so why not use IDs starting at 10000?

Have you also given Domain Users a gidNumber ??

> 
> 
> 
> The partial smb.conf is
> 
> 
>          security = ads
> 
> 
>          workgroup = MYDOMAIN
>          netbios name = LINUX1
> 
>          realm = MYDOMAIN.COM
> 
>         idmap config *:backend = tdb
>         idmap config *:range = 2000-9999
> 
> 
>         idmap config MYDOMAIN:backend = ad
>         idmap config MYDOMAIN:schema_mode = rfc2307
>         idmap config MYDOMAIN:range = 100-900
> 
>         winbind nss info = rfc2307
>           winbind enum users = yes
>          winbind enum groups = yes
> 
> 
> 
> 
> 
> I did need to fix a symlink since samba was looking for some
> libraries in the wrong place
> 
> 
>      #ln -s /usr/lib64/ldb /usr/lib64/samba/ldb
> 
> 
> 
> I was able to join the domain
> 
>      #net ads join -U administrator -S pdc.mydomain.com
> 
> 
> I set /etc/krb5.conf to point to the domain controllers as the
> kerberos server (although I don't think this is necessary at this
> stage.)

You needed this set up before you joined the domain and it should point
to the realm.

> 
> the "wbinfo -u" and "wbinfo -g"  show users from the domain.
> 
> 
> I updated /etc/nsswitch.conf to include winbind
> 
> 
>          passwd:     files sss winbind
>          shadow:     files sss winbind

I would suggest removing 'sss' if you are not using it, also remove
'winbind' from the shadow line and put it on the group line.

> 
> 
> (sssd daemon is not enabled.)
> 
> 
> The "getent passwd" command does NOT show users from MYDOMAIN. The
> weird thing is that it does show users from the child domain.

Well, it would, they are getting mapped because they are not in your
domain.

> 
> 
> 
> CHILD1\administrator:*:2000:2004:Administrator:/home/CHILD1/administrator:/bin/false
> CHILD1\guest:*:2001:2005:Guest:/home/CHILD1/guest:/bin/false
> CHILD1\krbtgt:*:2002:2004:krbtgt:/home/CHILD1/krbtgt:/bin/false
> CHILD1\bobsmith:*:2003:2004:Bob Smith:/home/CHILD1/bobsmith:/bin/false
> CHILD1\mydomain$:*:2004:2004:MYDOMAIN$:/home/CHILD1/ssci_:/bin/false
> 
> 
> I tried the following settings with no luck
> 
>      winbind nss info = templater

I take it that is a typo and should have been 'template' and all that
does (if using the 'ad' backend) is just use uidNumber & gidNumber
attributes.

> 
>      idmap config MYDOMAIN:schema_mode = sfu

If using 'ad' backend, just stick to 'schema_mode = rfc2307'

> 
>      winbind use default domain = yes

This just removes the domain name from user & groupnames.

> 
> 
> The "testparm -v | grep domain" gives the following
> 
> 
> 
>      allow trusted domains = Yes
>      map untrusted to domain = No
>      domain logons = No
>      domain master = Auto
>      winbind use default domain = No
>      winbind trusted domains only = No
>      winbind max domain connections = 1
> 
> 
> 
> FYI I do have another linux machine, not running samba, that is
> configured to use LDAP/Kerberos authentication against the same
> domain controller so I am pretty sure the unix attributes are set up
> correctly.
> 
> Appreciate any help.

It might well do, but winbind works differently, see here for more info:

https://wiki.samba.org/index.php/Setup_Samba_as_an_AD_Domain_Member

Rowland
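The reply's two configuration points (the MYDOMAIN range 100-900 sitting in the local system-account space, and idmap ranges needing to stay disjoint) can be checked mechanically. The following is an added example, not code from the thread or from Samba; it parses the `idmap config` lines of an smb.conf and reports ranges that overlap or fall below 1000, using the poster's fragment as constructed sample input. The threshold of 1000 is an assumption taken from the reply's advice.

```python
import re

# Constructed sample: the idmap lines from the smb.conf posted in the thread.
POSTED_CONF = """
[global]
   security = ads
   workgroup = MYDOMAIN
   realm = MYDOMAIN.COM
   idmap config *:backend = tdb
   idmap config *:range = 2000-9999
   idmap config MYDOMAIN:backend = ad
   idmap config MYDOMAIN:schema_mode = rfc2307
   idmap config MYDOMAIN:range = 100-900
"""

# Same fragment with the domain range moved above the local and default ranges.
FIXED_CONF = POSTED_CONF.replace("MYDOMAIN:range = 100-900",
                                 "MYDOMAIN:range = 10000-99999")

IDMAP_RE = re.compile(r"^\s*idmap config\s+([^:]+?)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.M)
MIN_DOMAIN_ID = 1000  # assumption: local Unix users start at 1000, as the reply says

def parse_idmap(conf):
    """Return {domain: {option: value}} for every 'idmap config' line."""
    domains = {}
    for dom, key, val in IDMAP_RE.findall(conf):
        domains.setdefault(dom, {})[key] = val
    return domains

def check_idmap(conf):
    """Return a list of human-readable findings; an empty list means no issue found."""
    findings, ranges = [], {}
    for dom, cfg in parse_idmap(conf).items():
        if "range" not in cfg:
            findings.append(f"{dom}: no range configured")
            continue
        lo, hi = (int(x) for x in cfg["range"].split("-"))
        if lo >= hi:
            findings.append(f"{dom}: invalid range {cfg['range']}")
            continue
        ranges[dom] = (lo, hi)
        if lo < MIN_DOMAIN_ID:
            findings.append(f"{dom}: range {lo}-{hi} lies below {MIN_DOMAIN_ID} "
                            "and collides with local system accounts")
    if "*" not in ranges:
        findings.append("*: the default backend must have a range")
    doms = sorted(ranges)  # pairwise check that no two ranges overlap
    for i, a in enumerate(doms):
        for b in doms[i + 1:]:
            if ranges[a][0] <= ranges[b][1] and ranges[b][0] <= ranges[a][1]:
                findings.append(f"{a} and {b}: ranges overlap")
    return findings
```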

