[Samba] idmap_ad
Edson Tadeu Almeida da Silveira
edson.tadeu at gmail.com
Tue Sep 20 12:36:37 UTC 2016
Try to create symbolic links to the samba4 winbind libraries:

ln -sf /lib/x86_64-linux-gnu/libnss_winbind.so /usr/local/samba/lib/libnss_winbind.so
ln -sf /lib/x86_64-linux-gnu/libnss_winbind.so /usr/local/samba/lib/libnss_winbind.so.2
ln -sf /usr/lib/x86_64-linux-gnu/libnss_winbind.so /usr/local/samba/lib/libnss_winbind.so
ln -sf /usr/lib/x86_64-linux-gnu/libnss_winbind.so /usr/local/samba/lib/libnss_winbind.so.2

And then, restart samba.

Regards,
2016-09-20 5:49 GMT-03:00 Rowland Penny via samba <samba at lists.samba.org>:
>
> See inline comments:
>
> On Mon, 19 Sep 2016 17:36:05 -0400
> Gaiseric Vandal via samba <samba at lists.samba.org> wrote:
>
> >
> >
> > I am trying to configure idmap_ad on a linux member server (fedora
> > core 23, samba 4.3.11) with a Windows 2008 domain controller. The
> > domain is "MYDOMAIN.COM" with a child domain of
> > "CHILD1.MYDOMAIN.COM." By default those domains trust each other.
> >
> >
> >
> > The MYDOMAIN PDC has the unix identity mapping feature installed, so
> > I can use "active directory users and computers" to set unix
> > uidNumbers and gidNumbers (which start at 100.) I have set
> > uidNumbers for some users but not others. I have not set up unix
> > identity mapping on the child domain.
>
> This may be your problem, why are you using 100-900 ? standard Unix users
> start at 1000, BUILTIN and anything outside the domain is using
> 2000-9999, so why not use IDs starting at 10000 ???
>
> Have you also given Domain Users a gidNumber ??
>
> >
> >
> >
> > The partial smb.conf is
> >
> >
> > security = ads
> >
> >
> > workgroup = MYDOMAIN
> > netbios name = LINUX1
> >
> > realm = MYDOMAIN.COM
> >
> > idmap config *:backend = tdb
> > idmap config *:range = 2000-9999
> >
> >
> > idmap config MYDOMAIN:backend = ad
> > idmap config MYDOMAIN:schema_mode = rfc2307
> > idmap config MYDOMAIN:range = 100-900
> >
> > winbind nss info = rfc2307
> > winbind enum users = yes
> > winbind enum groups = yes
> >
> >
> >
> >
> >
> > I did need to fix a symlink since samba was looking for some
> > libraries in the wrong place
> >
> >
> > #ln -s /usr/lib64/ldb /usr/lib64/samba/ldb
> >
> >
> >
> > I was able to join the domain
> >
> > #net ads join -U administrator -S pdc.mydomain.com
> >
> >
> > I set /etc/krb5.conf to point to the domain controllers as the
> > kerberos server (although I don't think this is necessary at this
> > stage.)
>
> You needed this set up before you joined the domain and it should point
> to the realm.
>
> >
> > the "wbinfo -u" and "wbinfo -g" show users from the domain.
> >
> >
> > I updated /etc/nsswitch.conf to include winbind
> >
> >
> > passwd: files sss winbind
> > shadow: files sss winbind
>
> I would suggest removing 'sss' if you are not using it, also remove
> 'winbind' from the shadow line and putting it on the group line.
>
> >
> >
> > (sssd daemon is not enabled.)
> >
> >
> > The "getent passwd" command does NOT show users from MYDOMAIN. The
> > weird thing is that it does show users from the child domain.
>
> Well, it would, they are getting mapped because they are not in your
> domain.
>
> >
> >
> >
> > CHILD1\administrator:*:2000:2004:Administrator:/home/CHILD1/administrator:/bin/false
> > CHILD1\guest:*:2001:2005:Guest:/home/CHILD1/guest:/bin/false
> > CHILD1\krbtgt:*:2002:2004:krbtgt:/home/CHILD1/krbtgt:/bin/false
> > CHILD1\bobsmith:*:2003:2004:Bob Smith:/home/CHILD1/bobsmith:/bin/false
> > CHILD1\mydomain$:*:2004:2004:MYDOMAIN$:/home/CHILD1/ssci_:/bin/false
> >
> >
> > I tried the following settings with no luck
> >
> > winbind nss info = templater
>
> I take it that is a typo and should have been 'template' and all that
> does (if using the 'ad' backend) is just use uidNumber & gidNumber
> attributes.
>
> >
> > idmap config MYDOMAIN:schema_mode = sfu
>
> If using 'ad' backend, just stick to 'schema_mode = rfc2307'
>
> >
> > winbind use default domain = yes
>
> This just removes the domain name from user & groupnames.
>
> >
> >
> > The "testparm -v | grep domain" gives the following
> >
> >
> >
> > allow trusted domains = Yes
> > map untrusted to domain = No
> > domain logons = No
> > domain master = Auto
> > winbind use default domain = No
> > winbind trusted domains only = No
> > winbind max domain connections = 1
> >
> >
> >
> > FYI I do have another linux machine, not running samba, that is
> > configured to use LDAP/Kerberos authentication against the same
> > domain controller so I am pretty sure the unix attributes are set up
> > correctly.
> >
> > Appreciate any help.
>
> It might well do, but winbind works differently, see here for more info:
>
> https://wiki.samba.org/index.php/Setup_Samba_as_an_AD_Domain_Member
>
> Rowland
>
>
--
-------------------------------------------
Edson Tadeu Almeida Silveira
http://sites.google.com/site/edsontadeu/
-------------------------------------------
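The idmap ranges discussed in the thread (100-900 for MYDOMAIN, 2000-9999 for the default backend, local users from 1000 upwards) are the kind of thing worth checking before restarting winbind, because overlapping or too-low ranges let two different SIDs land on the same Unix UID/GID and quietly break file ownership on the member server. The script below is an added example, not code from the thread or from the Samba project: it parses the "idmap config" lines of an smb.conf fragment and reports missing backends, missing or inverted ranges, ranges that start below 1000 (the usual UID_MIN for regular local users, assumed here) and ranges that overlap one another. The two smb.conf fragments embedded in it are constructed, the first modelled on the one quoted above.

```python
"""Static sanity check for winbind idmap ranges in smb.conf (added example)."""
import re
from typing import Dict, List, Tuple

# Constructed fragment, modelled on the smb.conf quoted in the thread.
SAMPLE_SMB_CONF = """
[global]
   security = ads
   workgroup = MYDOMAIN
   realm = MYDOMAIN.COM
   idmap config *:backend = tdb
   idmap config *:range = 2000-9999
   idmap config MYDOMAIN:backend = ad
   idmap config MYDOMAIN:schema_mode = rfc2307
   idmap config MYDOMAIN:range = 100-900
"""

# Constructed fragment with a deliberate overlap between the default
# backend and the domain backend, to show that case being detected.
OVERLAPPING_SMB_CONF = """
   idmap config * : backend = tdb
   idmap config * : range = 2000-9999
   idmap config MYDOMAIN : backend = ad
   idmap config MYDOMAIN : range = 5000-20000
"""

# Matches both "idmap config DOM:key = value" and "idmap config DOM : key = value".
IDMAP_LINE = re.compile(
    r"^\s*idmap\s+config\s+(?P<dom>[^:=\s]+)\s*:\s*(?P<key>\w+)\s*=\s*(?P<val>\S.*?)\s*$",
    re.IGNORECASE,
)

# Assumption: regular local users start at 1000 (UID_MIN in /etc/login.defs on
# most Linux distributions); anything below that is system accounts.
LOCAL_ACCOUNT_CEILING = 1000


def parse_idmap(conf_text: str) -> Dict[str, Dict[str, str]]:
    """Return {domain: {option: value}} for every 'idmap config' line."""
    cfg: Dict[str, Dict[str, str]] = {}
    for line in conf_text.splitlines():
        m = IDMAP_LINE.match(line)
        if not m:
            continue
        dom = m.group("dom").upper()
        cfg.setdefault(dom, {})[m.group("key").lower()] = m.group("val")
    return cfg


def parse_range(value: str) -> Tuple[int, int]:
    """Split a 'LOW-HIGH' idmap range into two integers."""
    lo, hi = value.split("-", 1)
    return int(lo), int(hi)


def check_idmap(cfg: Dict[str, Dict[str, str]]) -> List[str]:
    """Return human-readable findings; an empty list means nothing was flagged."""
    findings: List[str] = []
    ranges: Dict[str, Tuple[int, int]] = {}
    if "*" not in cfg:
        findings.append("no 'idmap config *' default backend: BUILTIN and "
                        "trusted domains cannot be mapped")
    for dom, opts in sorted(cfg.items()):
        if "backend" not in opts:
            findings.append(f"{dom}: missing backend")
        if "range" not in opts:
            findings.append(f"{dom}: missing range")
            continue
        lo, hi = parse_range(opts["range"])
        if lo > hi:
            findings.append(f"{dom}: range {lo}-{hi} is inverted")
            continue
        if lo < LOCAL_ACCOUNT_CEILING:
            findings.append(f"{dom}: range {lo}-{hi} starts below "
                            f"{LOCAL_ACCOUNT_CEILING} and can collide with "
                            "local system accounts")
        ranges[dom] = (lo, hi)
    # Pairwise overlap check: two closed intervals overlap when each one's
    # low end is at or below the other's high end.
    doms = sorted(ranges)
    for i, a in enumerate(doms):
        for b in doms[i + 1:]:
            (alo, ahi), (blo, bhi) = ranges[a], ranges[b]
            if alo <= bhi and blo <= ahi:
                findings.append(f"{a} ({alo}-{ahi}) overlaps {b} ({blo}-{bhi}): "
                                "two SIDs could map to one UID/GID")
    return findings


if __name__ == "__main__":
    for name, text in (("sample", SAMPLE_SMB_CONF),
                       ("overlapping", OVERLAPPING_SMB_CONF)):
        print(f"== {name} ==")
        for finding in check_idmap(parse_idmap(text)) or ["ok"]:
            print("  " + finding)
```

Run it against a real smb.conf by reading the file into parse_idmap(); the check is purely static, so it says nothing about whether the uidNumber/gidNumber attributes in AD actually fall inside the configured range, which is what "winbind nss info = rfc2307" with the ad backend additionally requires.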