[Samba] idmap_ad

Zhuchenko Valery zvn at belkam.com
Wed Sep 21 08:17:58 UTC 2016


Try to add this line to smb.conf:

winbind expand groups = 10



20.09.2016 01:36, Gaiseric Vandal via samba:
> 
> 
> I am trying to configure idmap_ad on a linux member server (fedora core
> 23, samba 4.3.11) with a Windows 2008 domain controller. The domain
> is "MYDOMAIN.COM" with a child domain of "CHILD1.MYDOMAIN.COM." By
> default those domains trust each other.
> 
> 
> 
> The MYDOMAIN PDC has the unix identity mapping feature installed, so I
> can use "active directory users and computers" to set unix uidNumbers
> and gidNumbers (which start at 100.) I have set uidNumbers for some
> users but not others. I have not set up unix identity mapping on the
> child domain.
> 
> 
> 
> The partial smb.conf is
> 
> 
>         security = ads
>         workgroup = MYDOMAIN
>         netbios name = LINUX1
>         realm = MYDOMAIN.COM
> 
>         idmap config *:backend = tdb
>         idmap config *:range = 2000-9999
> 
>         idmap config MYDOMAIN:backend = ad
>         idmap config MYDOMAIN:schema_mode = rfc2307
>         idmap config MYDOMAIN:range = 100-900
> 
>         winbind nss info = rfc2307
>         winbind enum users = yes
>         winbind enum groups = yes
> 
> 
> 
> 
> 
> I did need to fix a symlink since samba was looking for some libraries
> in the wrong place
> 
> 
>     #ln -s /usr/lib64/ldb /usr/lib64/samba/ldb
> 
> 
> 
> I was able to join the domain
> 
>     #net ads join -U administrator -S pdc.mydomain.com
> 
> 
> I set /etc/krb5.conf to point to the domain controllers as the kerberos
> server (although I don't think this is necessary at this stage.)
> 
> The "wbinfo -u" and "wbinfo -g" show users from the domain.
> 
> 
> I updated /etc/nsswitch.conf to include winbind
> 
> 
>         passwd:     files sss winbind
>         shadow:     files sss winbind
> 
> 
> (sssd daemon is not enabled.)
> 
> 
> The "getent passwd" command does NOT show users from MYDOMAIN. The weird
> thing is that it does show users from the child domain.
> 
> 
> 
> CHILD1\administrator:*:2000:2004:Administrator:/home/CHILD1/administrator:/bin/false
> 
> CHILD1\guest:*:2001:2005:Guest:/home/CHILD1/guest:/bin/false
> CHILD1\krbtgt:*:2002:2004:krbtgt:/home/CHILD1/krbtgt:/bin/false
> CHILD1\bobsmith:*:2003:2004:Bob Smith:/home/CHILD1/bobsmith:/bin/false
> CHILD1\mydomain$:*:2004:2004:MYDOMAIN$:/home/CHILD1/ssci_:/bin/false
> 
> 
> I tried the following settings with no luck
> 
>     winbind nss info = templater
> 
>     idmap config MYDOMAIN:schema_mode = sfu
> 
>     winbind use default domain = yes
> 
> 
> The "testparm -v | grep domain" gives the following
> 
> 
> 
>     allow trusted domains = Yes
>     map untrusted to domain = No
>     domain logons = No
>     domain master = Auto
>     winbind use default domain = No
>     winbind trusted domains only = No
>     winbind max domain connections = 1
> 
> 
> 
> FYI I do have another linux machine, not running samba, that is
> configured to use LDAP/Kerberos authentication against the same domain
> controller so I am pretty sure the unix attributes are set up correctly.
> 
> Appreciate any help.
> 
> 
> Thanks
> 
> 
> 
> 
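The symptom in the quoted message (users from the child domain appear in "getent passwd" while users from the domain configured with the ad backend do not) is what idmap_ad produces when an account has no uidNumber/gidNumber, or has one outside the configured "idmap config DOMAIN:range". The following audit script is an added illustration, not code from the thread or from the Samba project: it parses the "idmap config" lines of an smb.conf fragment, checks the per-domain ranges for overlap, and reports for a set of constructed user records (standing in for the uidNumber/gidNumber attributes read from AD) which ones winbind can map and why the others cannot. The SMB_CONF text and the USERS list are constructed to resemble the poster's setup; parse_idmap, classify, audit and overlapping_ranges are names chosen here.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed smb.conf fragment modelled on the one quoted in the thread
# (not the poster's actual file). Note the 100-900 range for MYDOMAIN.
SMB_CONF = """
[global]
    security = ads
    workgroup = MYDOMAIN
    realm = MYDOMAIN.COM
    idmap config * : backend = tdb
    idmap config * : range = 2000-9999
    idmap config MYDOMAIN : backend = ad
    idmap config MYDOMAIN : schema_mode = rfc2307
    idmap config MYDOMAIN : range = 100-900
    winbind nss info = rfc2307
"""

# Constructed user records: what the AD object carries (None = attribute unset).
USERS: List[Dict] = [
    {"domain": "MYDOMAIN", "name": "alice", "uidNumber": 100, "gidNumber": 100},
    {"domain": "MYDOMAIN", "name": "bob", "uidNumber": None, "gidNumber": None},
    {"domain": "MYDOMAIN", "name": "carol", "uidNumber": 1200, "gidNumber": 100},
    {"domain": "CHILD1", "name": "dave", "uidNumber": None, "gidNumber": None},
]

# Matches "idmap config DOMAIN : key = value"; spaces around ':' are optional.
IDMAP_RE = re.compile(
    r"^\s*idmap\s+config\s+([^:\s]+)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.IGNORECASE
)


def parse_idmap(conf: str) -> Dict[str, Dict[str, str]]:
    """Return {DOMAIN: {key: value}} for every idmap config line."""
    cfg: Dict[str, Dict[str, str]] = {}
    for line in conf.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            dom, key, val = m.group(1).upper(), m.group(2).lower(), m.group(3)
            cfg.setdefault(dom, {})[key] = val
    return cfg


def parse_range(spec: str) -> Tuple[int, int]:
    """'100-900' -> (100, 900)."""
    lo, hi = spec.split("-")
    return int(lo), int(hi)


def overlapping_ranges(cfg: Dict[str, Dict[str, str]]) -> List[Tuple[str, str]]:
    """Pairs of idmap domains whose ranges overlap; Samba requires disjoint ranges."""
    items = [(d, parse_range(b["range"])) for d, b in cfg.items() if "range" in b]
    bad = []
    for i, (d1, (a1, b1)) in enumerate(items):
        for d2, (a2, b2) in items[i + 1:]:
            if a1 <= b2 and a2 <= b1:
                bad.append((d1, d2))
    return bad


def classify(user: Dict, cfg: Dict[str, Dict[str, str]]) -> Tuple[str, str]:
    """Decide whether winbind can produce a passwd entry for this user."""
    dom = user["domain"].upper()
    # A domain without its own block falls back to the default ("*") domain.
    block = cfg.get(dom) or cfg.get("*", {})
    backend = block.get("backend", "tdb").lower()
    lo, hi = parse_range(block["range"])
    if backend != "ad":
        # tdb/rid/autorid allocate or compute IDs; AD attributes are not consulted.
        return ("mapped", f"id allocated by idmap_{backend} from {lo}-{hi}")
    uid: Optional[int] = user["uidNumber"]
    gid: Optional[int] = user["gidNumber"]
    if uid is None:
        return ("unmapped", "no uidNumber attribute on the AD object")
    if not lo <= uid <= hi:
        return ("unmapped", f"uidNumber {uid} outside idmap range {lo}-{hi}")
    # With 'winbind nss info = rfc2307' the primary gid is also read from AD,
    # so a missing or out-of-range gidNumber blocks the entry as well.
    if gid is None or not lo <= gid <= hi:
        return ("unmapped", f"gidNumber {gid} missing or outside range {lo}-{hi}")
    return ("mapped", f"uid={uid} gid={gid} read from AD")


def audit(users: List[Dict], cfg: Dict[str, Dict[str, str]]) -> Dict[str, Tuple[str, str]]:
    """Map 'DOMAIN\\user' -> (status, reason) for every record."""
    results = {}
    for u in users:
        key = u["domain"].upper() + "\\" + u["name"]
        results[key] = classify(u, cfg)
    return results


if __name__ == "__main__":
    cfg = parse_idmap(SMB_CONF)
    for pair in overlapping_ranges(cfg):
        print(f"WARNING: idmap ranges overlap for {pair[0]} and {pair[1]}")
    for name, (status, why) in audit(USERS, cfg).items():
        print(f"{status:8s} {name:24s} {why}")
```

Against the constructed data this flags bob (no uidNumber) and carol (uidNumber 1200 is outside 100-900) as unmapped while dave in CHILD1, which has no ad block and falls through to the tdb default, is allocated an ID, matching the pattern in the quoted getent output. On a live member server the same per-user question is answered by "wbinfo -i DOMAIN\\user", and "wbinfo -n DOMAIN\\user" followed by "wbinfo -S <SID>" shows whether the SID-to-uid step itself succeeds.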
