[Samba] idmap_ad

Gaiseric Vandal gaiseric.vandal at gmail.com
Thu Sep 22 12:02:36 UTC 2016


Thanks to various people for the feedback.


I had created a test domain group "IT" with a gidNumber. Under active 
directory users and groups, the test users had IT as the primary 
group. Under the regular windows settings, the primary group was 
still "Domain Users" which did not have a gidNumber. Once I set a 
gidNumber, all was OK.

This also worked on Samba 3.6.25 on Solaris 11.





On 09/20/16 04:49, Rowland Penny via samba wrote:
> See inline comments:
>
> On Mon, 19 Sep 2016 17:36:05 -0400
> Gaiseric Vandal via samba <samba at lists.samba.org> wrote:
>
>>
>> I am trying to configure idmap_ad on a linux member server (fedora
>> core 23, samba 4.3.11) with a Windows 2008 domain controller.    The
>> domain is "MYDOMAIN.COM" with a child domain of
>> "CHILD1.MYDOMAIN.COM."  By default those domains trust each other.
>>
>>
>>
>> The MYDOMAIN PDC has the unix identity mapping feature installed, so
>> I can use "active directory users and computers" to set unix
>> uidNumbers and gidNumbers (which start at 100.) I have set
>> uidNumbers for some users but not others. I have not set up unix
>> identity mapping on the child domain.
> This may be your problem, why are you using 100-900? Standard Unix users
> start at 1000, BUILTIN and anything outside the domain is using
> 2000-9999, so why not use IDs starting at 10000 ???
>
> Have you also given Domain Users a gidNumber??
>
>>
>>
>> The partial smb.conf is
>>
>>          security = ads
>>
>>          workgroup = MYDOMAIN
>>          netbios name = LINUX1
>>
>>          realm = MYDOMAIN.COM
>>
>>          idmap config *:backend = tdb
>>          idmap config *:range = 2000-9999
>>
>>          idmap config MYDOMAIN:backend = ad
>>          idmap config MYDOMAIN:schema_mode = rfc2307
>>          idmap config MYDOMAIN:range = 100-900
>>
>>          winbind nss info = rfc2307
>>          winbind enum users = yes
>>          winbind enum groups = yes
>>
>>
>>
>>
>>
>> I did need to fix a symlink since samba was looking for some
>> libraries in the wrong place
>>
>>
>>       #ln -s /usr/lib64/ldb /usr/lib64/samba/ldb
>>
>>
>>
>> I was able to join the domain
>>
>>       #net ads join -U administrator -S pdc.mydomain.com
>>
>>
>> I set /etc/krb5.conf to point to the domain controllers as the
>> kerberos server (although I don't think this is necessary at this
>> stage.)
> You needed this set up before you joined the domain and it should point
> to the realm.
>
>> The "wbinfo -u" and "wbinfo -g" show users from the domain.
>>
>>
>> I updated /etc/nsswitch.conf to include winbind
>>
>>
>>           passwd:     files sss winbind
>>           shadow:     files sss winbind
> I would suggest removing 'sss' if you are not using it, also remove
> 'winbind' from the shadow line and put it on the group line.
>
>>
>> (sssd daemon is not enabled.)
>>
>>
>> The "getent passwd" command does NOT show users from MYDOMAIN. The
>> weird thing is that it does show users from the child domain.
> Well, it would, they are getting mapped because they are not in your
> domain.
>
>>
>>
>> CHILD1\administrator:*:2000:2004:Administrator:/home/CHILD1/administrator:/bin/false
>> CHILD1\guest:*:2001:2005:Guest:/home/CHILD1/guest:/bin/false
>> CHILD1\krbtgt:*:2002:2004:krbtgt:/home/CHILD1/krbtgt:/bin/false
>> CHILD1\bobsmith:*:2003:2004:Bob Smith:/home/CHILD1/bobsmith:/bin/false
>> CHILD1\mydomain$:*:2004:2004:MYDOMAIN$:/home/CHILD1/ssci_:/bin/false
>>
>>
>> I tried the following settings with no luck
>>
>>       winbind nss info = templater
> I take it that is a typo and should have been 'template' and all that
> does (if using the 'ad' backend) is just use uidNumber & gidNumber
> attributes.
>
>>       idmap config MYDOMAIN:schema_mode = sfu
> If using 'ad' backend, just stick to 'schema_mode = rfc2307'
>
>>       winbind use default domain = yes
> This just removes the domain name from user & groupnames.
>
>>
>> The "testparm -v | grep domain" gives the following
>>
>>
>>
>>       allow trusted domains = Yes
>>       map untrusted to domain = No
>>       domain logons = No
>>       domain master = Auto
>>       winbind use default domain = No
>>       winbind trusted domains only = No
>>       winbind max domain connections = 1
>>
>>
>>
>> FYI I do have another linux machine, not running samba, that is
>> configured to use LDAP/Kerberos authentication against the same
>> domain controller so I am pretty sure the unix attributes are set up
>> correctly.
>>
>> Appreciate any help.
> It might well do, but winbind works differently, see here for more info:
>
> https://wiki.samba.org/index.php/Setup_Samba_as_an_AD_Domain_Member
>
> Rowland
>
>
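Worked example added to this thread (not code from any of the posters): a small Python model of the two points above, the idmap range check Rowland raises and the rule Gaiseric confirmed, that a MYDOMAIN user only resolves under idmap_ad when both its uidNumber and its primary group's gidNumber exist and sit inside the domain's range. The smb.conf text is copied from the thread; the users, the "IT" group's RID 1105 and all ID values are constructed (513 is the real well-known RID of Domain Users).

```python
import re
# Constructed copy of the idmap lines from the thread; not a live smb.conf.
SMB_CONF = """
idmap config *:backend = tdb
idmap config *:range = 2000-9999
idmap config MYDOMAIN:backend = ad
idmap config MYDOMAIN:schema_mode = rfc2307
idmap config MYDOMAIN:range = 100-900
"""
RANGE_RE = re.compile(r"^\s*idmap config\s+(\S+?)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)\s*$", re.I)

def parse_ranges(conf):
    """Return {DOMAIN: (low, high)} for every 'idmap config X:range' line."""
    ranges = {}
    for line in conf.splitlines():
        if m := RANGE_RE.match(line):
            ranges[m.group(1).upper()] = (int(m.group(2)), int(m.group(3)))
    return ranges

def check_ranges(ranges):
    """Flag the range problems raised in the thread: a domain range that starts
    below 1000 (where local system accounts live) and ranges that overlap."""
    items = sorted(ranges.items(), key=lambda kv: kv[1])
    problems = [f"{d}: range {lo}-{hi} starts below 1000" for d, (lo, hi) in items if lo < 1000]
    for (d1, (_, hi1)), (d2, (lo2, _)) in zip(items, items[1:]):
        if lo2 <= hi1:
            problems.append(f"{d1} and {d2} ranges overlap")
    return problems

def resolve_user(user, groups, ranges, domain="MYDOMAIN"):
    """Model idmap_ad (rfc2307): the user's uidNumber and the gidNumber of its
    primary group (found via primaryGroupID) must both exist and lie in the range."""
    lo, hi = ranges[domain.upper()]
    uid = user.get("uidNumber")
    gid = groups.get(user["primaryGroupID"], {}).get("gidNumber")
    if uid is None or gid is None or not (lo <= uid <= hi and lo <= gid <= hi):
        return None
    return f"{domain}\\{user['sAMAccountName']}:*:{uid}:{gid}"

# Constructed snapshot: 513 = well-known RID of Domain Users (no gidNumber yet); 1105 = made-up RID for "IT".
GROUPS = {513: {"name": "Domain Users"}, 1105: {"name": "IT", "gidNumber": 500}}
USERS = [
    {"sAMAccountName": "alice", "uidNumber": 101, "primaryGroupID": 1105},
    {"sAMAccountName": "bob", "uidNumber": 102, "primaryGroupID": 513},
    {"sAMAccountName": "carol", "primaryGroupID": 1105},  # uidNumber never set
]

def getent_passwd(users, groups, ranges):
    """Passwd-style lines winbind could produce for these users."""
    return [line for u in users if (line := resolve_user(u, groups, ranges))]
```

Giving Domain Users a gidNumber inside the range (as Gaiseric did) makes bob resolve; carol still needs her own uidNumber.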



