[Samba] IDMAP + GETENT
Rowland Penny
rpenny at samba.org
Fri Sep 23 07:16:50 UTC 2016
On Thu, 22 Sep 2016 19:35:57 -0300
Edson Tadeu Almeida da Silveira via samba <samba at lists.samba.org> wrote:
> Hi guys!
>
> I'm looking for a way to solve the problem between my Samba 4.4.4 DC
> and my Samba 4.3 file server.
>
> The user and group IDs are not the same on both servers and I can't
> find the solution for this.
>
> Can anyone help me?
>
> This is the environment:
>
> DC: Samba 4.4.4
> ------------------------
> smb.conf:
>
> [global]
> interfaces = lo eth0
> workgroup = DOMAIN
> realm = DOMAIN.LOCAL
> netbios name = SERVER
> server role = active directory domain controller
> dns forwarder = 10.x.x.x
> allow dns updates = nonsecure
> idmap config *:backend = tdb
> idmap config *:range = 70001-80000
> idmap config DOMAIN:backend = ad
> idmap config DOMAIN:schema_mode = rfc2307
> idmap config DOMAIN:range = 3000000-4000000
> winbind nss info = rfc2307
> winbind trusted domains only = no
> winbind use default domain = yes
> winbind enum users = yes
> winbind enum groups = yes
>
> root@server:/usr/local/src/samba-4.4.6# wbinfo --name-to-sid edsontadeu
> S-1-5-21-1058002876-845724780-2777320708-1106 SID_USER (1)
>
> root@server:/usr/local/src/samba-4.4.6# wbinfo --sid-to-uid S-1-5-21-1058002876-845724780-2777320708-1106
> 3000019
>
> FILE SERVER: Samba 4.3.6
> ------------------------
> smb.conf
>
> [global]
> workgroup = DOMAIN
> netbios name = FS1
> realm = DOMAIN.LOCAL
> security = domain
> server services = smb winbindd
> encrypt passwords = true
> wins server = 10.x.x.x
> idmap config * : backend = tdb
> idmap config * : range = 70001-80000
> idmap config DOMAIN : backend = ad
> idmap config DOMAIN : schema_mode = rfc2307
> idmap config DOMAIN : range = 3000000-4000000
> winbind nss info = rfc2307
> winbind trusted domains only = no
> winbind use default domain = yes
> winbind enum users = yes
> winbind enum groups = yes
> vfs objects = acl_xattr
> map acl inherit = Yes
> store dos attributes = Yes
> domain master = no
> local master = no
> preferred master = no
> os level = 0
> log level = 2 vfs:7 auth:2 passdb:2
>
> root@fs1:~# wbinfo --name-to-sid edsontadeu
> S-1-5-21-1058002876-845724780-2777320708-1106 SID_USER (1)
>
> root@fs1:~# wbinfo --sid-to-uid S-1-5-21-1058002876-845724780-2777320708-1106
> 70001
>
> root@fs1:~# id edsontadeu
> id: edsontadeu: no such user
>
> root@fs1:~# getent passwd edsontadeu
> (NO RESULTS)
>
> root@fs1:~# wbinfo -i edsontadeu
> failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
> Could not get info for user edsontadeu
>
> wbinfo -u and wbinfo -g work well. They give me all my AD users.
>
> Thanks all!!
>
OK, can I suggest you change the DC smb.conf to this:
[global]
netbios name = SERVER
realm = DOMAIN.LOCAL
workgroup = DOMAIN
server role = active directory domain controller
dns forwarder = 10.x.x.x
allow dns updates = nonsecure
winbind enum users = yes
winbind enum groups = yes
All the other lines you added will not do anything on a DC.
You should also change the domain member smb.conf to this:
[global]
workgroup = DOMAIN
security = domain # wrong
realm = DOMAIN.LOCAL
netbios name = FS1
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes
winbind expand groups = 4
winbind nss info = rfc2307
winbind refresh tickets = Yes
winbind normalize names = Yes
idmap config * : backend = tdb
idmap config * : range = 2000-9999
idmap config DOMAIN : backend = ad
idmap config DOMAIN : schema_mode = rfc2307
idmap config DOMAIN : range = 10000-999999
domain master = no
local master = no
preferred master = no
vfs objects = acl_xattr
map acl inherit = Yes
store dos attributes = Yes
log level = 2 vfs:7 auth:2 passdb:2
You will then need to give Domain Users a gidNumber attribute inside
the range '10000-999999'
You will then need to give each user a uidNumber attribute inside the
range '10000-999999'
If you follow the above, you should then get the same ID numbers on the
DC and the domain member, provided nsswitch & links are set up on the
DC.
Rowland
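The advice above boils down to two consistency conditions: the `*` and `DOMAIN` idmap ranges must not overlap, and every user must carry a uidNumber (and every group a gidNumber) that falls inside the `DOMAIN` range, otherwise the `ad` backend has nothing to map and `getent`/`id` return nothing on the member. The following Python script is an added example, not part of the thread and not Samba's own tooling: it parses the `idmap config` lines out of an smb.conf fragment, reports overlapping ranges, and checks a constructed list of AD objects against the `DOMAIN` range. The smb.conf text and the object list (names, uidNumber/gidNumber values) are constructed sample input; on a real system you would feed it the values read back with ldbsearch or samba-tool.

```python
import re
from collections import defaultdict

# Constructed smb.conf fragment: the idmap lines from the suggested domain
# member config (sample input, not a real server's file).
MEMBER_SMB_CONF = """\
[global]
   workgroup = DOMAIN
   idmap config * : backend = tdb
   idmap config * : range = 2000-9999
   idmap config DOMAIN : backend = ad
   idmap config DOMAIN : schema_mode = rfc2307
   idmap config DOMAIN : range = 10000-999999
"""

# Constructed AD objects with their RFC2307 attributes (assumed values, not
# data from the thread). None models an attribute that was never set.
AD_OBJECTS = [
    {"kind": "user",  "name": "edsontadeu",   "uidNumber": 10001},
    {"kind": "user",  "name": "nouid",        "uidNumber": None},
    {"kind": "user",  "name": "outofrange",   "uidNumber": 3000019},
    {"kind": "group", "name": "Domain Users", "gidNumber": 10000},
    {"kind": "group", "name": "nogid",        "gidNumber": None},
]

# Matches both spellings seen in the thread: "idmap config *:range = ..."
# and "idmap config DOMAIN : range = ...".
IDMAP_RE = re.compile(
    r"^\s*idmap\s+config\s+([^:\s]+)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.I)


def parse_idmap_config(text):
    """Return {DOMAIN: {option: value}} for every 'idmap config' line."""
    cfg = defaultdict(dict)
    for line in text.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            domain, option, value = m.groups()
            cfg[domain.upper()][option.lower()] = value
    return dict(cfg)


def parse_range(value):
    """Turn 'lo-hi' into (lo, hi), rejecting inverted ranges."""
    lo, hi = (int(part) for part in value.split("-", 1))
    if lo > hi:
        raise ValueError(f"inverted idmap range {value!r}")
    return lo, hi


def overlapping_ranges(cfg):
    """Return (domA, domB) pairs whose idmap ranges intersect."""
    doms = sorted(d for d in cfg if "range" in cfg[d])
    found = []
    for i, a in enumerate(doms):
        alo, ahi = parse_range(cfg[a]["range"])
        for b in doms[i + 1:]:
            blo, bhi = parse_range(cfg[b]["range"])
            if alo <= bhi and blo <= ahi:
                found.append((a, b))
    return found


def check_objects(cfg, domain, objects):
    """Return (name, problem) for every object the 'ad' backend cannot map:
    users need a uidNumber and groups a gidNumber inside the domain range."""
    dcfg = cfg.get(domain.upper(), {})
    if dcfg.get("backend", "").lower() != "ad":
        return [("*", f"idmap backend for {domain} is not 'ad'")]
    lo, hi = parse_range(dcfg["range"])
    problems = []
    for obj in objects:
        attr = "uidNumber" if obj["kind"] == "user" else "gidNumber"
        value = obj.get(attr)
        if value is None:
            problems.append((obj["name"], f"missing {attr}"))
        elif not lo <= value <= hi:
            problems.append((obj["name"], f"{attr} {value} outside {lo}-{hi}"))
    return problems


if __name__ == "__main__":
    cfg = parse_idmap_config(MEMBER_SMB_CONF)
    for a, b in overlapping_ranges(cfg):
        print(f"range overlap between idmap domains {a} and {b}")
    for name, problem in check_objects(cfg, "DOMAIN", AD_OBJECTS):
        print(f"{name}: {problem}")
```

Run against the sample data it reports the two failure modes the thread hits: an account with no uidNumber at all, and one whose number (3000019, the value the DC handed out) lies outside the member's `DOMAIN` range; both would be invisible to `getent passwd` on the member.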