[Samba] Windows pre-requisites for login with winbind?

A. James Lewis james at fsck.co.uk
Thu Aug 24 10:55:26 UTC 2017

Yes indeed.... I know a lot about the Linux side, but Windows is a bit of a mystery to me... and I have to confess to not knowing exactly how nss links various directory services into the system.... hence my comment earlier with "Password file entry" in quotes... I know it's not in the password file, and is amalgamated into the password "map", via nss, but I'm not sure what the correct terminology is for that.... "map" makes me think NIS, but I guess it could be extended to other directory services now.

One thing I would ask, especially given your earlier assistance with my configs... could you advise what would be required to allow logging in to multiple domains.

Existing configs included at the end:-

As far as I can see, so long as it can look up the _kerberos._tcp.DOMAIN2 record, I should not need to add anything to krb5.conf... 

For smb.conf, clearly I need to add:-

   idmap config DOMAIN2:backend = rid
   idmap config DOMAIN2:range = 500000-800000

But do I need to add anything else to make that happen?

Thanks again.


$ cat krb5.conf | ./anon.sh 
	default_realm = DOMAIN.LOCAL
	dns_lookup_realm = false
	dns_lookup_kdc = true

$ cat smb.conf | ./anon.sh 
   workgroup = DOMAIN
   security = ADS
   realm = DOMAIN.LOCAL

   idmap config *:backend = tdb
   idmap config *:range = 4000-4999
   idmap config DOMAIN:backend = rid
   idmap config DOMAIN:range = 5000-300000

   winbind trusted domains only = no
   winbind use default domain = yes
   winbind refresh tickets = yes

   template shell = /bin/bash
   template homedir = /home/%D/%U

August 23, 2017 4:09 PM, "Rowland Penny via samba" <samba at lists.samba.org> wrote:

> On Wed, 23 Aug 2017 14:39:19 +0000
> "A. James Lewis" <james at fsck.co.uk> wrote:
>> OK, that is the answer, but can you explain what an "RID" is from a
>> Windows perspective?... I had thought that the mapping was not a 1-1,
>> and it appears it is, once the idmap range is taken into account.
>> idmap config DOMAIN:range = 5000-300000
>> My UID's appear to be offset by 5000 from the RID... but I'd love to
>> know exactly what RID is.
>> Many thanks tho, I probably should have tried increasing this cap
>> earlier!
>> James
> Not a problem, as you may or may not know, Unix uses numeric IDs to
> identify users & groups and names to identify domains. For instance
> 'SAMDOM\rowland' is a member of the SAMDOM domain with the id '10000'.
> Windows does something similar, it uses 'SID-RID' to identify users and
> groups, in fact anything.
> The SID identifies the domain and the RID identifies the object (which
> can be a user, group, etc)
> A typical SID-RID will look like this:
> S-1-5-21-1768301897-3342589593-1064908849-1107
> The SID is the 'S-1-5-21-1768301897-3342589593-1064908849' part
> The RID is the last part '1107'
> The SID is used extensively in the AD database and is always the same
> (in each AD)
> The RID is unique to the object and is never reused.
> I hope this helps you understand things a bit better.
> Rowland

A. James Lewis (james at fsck.co.uk)
"Engineering does not require science. Science helps a lot but people
built perfectly good brick walls long before they knew why cement works."
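Worked example, added here and not code from the thread or from Samba itself: a small Python helper that parses the idmap config lines above, applies the idmap_rid mapping that Rowland's SID/RID explanation implies (Unix ID = RID + low end of the domain's range, with base_rid left at its default of 0, which is why the UIDs appear offset by 5000), and flags overlapping ranges, which winbind requires you to avoid when adding a second domain. The DOMAIN3 entry used in the check is a constructed value.

```python
import re

# Constructed sample: the idmap lines from the thread plus the proposed DOMAIN2 block.
SMB_CONF = """
   idmap config *:backend = tdb
   idmap config *:range = 4000-4999
   idmap config DOMAIN:backend = rid
   idmap config DOMAIN:range = 5000-300000
   idmap config DOMAIN2:backend = rid
   idmap config DOMAIN2:range = 500000-800000
"""

IDMAP_RE = re.compile(r"^\s*idmap config\s+([^:\s]+)\s*:\s*(backend|range)\s*=\s*(\S+)\s*$", re.I)


def parse_idmap(conf):
    """Return {domain: {"backend": str, "low": int, "high": int}} from smb.conf text."""
    cfg = {}
    for line in conf.splitlines():
        m = IDMAP_RE.match(line)
        if not m:
            continue
        dom, key, val = m.group(1).upper(), m.group(2).lower(), m.group(3)
        entry = cfg.setdefault(dom, {})
        if key == "backend":
            entry["backend"] = val.lower()
        else:
            low, high = (int(x) for x in val.split("-"))
            entry["low"], entry["high"] = low, high
    return cfg


def split_sid(sid):
    """'S-1-5-21-...-1107' -> ('S-1-5-21-...', 1107): the domain SID and the object's RID."""
    dom_sid, rid = sid.rsplit("-", 1)
    return dom_sid, int(rid)


def rid_to_unix_id(domain, sid, cfg):
    """idmap_rid formula with base_rid 0: ID = RID + low range bound. None if it falls outside the range."""
    entry = cfg[domain.upper()]
    if entry.get("backend") != "rid":
        raise ValueError(f"{domain} does not use the rid backend")
    _, rid = split_sid(sid)
    uid = entry["low"] + rid
    return uid if uid <= entry["high"] else None


def overlapping_ranges(cfg):
    """Pairs of adjacent domains (sorted by low bound) whose ranges overlap; these must be fixed."""
    items = sorted((v["low"], v["high"], d) for d, v in cfg.items() if "low" in v)
    return [(a[2], b[2]) for a, b in zip(items, items[1:]) if b[0] <= a[1]]
```

A RID of 300000 in DOMAIN would map to 305000, above the range's high end, so the function returns None instead of a UID that winbind would never hand out.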
