[Samba] id mapping

basti mailinglist at unix-solution.de
Mon Feb 20 12:07:29 UTC 2017


Hello,
I have installed Samba AD.
On the AD DC the config looks like

# Global parameters
[global]
	netbios name = DC1
	realm = SAMDOM.EXAMPLE.COM
	server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
	workgroup = SAMDOM
	server role = active directory domain controller
	idmap_ldb:use rfc2307 = yes

	# Default idmap config for local BUILTIN accounts and groups
	idmap config * : backend = tdb
	idmap config * : range = 3000-7999

	# idmap config for the KES domain
	idmap config SAMDOM:backend = ad
	idmap config SAMDOM:schema_mode = rfc2307
	idmap config SAMDOM:range = 1001-999999

[netlogon]
	path = /var/lib/samba/sysvol/kes.carlmarie.de/scripts
	read only = No

[sysvol]
	path = /var/lib/samba/sysvol
	read only = No

When I use "getent passwd someuser" it returns a valid entry:
SAMDOM\someuser:*:7072:513:someuser:/home/SAMDOM/someuser:/bin/false

On a domain member the smb.conf looks like

       security = ADS
       workgroup = SAMDOM
       realm = SAMDOM.EXAMPLE.COM

       log file = /var/log/samba/%m.log
       log level = 3

       # idmap config for the KES domain
       idmap config KES:backend = ad
       idmap config KES:schema_mode = rfc2307
       idmap config KES:range = 4000-999999

        winbind enum users = yes
        winbind enum groups = yes
        template homedir = /home/%D/%U

        template shell = /bin/bash
        client use spnego = yes
        client ntlmv2 auth = yes
        encrypt passwords = yes
        winbind use default domain = yes
        restrict anonymous = 2

and "getent passwd someuser" returns different entries:

someuser:*:7072:4294967295:someuser:/home/SAMDOM/someuser:/bin/bash

After "net cache flush" I get:

someuser:*:4294967295:4294967295:someuser:/home/SAMDOM/someuser:/bin/bash

I read the Samba config again and again but I do not understand the
problem above. I have imported the users from an NT4 domain and all my users
start at uid 3000 and have a gid of 513 (Domain Users).

How can I map the gid 513 to AD? I can't chown all the files on all
fileservers in my domain.
What's wrong there?
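Added example (not from the post or from the Samba project): a small Python checker that parses an smb.conf fragment together with one getent passwd line and reports the idmap misconfigurations that typically produce an id of 4294967295, which is (uint32)-1 and is what winbind returns when it cannot map a SID. The smb.conf text inside is a constructed copy of the member-server fragment above; the function names are my own.

```python
import re

UNMAPPED_ID = 4294967295  # (uint32)-1: winbind returns this when a SID cannot be mapped

# Constructed sample: the domain-member smb.conf fragment from the post
MEMBER_SMB_CONF = """
[global]
       security = ADS
       workgroup = SAMDOM
       realm = SAMDOM.EXAMPLE.COM
       idmap config KES:backend = ad
       idmap config KES:schema_mode = rfc2307
       idmap config KES:range = 4000-999999
       winbind use default domain = yes
"""

def parse_idmap(conf):
    """Return (workgroup, {DOMAIN: {param: value}}) from smb.conf text."""
    workgroup, idmap = None, {}
    for line in conf.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", ";", "[")):
            continue
        key, _, value = line.partition("=")
        key, value = key.strip().lower(), value.strip()
        if key == "workgroup":
            workgroup = value.upper()
        m = re.match(r"idmap config\s+(\S+?)\s*:\s*(\S+)", key)
        if m:  # e.g. "idmap config KES:range" -> domain KES, param range
            idmap.setdefault(m.group(1).upper(), {})[m.group(2)] = value
    return workgroup, idmap

def check_idmap(conf, passwd_line):
    """Return a list of findings for a config and one 'getent passwd' line."""
    findings = []
    workgroup, idmap = parse_idmap(conf)
    if "*" not in idmap:
        findings.append("no default 'idmap config *' stanza for BUILTIN/unknown SIDs")
    dom = idmap.get(workgroup)
    if dom is None:
        findings.append(f"no 'idmap config {workgroup}' stanza; configured domains: {sorted(idmap)}")
    _, _, uid, gid, *_ = passwd_line.split(":")
    for name, val in (("uid", int(uid)), ("gid", int(gid))):
        if val == UNMAPPED_ID:
            findings.append(f"{name} {val} is (uint32)-1: winbind could not map the SID")
        elif dom and "range" in dom:
            lo, hi = (int(x) for x in dom["range"].split("-"))
            if not lo <= val <= hi:
                findings.append(f"{name} {val} is outside the configured range {lo}-{hi}")
    return findings
```

Run it against the line from the domain member (`check_idmap(MEMBER_SMB_CONF, "someuser:*:7072:4294967295:...")`) and it reports the missing default stanza, the mismatch between workgroup SAMDOM and the KES idmap domain, and the unmapped gid.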


