[Samba] member domain idmap config ad/rid

Elias Pereira empbilly at gmail.com
Wed May 31 14:12:51 UTC 2017


Rowland,

I checked and got the entry for root in idmap.ldb

> To get 'getent' to show users on the DC, you need to have
> libnss_winbind set up just like on a domain member.


Okay. I installed the libnss-winbind package, configured the links to the
lib, and now the getent passwd administrator works.

Now, when running testparm, this error occurs:

idmap range not specified for domain '*'
ERROR: Invalid idmap range for domain *!

Do I need an entry "idmap config *: range = 3000-7999" in the smb.conf on the AD DC?

On Tue, May 30, 2017 at 6:20 PM, Rowland Penny via samba <
samba at lists.samba.org> wrote:

> On Tue, 30 May 2017 17:53:19 -0300
> Elias Pereira <empbilly at gmail.com> wrote:
>
> > >
> > > If you run getent passwd administrator on a DC, you should get
> > > something like this:
> > > root at dc1:~# getent passwd administrator
> > > SAMDOM\administrator:*:0:10000::/home/administrator:/bin/bash
> >
> >
> > On my DC getent passwd administrator show nothing. :(
> >
> > Is it necessary to map the root user to ADDC as well?
> >
> > > There is however a gotcha, on any domain
> > > joined windows machine there are two 'Administrators'. One is the
> > > local Administrator and will not be mapped to 'root' and the other
> > > is 'Domain\Administrator', this is the one that is mapped to the
> > > Unix user 'root'. So, if you logged in as just 'Administrator, this
> > > is very likely to be your problem.
> >
> >
> > No, I logged in with user ADDC\administrator
> >
>
> I think both of these may be caused by the same thing.
>
> On a DC, Administrator is mapped in idmap.ldb, if you open this with
> ldbedit and search for 500 (Administrator's RID), you should find
> something like this:
>
> dn: CN=S-1-5-21-1768301897-3342589593-1064908849-500
> cn: S-1-5-21-1768301897-3342589593-1064908849-500
> objectClass: sidMap
> objectSid: S-1-5-21-1768301897-3342589593-1064908849-500
> type: ID_TYPE_UID
> xidNumber: 0
> distinguishedName: CN=S-1-5-21-1768301897-3342589593-1064908849-500
>
> As you can see, the SID-500 is mapped to the xidNumber '0' and, as we
> all know, this is the ID number for root.
>
> I suggest you check in idmap.ldb on the DC that you have something like
> the above. Also check that the Administrator object in AD doesn't have a
> uidNumber attribute; it shouldn't have one and probably doesn't, but
> check anyway.
>
> To get 'getent' to show users on the DC, you need to have
> libnss_winbind set up just like on a domain member.
>
> Rowland
>



-- 
Elias Pereira
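The testparm error quoted above ("idmap range not specified for domain '*'") is the check Samba applies to every 'idmap config' block that declares a backend. As an added example, not code from the thread or from the Samba project, here is a small awk-based linter that applies the same rule to smb.conf text, plus the second rule a practitioner will want on a domain member: the '*' range and each domain's range must not overlap. The three smb.conf fragments are constructed for the example (SAMDOM, SAMDOM.EXAMPLE.COM and the ranges are placeholders); whether a DC itself needs the '*' range is left open, as it is in the thread.

```shell
#!/bin/sh
# Added example: lint the 'idmap config' lines of an smb.conf fragment.
# Rule 1: every domain with a backend must have a range (testparm's check).
# Rule 2: ranges of different domains must not overlap.

# Constructed: '*' has a backend but no range. This is the shape of config
# that makes testparm print "idmap range not specified for domain '*'".
BROKEN_CONF='[global]
   security = ADS
   workgroup = SAMDOM
   realm = SAMDOM.EXAMPLE.COM
   idmap config * : backend = tdb
   idmap config SAMDOM : backend = rid
   idmap config SAMDOM : range = 10000-999999
'

# Constructed: the same member config with the missing '*' range added.
FIXED_CONF='[global]
   security = ADS
   workgroup = SAMDOM
   realm = SAMDOM.EXAMPLE.COM
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999
   idmap config SAMDOM : backend = rid
   idmap config SAMDOM : range = 10000-999999
'

# Constructed: both ranges present but overlapping (5000-7999 is claimed twice).
OVERLAP_CONF='[global]
   security = ADS
   workgroup = SAMDOM
   realm = SAMDOM.EXAMPLE.COM
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999
   idmap config SAMDOM : backend = rid
   idmap config SAMDOM : range = 5000-999999
'

# check_idmap CONF: prints one line per problem; exit status = number of problems.
check_idmap() {
    printf '%s\n' "$1" | awk '
    /^[ \t]*idmap config/ {
        line = $0
        sub(/^[ \t]*idmap config[ \t]*/, "", line)     # -> "SAMDOM : range = 10000-999999"
        i = index(line, ":")
        dom = substr(line, 1, i - 1); gsub(/[ \t]+$/, "", dom)
        rest = substr(line, i + 1)
        j = index(rest, "=")
        key = substr(rest, 1, j - 1); gsub(/[ \t]/, "", key)
        val = substr(rest, j + 1);    gsub(/^[ \t]+|[ \t]+$/, "", val)
        seen[dom] = 1
        if (key == "backend") backend[dom] = val
        if (key == "range")   range[dom] = val
    }
    END {
        bad = 0
        for (d in seen) {
            if (!(d in backend)) { print "no backend for domain " d; bad++ }
            if (!(d in range)) { print "idmap range not specified for domain " d; bad++; continue }
            n = split(range[d], r, "-")
            if (n != 2 || r[1] + 0 > r[2] + 0) { print "invalid idmap range for domain " d ": " range[d]; bad++; continue }
            lo[d] = r[1] + 0; hi[d] = r[2] + 0
        }
        # pairwise overlap test: two closed intervals overlap iff each starts before the other ends
        for (a in lo) for (b in lo)
            if (a < b && lo[a] <= hi[b] && lo[b] <= hi[a]) { print "idmap ranges overlap: " a " and " b; bad++ }
        exit bad
    }'
}

# Stand-alone run: show what each constructed fragment produces.
for name in BROKEN_CONF FIXED_CONF OVERLAP_CONF; do
    eval "conf=\$$name"
    echo "== $name =="
    if check_idmap "$conf"; then echo "ok"; fi
done
```

The linter deliberately prints the same wording as testparm for the missing-range case so the output can be grepped alongside testparm's own. Treat it as a pre-check only: testparm remains the authority for what the running Samba version accepts.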