[Samba] Opensolaris-ish joins but does not seem to be valid

Andrew Martin amartin at xes-inc.com
Tue Oct 10 20:19:06 UTC 2017

----- Original Message -----
> From: "samba" <samba at lists.samba.org>
> To: "samba" <samba at lists.samba.org>
> Sent: Tuesday, October 10, 2017 12:02:11 PM
> Subject: Re: [Samba] Opensolaris-ish joins but does not seem to be valid

> On Tue, 10 Oct 2017 11:28:09 -0500 (CDT)
> Andrew Martin <amartin at xes-inc.com> wrote:
>> > 
>> > Is this from the Opensolaris-ish machine ?
>> > 
>> > I expected to see a smb.conf file from a Unix domain member.
>> > 
>> > If it is from the machine where you are getting '[NT
>> > AUTHORITY]\[ANONYMOUS LOGON]', then can you try 'getent passwd
>> > username'. By default winbind doesn't enumerate users and groups.
>> Running "getent passwd username" does not return anything on the
>> client machine.
> Then you have a problem, your users and groups seem to be unknown to
> the underlying OS.
>> The Solaris CIFS service, aka smb/server, is joined to the domain
>> with "smbadm join -u Administrator example.com" and once joined you
>> can query AD users using "idmap show -cV user at example.com". By
>> default, idmapd uses "Ephemeral mapping", so AD users are represented
>> locally by a randomly-chosen, high-numbered uid rather than their
>> actual uid as stored in uidNumber or elsewhere in AD. This is
>> undesirable, so we have reconfigured idmap to use
>> "directory-based mapping" instead:
>> http://docs.oracle.com/cd/E22471_01/html/820-4167/configuration__services__identity_mapping.html
>> https://docs.oracle.com/cd/E19120-01/open.solaris/820-2429/configuredirbasedmapping/index.html
> If you provisioned the Samba AD DC with --use-rfc2307, then I think you
> should have gone with the IDMU mapping, what we call around here
> 'RFC2307'. By using this, you will be doing something very similar to
> using the winbind 'ad' backend and will be able to use RSAT on a WIN 7
> or 8.1 to admin it.

It has been a while, but the last time I looked into IDMU mode I thought
Samba didn't support it. I thought Windows AD required a separate
installer to be run to add IDMU mode and then some extra fields in AD
needed to be created and proactively synced on a regular basis (e.g.
syncing from the normal userPassword field to unixUserPassword). Are
there any guides or information on how to set up IDMU mode on a Samba DC?

At least on Solaris, it sounds like IDMU is not 100% identical to RFC2307:
> IDMU adds a "UNIX Attributes" panel to the Active Directory Users and
> Computers user interface that lets the administrator specify a number
> of UNIX-related parameters: UID, GID, login shell, home directory, and
> similar for groups. These parameters are made available through AD
> through a schema similar to (but not the same as) RFC2307, and through
> the NIS service.
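The thread's core check is whether the OS actually resolves a domain user ("getent passwd username") and, on Solaris, whether idmapd is still handing out ephemeral uids instead of the uidNumber held in AD. The POSIX shell snippet below is an added example, not code from this thread or from Samba or Oracle: it classifies each domain user as ok, unknown, ephemeral or mismatch by comparing constructed "getent passwd" output against constructed AD uidNumber values. The DOMAIN\user name format, the sample data and the ephemeral threshold of 2147483648 (2^31) are all assumptions made for the example; on a real host you would feed it the output of getent and of an AD query instead.

```shell
#!/bin/sh
# Added example (not from the thread): compare the uid the OS resolves for a
# domain user against the uidNumber the account carries in AD.
# A uid at or above EPHEMERAL_MIN is treated as an ephemeral mapping; the
# 2^31 threshold is an assumption for this example, not a value from the thread.
EPHEMERAL_MIN=2147483648

# Constructed sample: what "getent passwd" might print for three domain users
# (DOMAIN\user naming is assumed).
SAMPLE_PASSWD='EXAMPLE\alice:x:10001:10000:Alice:/home/alice:/bin/bash
EXAMPLE\bob:x:2147483650:2147483651:Bob:/home/bob:/bin/bash
EXAMPLE\carol:x:10003:10000:Carol:/home/carol:/bin/bash'

# Constructed sample: "name uidNumber" as stored in AD for the same users.
SAMPLE_AD='alice 10001
bob 10002
carol 10004'

# lookup_uid NAME: print the uid the OS resolves for NAME (domain prefix
# stripped), or nothing if the user is unknown to the OS.
lookup_uid() {
    printf '%s\n' "$SAMPLE_PASSWD" | awk -F: -v n="$1" '
        { u = $1; sub(/^.*\\/, "", u)      # drop "DOMAIN\" prefix
          if (u == n) { print $3; exit } }'
}

# check_user NAME AD_UIDNUMBER: print exactly one classification:
#   unknown   - getent does not return the user at all
#   ephemeral - uid is in the assumed ephemeral range (idmapd not using
#               directory-based mapping for this account)
#   mismatch  - uid is mapped but differs from the AD uidNumber
#   ok        - uid equals the AD uidNumber
check_user() {
    uid=$(lookup_uid "$1")
    if [ -z "$uid" ]; then
        echo "unknown"
    elif [ "$uid" -ge "$EPHEMERAL_MIN" ]; then
        echo "ephemeral"
    elif [ "$uid" -ne "$2" ]; then
        echo "mismatch"
    else
        echo "ok"
    fi
}

# audit_all: run check_user over every AD entry; prints "name status" lines.
audit_all() {
    printf '%s\n' "$SAMPLE_AD" | while read -r name expected; do
        echo "$name $(check_user "$name" "$expected")"
    done
}

audit_all
```

Running it prints one line per AD user; anything other than "ok" is a mapping the OS will not honour consistently, which is exactly the situation behind the '[NT AUTHORITY]\[ANONYMOUS LOGON]' symptom discussed earlier in the thread.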
