[Samba] samba 4 ad member - idmap = ad for machine accounts

Kacper Wirski k.wirski at babkamedica.pl
Mon Sep 18 11:57:29 UTC 2017

I posted already, but here it is again (it's everything except it has 
not 1 but ~10 SOMESHARE, all with exact same config)

Full entry from smb.conf:

        netbios name = VS-FILES
        security = ADS
        workgroup = MYDOMAIN
        realm = MYDOMAIN.COM

        log file = /var/log/samba/%m.log
        log level = 1

        idmap config *:backend = tdb
        idmap config *:range = 100-2000

        # idmap config for domain MYDOMAIN
        idmap config MYDOMAIN:backend = ad
        idmap config MYDOMAIN:schema_mode = rfc2307
        idmap config MYDOMAIN:range = 4000-99999
#I'm gonna remove enum users/groups as recommended
         winbind enum users = yes
         winbind enum groups = yes
         winbind nested groups = yes
         winbind expand groups = 5
#i'm gonna remove this one too to avoid confusion
         winbind use default domain = yes
         winbind nss info = rfc2307
         vfs objects = acl_xattr
         map acl inherit = yes
         admin users = "@MYDOMAIN\Domain Admins","@MYDOMAIN\Enterprise 
         store dos attributes = yes

         path = /home/shares/SOMESHARE1/
         read only = no

         path = /home/shares/SOMESHARE2/
         read only = no
         path = /home/shares/SOMESHARE10/
         read only = no

Correct me please if I'm wrong, but:
idmap = AD
means that winbind on the samba 4 domain member, when idmapping domain 
users, looks at:
attributes set in AD for these users when mapping Windows-to-Unix 
users? At least these values I'm getting from samba 4 domain member when 
using getent for domain users, and these values can be viewed when 
looking at files from unix perspective.
At first I thought that setting those values for machine accounts, as 
long as they're in range of the MYDOMAIN:range, should be enough, but I 
was unable to make it work; I'm getting access denied.

Since changing from idmap = ad to idmap = rid fixes everything, it leads 
me to believe some other attribute is checked by winbindd when doing 
domain-to-local user mappings.
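The post asks what winbind's ad backend actually reads when it maps a domain account to a Unix ID. With idmap config MYDOMAIN:backend = ad and schema_mode = rfc2307, winbind takes uidNumber and gidNumber from the AD object itself, and both values must fall inside the configured idmap range; with winbind nss info = rfc2307 the account's own gidNumber is also used as its primary group, so that gidNumber has to belong to a group that carries it. The checker below is an added example, not code from the mailing-list post or from the Samba project. It parses the idmap range out of an smb.conf fragment and runs over a constructed LDIF-style export (the account and group names, DNs and ID values are invented for the example; in practice the export would come from ldbsearch or ldapsearch against the DC), reporting for each user or computer object why winbind could not map it.

```python
"""Check AD objects for the RFC 2307 attributes that winbind's idmap 'ad'
backend needs, against the range configured in smb.conf.

Added example; not from the mailing-list post or the Samba project.
"""
import re

# smb.conf fragment (the idmap lines from the post).
SMB_CONF = """
        idmap config *:backend = tdb
        idmap config *:range = 100-2000
        idmap config MYDOMAIN:backend = ad
        idmap config MYDOMAIN:schema_mode = rfc2307
        idmap config MYDOMAIN:range = 4000-99999
"""

# Constructed LDIF export: one user with full RFC 2307 attributes, the
# file server's machine account with none, a second machine account whose
# uidNumber lies outside the configured range, and the groups they use.
# Computer objects in AD also carry objectClass 'user', which is why the
# checker treats them like users. All names and numbers are invented.
LDIF = """\
dn: CN=jsmith,CN=Users,DC=mydomain,DC=com
sAMAccountName: jsmith
objectClass: user
uidNumber: 4001
gidNumber: 4500

dn: CN=VS-FILES,CN=Computers,DC=mydomain,DC=com
sAMAccountName: VS-FILES$
objectClass: computer
objectClass: user

dn: CN=WS-01,CN=Computers,DC=mydomain,DC=com
sAMAccountName: WS-01$
objectClass: computer
objectClass: user
uidNumber: 3000
gidNumber: 4600

dn: CN=Domain Users,CN=Users,DC=mydomain,DC=com
sAMAccountName: Domain Users
objectClass: group
gidNumber: 4500

dn: CN=Domain Computers,CN=Users,DC=mydomain,DC=com
sAMAccountName: Domain Computers
objectClass: group
"""


def parse_idmap_range(conf, domain):
    """Return (low, high) from 'idmap config DOMAIN:range = low-high'."""
    pattern = r"idmap config %s\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)" % re.escape(domain)
    m = re.search(pattern, conf, re.IGNORECASE)
    if not m:
        raise ValueError("no idmap range configured for domain %s" % domain)
    return int(m.group(1)), int(m.group(2))


def parse_ldif(text):
    """Parse a minimal LDIF export into a list of {attribute: [values]} dicts."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = {}
        for line in block.splitlines():
            key, _, value = line.partition(": ")
            entry.setdefault(key, []).append(value)
        entries.append(entry)
    return entries


def groups_without_gidnumber(entries):
    """Names of group objects that winbind's ad backend cannot map at all."""
    return [e["sAMAccountName"][0] for e in entries
            if "group" in e.get("objectClass", []) and "gidNumber" not in e]


def check_idmap_ad(entries, low, high):
    """Map each user/computer account to the list of reasons it cannot be mapped.

    An empty list means the object has what the ad backend reads: a uidNumber
    and a gidNumber inside the range, with the gidNumber present on a group.
    """
    group_gids = {int(e["gidNumber"][0]) for e in entries
                  if "group" in e.get("objectClass", []) and "gidNumber" in e}
    report = {}
    for e in entries:
        if "user" not in e.get("objectClass", []):
            continue
        issues = []
        uid = e.get("uidNumber")
        gid = e.get("gidNumber")
        if uid is None:
            issues.append("no uidNumber")
        elif not low <= int(uid[0]) <= high:
            issues.append("uidNumber %s outside %d-%d" % (uid[0], low, high))
        if gid is None:
            issues.append("no gidNumber")
        elif not low <= int(gid[0]) <= high:
            issues.append("gidNumber %s outside %d-%d" % (gid[0], low, high))
        elif int(gid[0]) not in group_gids:
            issues.append("gidNumber %s matches no group with that gidNumber" % gid[0])
        report[e["sAMAccountName"][0]] = issues
    return report


if __name__ == "__main__":
    low, high = parse_idmap_range(SMB_CONF, "MYDOMAIN")
    objects = parse_ldif(LDIF)
    for name, issues in check_idmap_ad(objects, low, high).items():
        print("%-16s %s" % (name, "OK" if not issues else "; ".join(issues)))
    for name in groups_without_gidnumber(objects):
        print("%-16s group has no gidNumber" % name)
```

Run against the constructed data, the machine account VS-FILES$ is reported as missing both attributes, which is the situation the post describes for machine accounts, while jsmith maps cleanly; the group report shows Domain Computers without a gidNumber, the kind of gap that a switch to the rid backend hides because rid derives IDs from the SID instead of reading attributes.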
