[Samba] samba 4 ad member - idmap = ad for machine accounts

Mon Sep 18 12:36:25 UTC 2017

On Mon, 18 Sep 2017 13:57:29 +0200
Kacper Wirski via samba <samba at lists.samba.org> wrote:

> I posted already, but here it is again (it's everythign except it has 
> not 1 but ~10 SOMESHARE, all with exact same config)

Sorry, bad morning

> 
> Full entry from smb.conf:
> 
> [global]
>         netbios name = VS-FILES
>         security = ADS
>         workgroup = MYDOMAIN
>         realm = MYDOMAIN.COM
> 
>         log file = /var/log/samba/%m.log
>         log level = 1
> 
> 
>         idmap config *:backend = tdb
>         idmap config *:range = 100-2000
> 
>         # idmap config for domain MYDOMAIN
>         idmap config MYDOMAIN:backend = ad
>         idmap config MYDOMAIN:schema_mode = rfc2307
>         idmap config MYDOMAIN:range = 4000-99999
> #I'm gonna remove enum users/groups as recommended
>          winbind enum users = yes
>          winbind enum groups = yes
>          winbind nested groups = yes
>          winbind expand groups = 5
> #i'm gonna remove this one too to avoid confusion
>          winbind use default domain = yes
>          winbind nss info = rfc2307
>          vfs objects = acl_xattr
>          map acl inherit = yes
>          admin users = "@MYDOMAIN\Domain
> Admins","@MYDOMAIN\Enterprise Admins"
>          store dos attributes = yes
> 
> [SOMESHARE1]
>          path = /home/shares/SOMESHARE1/
>          read only = no
> 
> [SOMESHARE2]
>          path = /home/shares/SOMESHARE2/
>          read only = no
> ......
> [SOMESHARE10]
>          path = /home/shares/SOMESHARE10/
>          read only = no
> 
> 
> .............
> Correct me please if I'm wrong, but:
> idmap = AD
> means that winbind on the samba 4 domain member, when idmapping
> domain users looks at:
> gidNumber
> uidNumber
> attributes set in AD for this users when mapping windows - to - unix 
> users? At least these values i'm getting from samba 4 domain member
> when using getent for domain users and these values can be viewed
> when looking at files from unix perspective.

Yes that is correct

> At first I thought, that setting those values for machine accounts,
> as long as they're in range of the MYDOMAIN:range should be enough,
> but I was unable to make it work, I'm getting access denied.

OK, this (basically) is how the 'ad' backend works:

if a user has a uidNumber attribute that contains a number that is
inside the 'DOMAIN' range set in smb.conf (in your case 4000-99999)
AND the users primary group has a gidNumber inside the same range,
then that user becomes a Unix user.
This means that Domain Users must have a gidNumber for users to be
shown.
Computers are a bit different, they have a different primary group,
Domain Computers, so this means that this group needs a gidNumberto
make your uidNumber enabled computers known to Unix.

> 
> Since changing from idmap = ad to idmap = rid fixes everything it
> leads me to believe some other attribute is checked by winbindd when
> doing domain-to-local user mappings.
> 

No, using the 'ad' backend means the RFC2307 attributes are used, using
the 'rid' backend means they are ignored and the IDs are calculated
from the RID.

I think Louis needs to comment here, he seems to know all about using
'SYSTEM'.

Rowland