[Samba] Sample smb.conf for ADs authentication

Rowland Penny rpenny at samba.org
Fri Dec 14 21:15:02 UTC 2018

On Fri, 14 Dec 2018 15:27:27 -0500
Gilbert Soucy <gsoucy at 36pix.com> wrote:

> Wow, we made some good progress. We can see the users and actually
> mount a share on windows. Only issue: the uids and guids are wrong.
> This is because of the backend : rip, I suppose.
> >Try adding 'winbind use default domain = yes'
> >Restart Samba and then try it like this:
> >
> > getent passwd t3500
> That did not help.
> >If that doesn't work, change your 'idmap config' lines to these:
> >
> >      idmap config * : backend = tdb
> >       idmap config * : range = 3000-7999
> >       idmap config DOMAIN:backend = *rid*
> >      idmap config DOMAIN:range = 10000-999999
> The rid helped:
> [root at server samba]# id DOMAIN\\user
> uid=1611(DOMAIN\user) gid=1013(DOMAIN\domain users)
> groups=1013(DOMAIN\domain
> users),1611(DOMAIN\gsoucy),1610(DOMAIN\sudoers),3104(DOMAIN\@dmin),1607(DOMAIN\test),1620(DOMAIN\labtest),1621(DOMAIN),1622(DOMAIN\lab)
> but the ids are not what we wrote as uids and guids in the AD
> interface (windows).
> Nevertheless encouraging. Any idea on why the *ad* back end does not
> work?

As I said, it was only a test, it shows that there is connectivity to
your AD DC, but the IDs are not what I expected.

The 'rid' backend works by calculating the ID from the user or group RID.
It uses this formula:


The 'BASE_RID' defaults to '0', so it becomes:


The 'LOW_RANGE' is what is set in smb.conf:

ID = RID - BASE_RID + 10000

So all the users and groups should be '10000' or above.

Did you restart Samba and also run 'net cache flush'?

For the 'ad' winbind backend to work, your users MUST have a uidNumber
attribute containing a unique number inside the range you have set for
the 'DOMAIN' in smb.conf (10000-999999). 

The user's primary group MUST also have a gidNumber containing a number
inside the same range.

This means that unless you have 'idmap config DOMAIN:unix_primary_group
= yes' set in smb.conf (only from Samba 4.6.0), you MUST give Domain
Users a gidNumber. 

If you do have the line and are using Samba >= 4.6.0, you must give the
user a gidNumber attribute containing the gidNumber of the group that
you require to be the user's Unix primary group. If you do not add the
user's gidNumber attribute, it falls back to Domain Users, so again,
this must have a gidNumber.
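The rid formula and the 'ad' backend requirements above, modelled as an added example (this is not code from the thread or from Samba itself); the AD objects, RIDs and ID values are constructed, and the checks follow the message rather than Samba's own source:

```python
# Added example, not code from the Samba thread: models the two winbind
# idmap backends discussed above. The sample AD objects are constructed.

DOMAIN_RANGE = (10000, 999999)  # 'idmap config DOMAIN:range' from the thread


def rid_to_unix_id(rid, base_rid=0, id_range=DOMAIN_RANGE):
    """idmap_rid: ID = RID - BASE_RID + LOW_RANGE_ID (BASE_RID defaults to 0).

    Returns None when the result falls outside the configured range,
    i.e. when winbind would leave the object unmapped.
    """
    low, high = id_range
    unix_id = rid - base_rid + low
    return unix_id if low <= unix_id <= high else None


def _in_range(value, id_range):
    return value is not None and id_range[0] <= value <= id_range[1]


def ad_backend_ids(user, groups, unix_primary_group=False, id_range=DOMAIN_RANGE):
    """idmap_ad: return (uid, gid) or raise ValueError naming what is missing.

    user:   dict with uidNumber, optional gidNumber and primaryGroupID (a RID)
    groups: dict RID -> {'name': ..., 'gidNumber': ...}
    unix_primary_group: models 'idmap config DOMAIN:unix_primary_group = yes'
    """
    uid = user.get("uidNumber")
    if not _in_range(uid, id_range):
        raise ValueError(f"user needs a uidNumber inside {id_range[0]}-{id_range[1]}")

    gid = user.get("gidNumber") if unix_primary_group else None  # only honoured with the option
    if gid is None:
        # Fall back to the AD primary group, normally Domain Users (RID 513),
        # which therefore must carry a gidNumber inside the range
        group = groups.get(user.get("primaryGroupID", 513), {})
        gid = group.get("gidNumber")
        if not _in_range(gid, id_range):
            raise ValueError(f"primary group {group.get('name', '?')!r} needs a gidNumber "
                             f"inside {id_range[0]}-{id_range[1]}")
    elif not _in_range(gid, id_range):
        raise ValueError(f"user gidNumber {gid} is outside {id_range[0]}-{id_range[1]}")
    return uid, gid


# Constructed sample objects (not taken from the thread)
GROUPS = {513: {"name": "Domain Users", "gidNumber": 10513},
          1105: {"name": "sudoers", "gidNumber": 11105}}
USER = {"sAMAccountName": "user", "uidNumber": 11001, "primaryGroupID": 513}
```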

