[Samba] idmap config ad: can't resolve domain users' uids

Francesco Malvezzi francesco.malvezzi at unimore.it
Fri Feb 16 11:12:32 UTC 2018


Dear experts,

I would like to set up idmap config ad. I already have the uidNumber
attribute populated in AD.

But there is something very basic wrong with my config:

[global]
	netbios name = ADDC
	realm = EXAMPLE.ORG
	workgroup = EXAMPLEAD
	dns forwarder = #trimmed
	server role = active directory domain controller
	log level = 3
	log file = /var/log/samba/log.%m
	interfaces = eth0, lo
	bind interfaces only = Yes
	tls enabled = yes
	tls keyfile = /opt/samba/private/tls/addc.key
	tls certfile = /etc/ssl/certs/addc.pem
	tls cafile = /etc/ssl/certs/DigiCertCA.crt
	tls verify peer = ca_only
	printcap name = /dev/null
	ldap server require strong auth = allow_sasl_over_tls

	# idmap config for the EXAMPLEAD domain
	idmap config EXAMPLEAD : backend = ad
	idmap config EXAMPLEAD : schema_mode = rfc2307
	idmap config EXAMPLEAD : range = 1005-999999

	idmap config * : backend = tdb
	idmap config * : range = 2000000-3999999
	# Template settings for login shell and home directory
	template shell = /bin/bash
	template homedir = /home/%U

When I try to get the uid from the SID, domain users apparently aren't
in EXAMPLEAD:

francesco at addc:/opt/samba$ ./bin/wbinfo --own-domain
EXAMPLEAD

francesco at addc:/opt/samba$ ./bin/wbinfo -S
S-1-5-21-3239498231-402109693-a-few-numbers-27015
failed to call wbcSidToUid: WBC_ERR_DOMAIN_NOT_FOUND
Could not convert sid S-1-5-21-3239498231-402109693-a-few-numbers-27015
to uid

(If I'm correct, this error doesn't mean the user is missing the uidNumber
attribute. It means the user is part of an unknown domain.)

Moreover, checking the config:
francesco at addc:/opt/samba$ ./bin/testparm -v
Load smb config files from /opt/samba/etc/smb.conf
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[netlogon]"
Processing section "[sysvol]"
Loaded services file OK.
ERROR: The idmap range for the domain * (tdb) overlaps with the range of
EXAMMPLEAD (ad)!

Server role: ROLE_ACTIVE_DIRECTORY_DC
[...]

How is it possible * (tdb) and EXAMPLEAD (ad) overlap?

The ad range is supposed to be 1005-999999, and it is well disjoint from the
tdb range 2000000-3999999.

What am I overlooking?

Thank you,

Francesco
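
The following is an added example, not part of the original message or of Samba itself. It performs the same two sanity checks a practitioner would run on idmap blocks before trusting them: it parses every `idmap config DOMAIN : option = value` line out of an smb.conf text, reports ranges that overlap (two SIDs mapping into the same uid space is the failure that matters for file permissions), and flags any `idmap config` block naming a domain that winbind does not know about, since such a block is simply never consulted and lookups fall through to the `*` backend. The two smb.conf fragments are constructed for the example; `known_domains` is whatever you obtain from `wbinfo --own-domain` and `wbinfo -m` on the host.

```python
import re
from dataclasses import dataclass
from itertools import combinations
from typing import Dict, List, Optional

# Matches e.g. "idmap config EXAMPLEAD : range = 1005-999999" (spacing may vary).
IDMAP_RE = re.compile(
    r"^\s*idmap\s+config\s+(?P<domain>\S+)\s*:\s*(?P<option>\w+)\s*=\s*(?P<value>.+?)\s*$",
    re.IGNORECASE,
)


@dataclass
class IdmapDomain:
    name: str
    backend: Optional[str] = None
    low: Optional[int] = None
    high: Optional[int] = None


def parse_idmap_config(smb_conf: str) -> Dict[str, IdmapDomain]:
    """Collect backend and range per idmap domain from smb.conf text."""
    domains: Dict[str, IdmapDomain] = {}
    for raw in smb_conf.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        m = IDMAP_RE.match(line)
        if not m:
            continue
        # Domain names are matched case-insensitively by winbind; normalise.
        name = m["domain"].upper()
        dom = domains.setdefault(name, IdmapDomain(name))
        option, value = m["option"].lower(), m["value"]
        if option == "backend":
            dom.backend = value.lower()
        elif option == "range":
            lo, _, hi = value.partition("-")
            dom.low, dom.high = int(lo), int(hi)
    return domains


def find_range_problems(domains: Dict[str, IdmapDomain]) -> List[str]:
    """Report missing/inverted ranges and any pair of ranges that intersect."""
    problems: List[str] = []
    usable: List[IdmapDomain] = []
    for d in domains.values():
        if d.low is None or d.high is None:
            problems.append(f"{d.name} ({d.backend}): no range configured")
        elif d.low > d.high:
            problems.append(f"{d.name} ({d.backend}): range {d.low}-{d.high} is inverted")
        else:
            usable.append(d)
    usable.sort(key=lambda d: d.low)
    # Pairwise check (n is tiny) so nested ranges are not missed.
    for a, b in combinations(usable, 2):
        if b.low <= a.high and a.low <= b.high:
            problems.append(
                f"{a.name} ({a.backend}) {a.low}-{a.high} overlaps "
                f"{b.name} ({b.backend}) {b.low}-{b.high}"
            )
    return problems


def find_unused_blocks(domains: Dict[str, IdmapDomain], known_domains: List[str]) -> List[str]:
    """idmap blocks whose domain winbind will never match (typo or wrong name)."""
    known = {k.upper() for k in known_domains}
    return sorted(n for n in domains if n != "*" and n not in known)


# Constructed fragment mirroring the posted layout: disjoint ranges.
DISJOINT_CONF = """
[global]
	idmap config EXAMPLEAD : backend = ad
	idmap config EXAMPLEAD : schema_mode = rfc2307
	idmap config EXAMPLEAD : range = 1005-999999
	idmap config * : backend = tdb
	idmap config * : range = 2000000-3999999
"""

# Constructed fragment where the default range intrudes into the ad range.
OVERLAPPING_CONF = """
	idmap config EXAMPLEAD : backend = ad
	idmap config EXAMPLEAD : range = 1005-999999
	idmap config * : backend = tdb
	idmap config * : range = 500000-3999999
"""

if __name__ == "__main__":
    for label, conf in (("disjoint", DISJOINT_CONF), ("overlapping", OVERLAPPING_CONF)):
        doms = parse_idmap_config(conf)
        print(label, find_range_problems(doms) or "ranges OK",
              "unused:", find_unused_blocks(doms, ["EXAMPLEAD"]))
```

Run it against a copy of the real smb.conf (`parse_idmap_config(open(path).read())`) and pass the domain list winbind actually reports; a block that shows up in `find_unused_blocks` is one whose users will silently be allocated ids from the `*` range instead of their AD uidNumber.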


