[Samba] idmap config ad: can't resolve domain users' uids
Francesco Malvezzi
francesco.malvezzi at unimore.it
Fri Feb 16 11:12:32 UTC 2018
Dear experts,
I would like to set up idmap config ad. I already have the uidNumber
attribute populated in AD.
But there is something very basic wrong with my config:
[global]
netbios name = ADDC
realm = EXAMPLE.ORG
workgroup = EXAMPLEAD
dns forwarder = #trimmed
server role = active directory domain controller
log level = 3
log file = /var/log/samba/log.%m
interfaces = eth0, lo
bind interfaces only = Yes
tls enabled = yes
tls keyfile = /opt/samba/private/tls/addc.key
tls certfile = /etc/ssl/certs/addc.pem
tls cafile = /etc/ssl/certs/DigiCertCA.crt
tls verify peer = ca_only
printcap name = /dev/null
ldap server require strong auth = allow_sasl_over_tls
# idmap config for the EXAMPLEAD domain
idmap config EXAMPLEAD : backend = ad
idmap config EXAMPLEAD : schema_mode = rfc2307
idmap config EXAMPLEAD : range = 1005-999999
idmap config * : backend = tdb
idmap config * : range = 2000000-3999999
# Template settings for login shell and home directory
template shell = /bin/bash
template homedir = /home/%U
When I try to get the uid from the sid, domain users apparently aren't
in EXAMPLEAD:
francesco at addc:/opt/samba$ ./bin/wbinfo --own-domain
EXAMPLEAD
francesco at addc:/opt/samba$ ./bin/wbinfo -S
S-1-5-21-3239498231-402109693-a-few-numbers-27015
failed to call wbcSidToUid: WBC_ERR_DOMAIN_NOT_FOUND
Could not convert sid S-1-5-21-3239498231-402109693-a-few-numbers-27015
to uid
(If I'm correct, this error doesn't mean the user is missing the uidNumber
attribute. It means the user is part of an unknown domain.)
Moreover, checking the config:
francesco at addc:/opt/samba$ ./bin/testparm -v
Load smb config files from /opt/samba/etc/smb.conf
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[netlogon]"
Processing section "[sysvol]"
Loaded services file OK.
ERROR: The idmap range for the domain * (tdb) overlaps with the range of
EXAMMPLEAD (ad)!
Server role: ROLE_ACTIVE_DIRECTORY_DC
[...]
How is it possible that * (tdb) and EXAMPLEAD (ad) overlap?
The ad range is supposed to be 1005-999999, and it is well disjoint from the
tdb range 2000000-3999999.
What am I overlooking?
thank you,
Francesco
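As an added illustration (this is not code from the post above or from the Samba project), the following Python script parses the "idmap config" lines of an smb.conf, checks every configured range for overlap the way the testparm message in the post complains about, and reports which configured domain a given uid would fall into. The SAMPLE_SMB_CONF text is constructed from the ranges quoted in the post; the function names and the simplified line-oriented parsing are assumptions of this example, not Samba's own parser.

```python
"""Parse 'idmap config' lines from an smb.conf and sanity-check the ranges.

Added example: a stand-alone checker for idmap range configuration,
not part of the Samba project or of the mailing-list post it follows.
"""
import re

# Constructed sample: the idmap-related [global] lines from the post.
SAMPLE_SMB_CONF = """\
[global]
    workgroup = EXAMPLEAD
    # idmap config for the EXAMPLEAD domain
    idmap config EXAMPLEAD : backend = ad
    idmap config EXAMPLEAD : schema_mode = rfc2307
    idmap config EXAMPLEAD : range = 1005-999999
    idmap config * : backend = tdb
    idmap config * : range = 2000000-3999999
"""

# Matches:  idmap config <domain> : <option> = <value>
IDMAP_RE = re.compile(
    r"^\s*idmap\s+config\s+(\S+)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.IGNORECASE
)


def parse_idmap_config(text):
    """Return {domain: {option: value}} for every 'idmap config' line.

    Comment lines starting with '#' or ';' are skipped, as smb.conf does.
    Domain names are upper-cased because Samba treats them case-insensitively;
    the default domain '*' is kept verbatim.
    """
    domains = {}
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped[0] in "#;":
            continue
        m = IDMAP_RE.match(line)
        if not m:
            continue
        dom, opt, val = m.group(1).upper(), m.group(2).lower(), m.group(3)
        domains.setdefault(dom, {})[opt] = val
    return domains


def parse_range(value):
    """Turn 'low-high' into (low, high), rejecting an inverted range."""
    low, high = (int(x) for x in value.split("-", 1))
    if low > high:
        raise ValueError(f"inverted idmap range: {value}")
    return low, high


def find_range_overlaps(domains):
    """Return the list of (domain_a, domain_b) pairs whose ranges intersect.

    Two closed intervals [a_lo, a_hi] and [b_lo, b_hi] overlap exactly when
    a_lo <= b_hi and b_lo <= a_hi.  An empty list means all ranges are disjoint.
    """
    ranges = {d: parse_range(o["range"]) for d, o in domains.items() if "range" in o}
    names = sorted(ranges)
    overlaps = []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            a_lo, a_hi = ranges[a]
            b_lo, b_hi = ranges[b]
            if a_lo <= b_hi and b_lo <= a_hi:
                overlaps.append((a, b))
    return overlaps


def range_owner(domains, uid):
    """Return the domain whose configured range contains uid, or None.

    Useful when a uidNumber stored in AD is suspected to lie outside the
    'idmap config <DOMAIN> : range' that the ad backend is allowed to use.
    """
    for dom, opts in domains.items():
        if "range" in opts:
            lo, hi = parse_range(opts["range"])
            if lo <= uid <= hi:
                return dom
    return None


if __name__ == "__main__":
    cfg = parse_idmap_config(SAMPLE_SMB_CONF)
    for dom, opts in sorted(cfg.items()):
        print(f"{dom:12s} backend={opts.get('backend')} range={opts.get('range')}")
    print("overlaps:", find_range_overlaps(cfg) or "none")
    for probe in (5000, 2500000, 100):
        print(f"uid {probe} -> {range_owner(cfg, probe)}")
```

Run it against a real file by replacing SAMPLE_SMB_CONF with the contents of your smb.conf. Note that this checker only looks at literal "idmap config" lines; it does not follow "include =" directives or expand %-macros, so for anything beyond a quick sanity check, testparm remains the authoritative tool.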