[Samba] idmap config ad: can't resolve domain users' uids

Francesco Malvezzi francesco.malvezzi at unimore.it
Fri Feb 16 14:39:53 UTC 2018


> 
> Let's see if I can explain it for you ;-)

good!

> 
> If you use a DC as a fileserver (by the way, lots of people do not
> recommend doing this), 

true. I understand.

> by default users & groups are assigned
> xidNumber attributes in the '3000000' range. These 'xidNumbers' are
> stored in 'idmap.ldb'

got the point: id mapping works differently on an AD DC and on a Member server.

> You can override these 'xidNumber' attributes by giving your users a
> unique 'uidNumber' and groups a 'gidNumber'.

I tried to do that, but as I did, it has not been working:

addc:/opt/samba# ./bin/ldbsearch -H ./private/sam.ldb 'cn=bacedifo'
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
# record 1
dn: CN=bacedifo,OU=people,DC=example,DC=org
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: bacedifo
sn: BACEDIFO
ou: Dipendenti
ou: people
description: Francesco BACEDIFO
givenName: Francesco
instanceType: 4
whenCreated: 20160826181053.0Z
displayName: Francesco BACEDIFO
uSNCreated: 55083
name: bacedifo
objectGUID: e92344b9-eb05-4e4a-8b7d-fc12773e1e0a
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
primaryGroupID: 513
objectSid: S-1-5-21-3239498231-402109693-3067992304-52143
sAMAccountName: bacedifo
sAMAccountType: 805306368
userPrincipalName: bacedifo at example.org
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=example,DC=org
mail: francesco.bacedifo at example.org
userAccountControl: 512
memberOf: CN=si_admins,OU=examplegroups,DC=example,DC=org
accountExpires: 131651439820000000
pwdLastSet: 131625519833323360
lastLogonTimestamp: 131625621192353740
uidNumber: 41312
loginShell: /bin/mosh
gidNumber: 41312
unixHomeDirectory: /homel/bacedifo
homeDirectory: \\homesrv2.dmz-int.unimo.it\bacedifo
whenChanged: 20180214130711.0Z
uSNChanged: 811421
lastLogon: 131632577629398150
logonCount: 330
distinguishedName: CN=bacedifo,OU=people,DC=example,DC=org


> 
> If you want the OS to know who the users and groups are, you will need
> something to extract the data from either 'idmap.ldb' or AD, Samba
> uses the libnss_winbind links, other methods are available.

thank you (actually I should bow in front of you),

Francesco
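
As an added example (not part of the original message or of Samba), this Python script reads ldbsearch output like the dump above and reports, per account, whether uidNumber and gidNumber are set and whether either falls in the 3000000 range the DC uses for automatic xidNumbers. The sample records are constructed, the function names are hypothetical, and the upper bound of 4000000 is an assumption.

```python
import re
XID_RANGE = range(3000000, 4000000)  # lower bound per the thread; upper bound is an assumption
# Constructed sample in the shape of the ldbsearch output quoted above.
SAMPLE = """\
GENSEC backend 'krb5' registered
# record 1
dn: CN=alice,OU=people,DC=example,DC=org
sAMAccountName: alice
uidNumber: 41312
gidNumber: 41312

# record 2
dn: CN=bob,OU=people,DC=example,DC=org
sAMAccountName: bob

# record 3
dn: CN=carol,OU=people,DC=example,DC=org
sAMAccountName: carol
uidNumber: 3000017
gidNumber: 41313
"""

def parse_records(text):
    # One dict per "# record N" block; banner, blank and non-attribute lines are skipped.
    records, current = [], None
    for line in text.splitlines():
        m = re.match(r"^([A-Za-z][A-Za-z0-9-]*): (.*)$", line)
        if line.startswith("# record"):
            records.append(current := {})
        elif m and current is not None:
            current.setdefault(m.group(1), []).append(m.group(2))
    return records

def check_unix_ids(record):
    # Hypothetical check: both RFC 2307 attributes present and outside XID_RANGE.
    problems = []
    for attr in ("uidNumber", "gidNumber"):
        values = record.get(attr)
        if not values:
            problems.append(f"{attr} missing")
        elif int(values[0]) in XID_RANGE:
            problems.append(f"{attr} {values[0]} inside xidNumber range")
    return record.get("sAMAccountName", ["?"])[0], problems

def audit(text):
    return dict(check_unix_ids(r) for r in parse_records(text))

if __name__ == "__main__":
    for name, problems in audit(SAMPLE).items():
        print(name, "ok" if not problems else "; ".join(problems))
```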


