[Samba] Having problem with RID backend - must be missing something

Rowland Penny rpenny at samba.org
Fri Sep 14 08:56:45 UTC 2018

On Thu, 13 Sep 2018 23:41:42 -0400 (EDT)
Rich Webb via samba <samba at lists.samba.org> wrote:

> Greetings, 
> I currently am using Samba 4.8.5 as an AD DC on one server - working
> great! I am also using 4.8.5 on another server joined as a member
> server and I'm trying to configure the RID idmap backend and I
> believe I have the settings correct but when I try to access a share
> on the server from a joined Windows machine I am getting prompted for
> credentials.

What OS ?
If it is Debian, do you have libpam_krb5 installed ?


> Another piece to the puzzle is that I had this configured and working
> with the AD backend but I wanted to try to set it up a little simpler
> so that I don't have to select unix attributes every time I create a
> new user.  So due to this some of my users already have the unix
> attributes assigned to them in the AD.  The one that I am testing
> with (that is asking for credentials) does not.  In fact the behavior
> that I am seeing is identical to that of having created a new user
> and forgetting to add the unix attributes.  The result is no access
> to the file server shares.

Having rfc2307 attributes in AD shouldn't affect the way the 'rid'
backend works.

> Some background is that there is only ever going to be one file
> server in this setup and one or two domain controllers but all
> running samba 4.  No network users are ever going to log into the
> Linux servers - they will all be Windows users accessing file
> shares.  Samba was compiled from source - only change on the file
> server compile was that I included --without-ad-dc.
> I tried to follow the wiki on Setting up Samba as a domain member. 

Did you find it easy to understand ?

> I hope I have included enough information for someone to go "Ah Ha!"
> and know exactly what is wrong with my setup here.

Well, No ;-)

There doesn't seem to be anything really wrong, I would use this:

   workgroup = CUSTOMER
   security = ADS

   idmap config *:backend = tdb
   idmap config *:range = 3000-7999
   idmap config CUSTOMER:backend = rid
   idmap config CUSTOMER:range = 10000-999999

   winbind use default domain = yes
   winbind refresh tickets = Yes

   vfs objects = acl_xattr
   map acl inherit = Yes
   store dos attributes = Yes

        writeable = yes
        path = /server/shared

        writeable = yes
        path = /server/adminonly

You only need the kerberos lines if you are going to connect to AD with
something like squid.

What packages did you install to make Samba work ?

