[Samba] security = ads parameter not working in samba 4.9.5
Rowland Penny
rpenny at samba.org
Wed Dec 11 14:34:44 UTC 2019
On 11/12/2019 14:10, Sac Isilia wrote:
> Hi Rowland,
>
> The good news is that the server is joined to the EMEA-MEDIA domain. But I
> cannot id my user; however, the SID is returned when I run wbinfo.
>
> root at esmad1apl01:~# wbinfo -t
> checking the trust secret for domain EMEA-MEDIA via RPC calls succeeded
> root at esmad1apl01:~# wbinfo -m
> BUILTIN
> ESMAD1APL01
> EMEA-MEDIA
> INT
> DMZ
> EXPLIDO
> WEST
> RAN
> LATAM
> CC-GLOBAL
> MBSINTL
> GLOBAL
> MEDIA
> AP-MEDIA
> MEDIAGROUP
> PLC-GLOBAL
> ECOMMERA0
> GRUPOALESPORT
> MITCH
> JBCP
> USCONCEPTS
> MCGARRYBOWEN
> AXDEV
> AXTEST
> GRUPOPPR
> MGNTX
> SWIRL-DS
> BI
> CORP
> YMEDIA
> FLOCK
> MERKLE
> root at esmad1apl01:~# id media\\skumar17
> id: 'media\\skumar17': no such user
> root at esmad1apl01:~# wbinfo -n media\\skumar17
> S-1-5-21-781940509-1026920532-2428315864-69799 SID_USER (1)
> root at esmad1apl01:~#
>
So, what I read from this is, your 19 DCs are all in different
workgroups and if you continue to use the winbind 'ad' backend, then you
will need to add an 'idmap config' block for every DOMAIN and use
different ranges for each DOMAIN.
OR
you can remove 'winbind use default domain = yes' and change:
idmap config * : backend = tdb
idmap config * : range = 3000-7999
idmap config EMEA-MEDIA : backend = ad
idmap config EMEA-MEDIA : schema_mode = rfc2307
idmap config EMEA-MEDIA : unix_nss_info = yes
idmap config EMEA-MEDIA : range = 16777216-33554431
To:
idmap config * : backend = autorid
idmap config * : range = 10000-9999999
I think you need to fully explain your setup.
Rowland
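
The first option in the reply above (one 'idmap config' block per domain, each with its own range) can be checked mechanically. The following is an added example, not part of the original message and not Samba code: it parses the idmap lines quoted above and reports which domains have no block of their own and which ranges overlap. The domain subset and the function names are assumptions made for illustration.

```python
import re
from itertools import combinations

# Constructed sample: the idmap lines quoted in the message above.
SMB_CONF = """\
[global]
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    idmap config EMEA-MEDIA : backend = ad
    idmap config EMEA-MEDIA : schema_mode = rfc2307
    idmap config EMEA-MEDIA : unix_nss_info = yes
    idmap config EMEA-MEDIA : range = 16777216-33554431
"""
# Constructed sample: a few of the domains listed by `wbinfo -m` above.
DOMAINS = ["EMEA-MEDIA", "MEDIA", "GLOBAL", "INT"]

IDMAP_RE = re.compile(r"^\s*idmap config\s+(\S+)\s*:\s*([\w ]+?)\s*=\s*(.+?)\s*$", re.I)

def parse_idmap(conf_text):
    """Return {domain: {option: value}} from 'idmap config DOM : opt = val' lines."""
    blocks = {}
    for line in conf_text.splitlines():
        if line.lstrip().startswith(("#", ";")):  # skip smb.conf comments
            continue
        m = IDMAP_RE.match(line)
        if m:
            dom, opt, val = m.groups()
            blocks.setdefault(dom.upper(), {})[opt.strip().lower()] = val
    return blocks

def parse_range(value):
    """Turn 'LOW-HIGH' into an (int, int) tuple."""
    low, high = (int(x) for x in value.replace(" ", "").split("-"))
    return low, high

def audit(conf_text, domains):
    """Return (domains without their own idmap block, pairs of overlapping ranges)."""
    blocks = parse_idmap(conf_text)
    unconfigured = [d for d in domains if d.upper() not in blocks]
    ranges = {d: parse_range(b["range"]) for d, b in blocks.items() if "range" in b}
    overlaps = [(a, b) for a, b in combinations(sorted(ranges), 2)
                if ranges[a][0] <= ranges[b][1] and ranges[b][0] <= ranges[a][1]]
    return unconfigured, overlaps

if __name__ == "__main__":
    missing, clashes = audit(SMB_CONF, DOMAINS)
    print("domains with no idmap config block of their own:", missing)
    print("overlapping ranges:", clashes)
```

On a real host the same functions can be run over the output of `testparm -s` and the full `wbinfo -m` list instead of the constructed samples.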