[Samba] idmap backend ad well-known-sids 512 & 513
Kai Noetzel
sambamigration at proclima.com
Wed Feb 13 15:23:10 UTC 2019
Hi,
we are in the process of testing a migration from our NT Classic Domain
with OpenLdap to Samba AD.
In our test setup migration of all accounts, groups and computer
accounts went well using the classicupgrade path.
Next step now is testing how to add a member server for file server
services.
We were able to get the server to join the domain and also idmapping
works mostly as expected.
If we use getent group everything works as expected and we get the
correct group with the correct GID:
root at fileserv2:~# getent group SOMEDOM\\stas
SOMEDOM\stas:x:10165:
We can use getent passwd and wbinfo -i fine for all our ldap created
users and get the correct UID/GID if we are using the config:
idmap config SOMEDOM:unix_primary_group = yes
root at fileserv2:~# getent passwd SOMEDOM\\test.zweimal
SOMEDOM\test.zweimal:*:10409:10000::/home/test.zweimal:/bin/false
root at fileserv2:~# wbinfo -i SOMEDOM\\test.zweimal
SOMEDOM\test.zweimal:*:10409:10000::/home/test.zweimal:/bin/false
10000 is the default GID we were using in ldap for all of our users.
If we remove this line we won't get any output as the primary group then
will be 513 which is the default windows sid for "Domain Users" and as
the mapping only starts at 10000 there is no mapping to find for winbind.
So far so good and we can live perfectly having the line above in our
config to make this work. But we still cannot get the info for "Domain
Users" & "Domain Admins" as they still have the SID 513 & 512.
If we change the groups' GID in AD using the ADUC tool to 10513 & 10512
we are able to get the info out of wbinfo & getent passwd, but I guess
this is not the way to do it properly?
root at fileserv2:~# getent group "SOMEDOM\\Domain Users"
SOMEDOM\domain users:x:10513:
root at fileserv2:~# getent group "SOMEDOM\\Domain Admins"
SOMEDOM\domain admins:x:10512:
Can someone shed some light on this, or maybe I just have some kind of
misunderstanding of the concept? The RID backend will not be an option
for us as we will have multiple domains we need to trust and as far as I
understood this is not possible with RID.
The following smb.conf is used on the member server:
[global]
netbios name = FILESERV2
workgroup = SOMEDOM
security = ADS
realm = AD.SOMEDOM.COM
idmap config *:backend = tdb
idmap config *:range = 3000-7999
idmap config SOMEDOM:backend = ad
idmap config SOMEDOM:schema_mode = rfc2307
idmap config SOMEDOM:range = 10000-999999
idmap config SOMEDOM:unix_nss_info = yes
idmap config SOMEDOM:unix_primary_group = yes
winbind enum users = yes
winbind enum groups = yes
vfs objects = acl_xattr
map acl inherit = yes
store dos attributes = yes
Best,
Kai
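A small diagnostic illustrating the mapping rule behind this report, added here and not taken from the poster or from the Samba project: with `idmap config SOMEDOM:backend = ad`, winbind resolves a group only if it carries a gidNumber and that value lies inside the domain's configured range, which is why the well-known groups with RID 512/513 and no gidNumber return nothing. The smb.conf fragment and the AD group entries are constructed; the RIDs for "stas" and "legacy" are made up.

```python
import re

# Constructed smb.conf fragment mirroring the member-server config above.
SMB_CONF = """
[global]
idmap config *:backend = tdb
idmap config *:range = 3000-7999
idmap config SOMEDOM:backend = ad
idmap config SOMEDOM:schema_mode = rfc2307
idmap config SOMEDOM:range = 10000-999999
"""

# Constructed AD group entries: (sAMAccountName, RID, gidNumber or None).
# RIDs below 1000 are the well-known/built-in objects; the others are invented.
AD_GROUPS = [
    ("Domain Admins", 512, None),
    ("Domain Users", 513, None),
    ("stas", 1165, 10165),
    ("legacy", 1201, 2500),
]

def parse_idmap_ranges(conf):
    """Return {domain: (low, high)} from 'idmap config DOM:range = low-high' lines."""
    ranges = {}
    pattern = r"^\s*idmap config\s+(\S+)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)"
    for m in re.finditer(pattern, conf, re.M):
        ranges[m.group(1)] = (int(m.group(2)), int(m.group(3)))
    return ranges

def check_group_mappings(conf, domain, groups):
    """Classify each group as the ad backend would see it:
    'ok'            - gidNumber present and inside the domain range
    'missing'       - no gidNumber, so winbind finds no mapping at all
    'out_of_range'  - gidNumber present but outside the configured range
    Well-known groups (RID < 1000) are flagged so the admin knows they need
    an explicit gidNumber (the symptom described in the post)."""
    low, high = parse_idmap_ranges(conf)[domain]
    result = {}
    for name, rid, gid in groups:
        if gid is None:
            status = "missing"
        elif not (low <= gid <= high):
            status = "out_of_range"
        else:
            status = "ok"
        result[name] = (status, rid < 1000)
    return result

if __name__ == "__main__":
    for name, (status, wk) in check_group_mappings(SMB_CONF, "SOMEDOM", AD_GROUPS).items():
        print(f"{name}: {status}{' (well-known RID)' if wk else ''}")
```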