[Samba] idmap backend ad well-known-sids 512 & 513

Rowland Penny rpenny at samba.org
Wed Feb 13 16:18:15 UTC 2019

On Wed, 13 Feb 2019 16:23:10 +0100
Kai Noetzel via samba <samba at lists.samba.org> wrote:

> Hi,
> we are in the process of testing a migration from our NT Classic
> Domain with OpenLdap to Samba AD.
> In our test setup migration of all accounts, groups and computer 
> accounts went well using the classicupgrade path.
> Next step now is testing how to add a member server for file server 
> services.
> We were able to get the server to join the domain and also idmapping 
> works mostly as expected.
> If we use getent group everything works as expected and we get the 
> correct group with the correct GID:
> root at fileserv2:~# getent group SOMEDOM\\stas
> SOMEDOM\stas:x:10165:
> We can use getent passwd and wbinfo -i fine for all our ldap created 
> users and get the correct UID/GID if we are using the config:
> idmap config SOMEDOM:unix_primary_group = yes

Have you got any Windows machines?
I ask this because using 'idmap config SOMEDOM:unix_primary_group =
yes' only works locally on the Unix computers; if you connect via
Samba, 'Domain Users' WILL be used.

> root at fileserv2:~# getent passwd SOMEDOM\\test.zweimal
> SOMEDOM\test.zweimal:*:10409:10000::/home/test.zweimal:/bin/false
> root at fileserv2:~# wbinfo -i SOMEDOM\\test.zweimal
> SOMEDOM\test.zweimal:*:10409:10000::/home/test.zweimal:/bin/false
> 10000 is the default GID we were using in ldap for all of our users.

Funny, so is mine, but my group is Domain Users.

> If we remove this line we won't get any output as the primary group
> then will be 513 which is the default windows sid for "Domain Users"
> and as the mapping only starts at 10000 there is no mapping to find
> for winbind.

Ah, this was one of those ideas that was thought to be a good idea
once, 'Let's use the RID for the gidNumber'; time has shown this was a
bad idea ;-)

> So far so good and we can live perfectly having the line above in our 
> config to make this work. But we still cannot get the info for
> "Domain Users" & "Domain Admins" as they still have the SID 513 & 512.
> If we change the groups GID in AD using the ADUC tool to 10513 &
> 10512 we are able to get the info out of wbinfo & getent passwd but I
> guess this is not the way to do it properly?

It is actually; either that, or set the lower DOMAIN range to '500'. The
problem with that is you cannot have ANY local Unix users & groups.

> root at fileserv2:~# getent group "SOMEDOM\\Domain Users"
> SOMEDOM\domain users:x:10513:
> root at fileserv2:~# getent group "SOMEDOM\\Domain Admins"
> SOMEDOM\domain admins:x:10512:
> Can someone shed some light on this, or maybe I just have some kind of
> misunderstanding of the concept. The RID backend will not be an
> option for us as we will have multiple domains we need to trust and
> as far as I understood this is not possible with RID.

It is actually, you set the different domains to have different ranges.

> The following smb.conf is used on the member server:
> [global]
>    netbios name = FILESERV2
>    workgroup = SOMEDOM
>    security = ADS
>    realm = AD.SOMEDOM.COM
>    idmap config *:backend = tdb
>    idmap config *:range = 3000-7999
>    idmap config SOMEDOM:backend = ad
>    idmap config SOMEDOM:schema_mode = rfc2307
>    idmap config SOMEDOM:range = 10000-999999
>    idmap config SOMEDOM:unix_nss_info = yes
>    idmap config SOMEDOM:unix_primary_group = yes

I see you read the wiki ;-)

>    winbind enum users = yes
>    winbind enum groups = yes

Once you are sure everything is running OK, remove the two lines above.
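As an added illustration of the range problem discussed in this thread (this is not code from the thread or from Samba), the script below parses the 'idmap config' lines of an smb.conf fragment and classifies a group's gidNumber against the domain's idmap range: a gidNumber of 513 carried over from the RID falls below 'range = 10000-999999', so winbind has nothing to hand back, while 10513 is inside it. It also shows why lowering the domain range to 500 is a trade-off: that range then overlaps the default '*' range used for local mappings. The smb.conf text and the gidNumber values are constructed for the example.

```python
import re
from itertools import combinations

# Constructed smb.conf fragment, modelled on the member-server config above.
SMB_CONF = """
[global]
   workgroup = SOMEDOM
   security = ADS
   idmap config *:backend = tdb
   idmap config *:range = 3000-7999
   idmap config SOMEDOM:backend = ad
   idmap config SOMEDOM:schema_mode = rfc2307
   idmap config SOMEDOM:range = 10000-999999
   idmap config SOMEDOM:unix_primary_group = yes
"""

IDMAP_RE = re.compile(r"^\s*idmap config\s+(\S+?)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.I)

def parse_idmap(conf):
    """Return {domain: {option: value}} for every 'idmap config' line."""
    out = {}
    for line in conf.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            out.setdefault(m.group(1), {})[m.group(2).lower()] = m.group(3)
    return out

def range_of(idmap, domain):
    lo, hi = idmap[domain]["range"].split("-")
    return int(lo), int(hi)

def check_gid(idmap, domain, gid):
    """'ok' if gid lies inside the domain's range, else which side it misses."""
    lo, hi = range_of(idmap, domain)
    return "below-range" if gid < lo else "above-range" if gid > hi else "ok"

def overlapping_ranges(idmap):
    """Pairs of idmap domains whose ranges overlap (winbind rejects such configs)."""
    doms = sorted(d for d in idmap if "range" in idmap[d])
    bad = []
    for a, b in combinations(doms, 2):
        (alo, ahi), (blo, bhi) = range_of(idmap, a), range_of(idmap, b)
        if alo <= bhi and blo <= ahi:
            bad.append((a, b))
    return bad

# Hypothetical gidNumber values: 512/513 are the RIDs reused as gidNumber.
GROUPS = {"Domain Admins": 512, "Domain Users": 513, "stas": 10165}

def report(idmap, domain, groups=GROUPS):
    return {name: check_gid(idmap, domain, gid) for name, gid in groups.items()}
```

Running report(parse_idmap(SMB_CONF), "SOMEDOM") flags both well-known groups as below-range, and overlapping_ranges() on the same config rewritten with 'range = 500-999999' reports the collision with the '*' range.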
