[Samba] idmap problems

Rob Mason rob at acasta.co.uk
Wed Jan 2 00:29:07 UTC 2019 

I've spent some time updating, upgrading and generally consolidating an old Samba AD. I've managed to remove a very old unsupported (4.2) Samba AD DC following migration to a  couple of new DC's - that seems to have worked out OK. Workstation logons and GPO's working fine.

I'm now left with one problem after joining a new Samba (4.5.12) member server to the domain for file sharing - the idmaps are inconsistent (I suspect this is a remnant from how the old DC was originally built). This is giving me problems setting up file shares.

[global]
        workgroup = SAMDOM
        realm = SAMDOM.INTRA
        netbios name = FILESERVER
        security = ADS
        dns forwarder = 192.168.200.1
        winbind nss info = rfc2307
        idmap config * : backend = tdb
        idmap config * : range = 3000-5900
        idmap config SAMDOM:backend = ad
        idmap config SAMDOM:schema_mode = rfc2307
        idmap config SAMDOM:range = 6000-9999999
        template homedir = /home/%U
        template shell = /bin/bash
        winbind use default domain = true
        winbind offline logon = false
        winbind enum users = yes
        winbind enum groups = yes
        vfs objects = acl_xattr
        map acl inherit = Yes
        store dos attributes = Yes
        # the user.map contains just one mapping for root-admininstrator
        username map = /etc/samba/user.map
[test123]
        path = /data
        read only = no

My problem is that the builtin accounts and domains accounts are mixed within the same ranges. Domain users appeared to originally start at 30000, with domain groups from 60000. Somewhere along the way, perhaps during upgrade, the idmaps have gotten mixed. As a consequence, I cannot create shares as the member server is not enumerating the builtin accounts (except the group 'domain users' with gid of 60001).

The following output shows the current mapping from the AD DC::

# getent group
root:x:0:
...
BUILTIN\administrators:x:3000000:
BUILTIN\users:x:3000009:
BUILTIN\guests:x:3000005:
BUILTIN\account operators:x:3000037:
BUILTIN\server operators:x:3000001:
BUILTIN\print operators:x:3000038:
BUILTIN\backup operators:x:3000039:
BUILTIN\replicator:x:3000040:
BUILTIN\pre-windows 2000 compatible access:x:3000016:
BUILTIN\remote desktop users:x:3000041:
BUILTIN\network configuration operators:x:3000042:
BUILTIN\incoming forest trust builders:x:3000043:
BUILTIN\performance monitor users:x:3000044:
BUILTIN\performance log users:x:3000045:
BUILTIN\windows authorization access group:x:3000046:
BUILTIN\terminal server license servers:x:3000047:
BUILTIN\distributed com users:x:3000048:
BUILTIN\iis_iusrs:x:3000049:
BUILTIN\cryptographic operators:x:3000050:
BUILTIN\event log readers:x:3000051:
BUILTIN\certificate service dcom access:x:3000052:
SAMDOM\cert publishers:x:3000053:
SAMDOM \ras and ias servers:x:3000054:
SAMDOM \allowed rodc password replication group:x:3000055:
SAMDOM \denied rodc password replication group:x:3000005:
SAMDOM \dnsadmins:x:3000056:
SAMDOM \enterprise read-only domain controllers:x:3000057:
SAMDOM \domain admins:x:3000008:
SAMDOM \domain users:x:60001:
SAMDOM \domain guests:x:3000002:
SAMDOM \domain computers:x:3000018:
SAMDOM \domain controllers:x:3000028:
SAMDOM \schema admins:x:3000007:
SAMDOM \enterprise admins:x:3000006:
SAMDOM \group policy creator owners:x:3000004:
SAMDOM \read-only domain controllers:x:3000058:
SAMDOM \dnsupdateproxy:x:3000059:

# getent passwd
root:x:0:0:root:/root:/bin/bash
...
SAMDOM\administrator:*:0:60001::/home/SAMDOM/administrator:/bin/bash
SAMDOM\guest:*:3000001:60001::/home/SAMDOM/guest:/bin/bash
SAMDOM\krbtgt:*:3000036:60001::/home/SAMDOM/krbtgt:/bin/bash
SAMDOM\user1:*:30002:60001::/home/SAMDOM/user1:/bin/bash
SAMDOM\user2:*:30007:60001::/home/SAMDOM/user2:/bin/bash
SAMDOM\user3:*:30008:60001::/home/SAMDOM/user3:/bin/bash
SAMDOM\user4:*:30009:60001::/home/SAMDOM/user4:/bin/bash
...
...


Now on the member server::

# getent passwd
root:x:0:0:root:/root:/bin/bash
...
user1:*:30009:60001:User1:/home/ user1:/bin/false
user2:*:30008:60001: User1:/home/ user2:/bin/false
user3:*:30002:60001: User1:/home/ user3:/bin/bash
user4:*:30007:60001: User1:/home/ user4:/bin/false

# getent group
root:x:0:
...
domain users:x:60001:

I don't see Domain Admins or other groups and builtin users on the member server. This means I cannot grant Domain admins ownership of directories when I create shares. Does this mean I will have to manually re-map the uid/gid attributes in the AD DC???

Thanks

--
Rob Mason


Acasta Ltd - A Crown Commercial Service Supplier. CyberEssentials Certified QGCE013.
Registered in England 6619191. 42 Pitt Street, Barnsley, S70 1BB. VAT Registered 934 6797 75.

More information about the samba mailing list