[Samba] idmap config ad

Rowland Penny rpenny at samba.org
Mon Jan 28 14:27:48 UTC 2019


On Mon, 28 Jan 2019 09:10:58 -0500
Sonic via samba <samba at lists.samba.org> wrote:

> Trying to use the idmap config ad on a domain member. The AD is an
> actual Windows server and when logged in the AD server running ADUC
> the NIS domain field on the UNIX attributes tab only shows a dash and
> cannot be changed.

Does Domain Users have a gidNumber attribute containing a number
inside the 10000-99999 range?

Do any Active Directory groups have such a gidNumber?

> 
> Domain member is RHEL 7.6 running Samba 4.8.3.
> 
> Pertinent part of smb.conf:
> =====================================
> [global]
>         security = ADS
>         workgroup = MYDOMAIN
>         realm = MYDOMAIN.LOCAL
>         server string = mydomain
> 
>         kerberos method = secrets and keytab
>         winbind refresh tickets = yes
> 
>         idmap config * : backend = tdb
>         idmap config * : range = 3000-8999
>         idmap config MYDOMAIN : backend = ad
>         idmap config MYDOMAIN : schema_mode = rfc2307
>         idmap config MYDOMAIN : range = 10000-99999
>         idmap config MYDOMAIN : unix_nss_info = yes
> 
>         vfs objects = acl_xattr
>         map acl inherit = yes
>         store dos attributes = yes
> =====================================
> 
> The documentation seems to strictly point to using a Samba AD with the
> RSAT utility and here we're logged right on to the Windows AD using
> the native ADUC application.

ADUC is part of RSAT and the Samba 'ad' backend works in the same way
that the Unix Attributes tab does.

Rowland
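
An added example, not part of the original thread or of Samba's code: a small Python check that parses the 'idmap config' lines quoted above, confirms the '*' and MYDOMAIN ranges do not overlap, and tests whether each group's gidNumber lies inside the MYDOMAIN range, which is what the reply asks about. The group names and gidNumber values are constructed sample data; on a real system they would come from an LDAP query against the AD.

```python
import re

# 'idmap config' lines copied from the smb.conf quoted in the post.
SMB_CONF = """
[global]
        idmap config * : backend = tdb
        idmap config * : range = 3000-8999
        idmap config MYDOMAIN : backend = ad
        idmap config MYDOMAIN : schema_mode = rfc2307
        idmap config MYDOMAIN : range = 10000-99999
        idmap config MYDOMAIN : unix_nss_info = yes
"""

# Constructed sample: group name -> gidNumber (None = attribute not set).
GROUPS = {"Domain Users": None, "Domain Admins": 10512, "Accounting": 5001}

IDMAP_RE = re.compile(
    r"^\s*idmap config\s+(\S+)\s*:\s*([^=]+?)\s*=\s*(.+?)\s*$", re.I)

def parse_idmap(conf):
    """Return {domain: {option: value}} for every 'idmap config' line."""
    domains = {}
    for line in conf.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            dom, key, val = m.groups()
            domains.setdefault(dom.upper(), {})[key.lower()] = val
    return domains

def id_range(opts):
    """Turn a 'low-high' range option into an (int, int) tuple."""
    low, high = (int(x) for x in opts["range"].split("-"))
    return low, high

def overlapping(domains):
    """Return pairs of idmap domains whose ID ranges intersect."""
    items = sorted((d, id_range(o)) for d, o in domains.items() if "range" in o)
    return [(a, b) for i, (a, (al, ah)) in enumerate(items)
            for b, (bl, bh) in items[i + 1:] if al <= bh and bl <= ah]

def check_groups(domains, domain, groups):
    """Classify each group as 'ok', 'missing' or 'out-of-range'."""
    low, high = id_range(domains[domain.upper()])
    return {name: "missing" if gid is None
            else "ok" if low <= gid <= high else "out-of-range"
            for name, gid in groups.items()}

if __name__ == "__main__":
    cfg = parse_idmap(SMB_CONF)
    print("overlaps:", overlapping(cfg))
    print(check_groups(cfg, "MYDOMAIN", GROUPS))
```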


