[Samba] idmap config DOMAIN Not Working
Banks, David (db2d)
db2d at virginia.edu
Thu May 30 13:03:43 UTC 2019
So, after reading many samba setup pages I was under the impression that “properly” configuring idmap for an AD domain should look something like this
security = ADS
idmap config * : backend = tdb
idmap config * : range = 10000-50000
# DOMAIN
realm = DOMAIN.COM
workgroup = DOMAIN
idmap config DOMAIN:backend = ad
idmap config DOMAIN:range = 100000-500000
idmap config DOMAIN:schema_mode = rfc2307
idmap config DOMAIN:unix_nss_info = yes
idmap config DOMAIN:default = yes
However, I’ve been wrestling with this for weeks now without success. With these config lines users are not able to log in and wbinfo -i user yields the error
failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
If I comment out the domain lines and expand the default range to accommodate the domain range — idmap config * : range 100000-500000 — wbinfo works and users can log in.
My problem: The volumes that make up the shares will be shared from more than one server. With only the default map configured I seem to get server specific mapping. That is when I mount the same volume on another server the filesystem permissions are hosed.
Below is the full smb.conf file. I assume I’m doing something wrong but can’t for the life of me figure out what that is. Has anyone confronted this before?
OS: Ubuntu 18.04
Samba: 4.9.8
Winbind installed
smb.conf (names changed to protect the guilty!)
[global]
# Server
bind interfaces only = yes
server min protocol = SMB2
server string = %h server (Samba, Ubuntu)
allow trusted domains = yes
wins support = no
dns proxy = no
# Authentication
server role = member server
passdb backend = tdbsam
obey pam restrictions = yes
unix password sync = yes
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
pam password change = yes
map to guest = bad user
usershare allow guests = no
# Domains
# Default
kerberos method = secrets and keytab
dedicated keytab file = /etc/krb5.keytab
security = ADS
idmap config * : backend = tdb
idmap config * : range = 100000-500000
# winbind enum users = yes
# winbind enum groups = yes
winbind nested groups = true
winbind use default domain = yes
winbind refresh tickets = yes
# winbind trusted domains only = yes
winbind nss info = rfc2307
# DOMAIN
realm = DOMAIN.COM
workgroup = DOMAIN
# idmap config DOMAIN:backend = ad
# idmap config DOMAIN:range = 100000-500000
# idmap config DOMAIN:schema_mode = rfc2307
# idmap config DOMAIN:unix_nss_info = yes
# idmap config DOMAIN:default = yes
# Client
template homedir = /home/%U
template shell = /bin/bash
client signing = yes
client use spnego = yes
client ntlmv2 auth = yes
client ipc min protocol = SMB2
encrypt passwords = true
restrict anonymous = 2
keepalive = 60
deadtime = 10
disable netbios = yes
smb ports = 445
unix extensions = no
# Logging
log level = 10
log file = /var/log/samba/log.%m
max log size = 1000
panic action = /usr/share/samba/panic-action %d
# Includes
# IP Based Include
include = /etc/samba/smb.conf.%i
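Added example, not the poster's or the Samba project's code: a small Python checker that parses the idmap lines of an smb.conf and reports the consistency problems that winbind refuses to start with or that testparm warns about: a missing default "idmap config *" block, a per-domain block without a backend, a malformed range, two idmap ranges that overlap (the default "*" range included), and per-domain blocks none of which is named after the "workgroup" parameter (winbind looks the block up by the short domain name). The two sample configs embedded in it are constructed for the example: GOOD_CONF mirrors the first snippet above, where the DOMAIN range is separate from the default; OVERLAP_CONF is what the commented-out DOMAIN block in the full smb.conf becomes if it is uncommented as-is, since it then reuses the 100000-500000 range already given to "*".

```python
"""Consistency checks for the idmap section of an smb.conf (added example)."""
import re
from collections import defaultdict

# Constructed sample input modelled on the post's first snippet (not a real site config).
GOOD_CONF = """\
[global]
   security = ADS
   workgroup = DOMAIN
   realm = DOMAIN.COM
   idmap config * : backend = tdb
   idmap config * : range = 10000-50000
   idmap config DOMAIN:backend = ad
   idmap config DOMAIN:range = 100000-500000
   idmap config DOMAIN:schema_mode = rfc2307
"""

# Constructed: the full smb.conf's DOMAIN block uncommented without changing either range.
OVERLAP_CONF = """\
[global]
   security = ADS
   workgroup = DOMAIN
   idmap config * : backend = tdb
   idmap config * : range = 100000-500000
   idmap config DOMAIN:backend = ad
   idmap config DOMAIN:range = 100000-500000
"""

# "idmap config <DOMAIN> : <option> = <value>"; smbd tolerates spaces around the colon.
IDMAP_RE = re.compile(r"^idmap\s+config\s+([^:\s]+)\s*:\s*([a-z_ ]+?)\s*=\s*(.+?)$", re.I)
PARAM_RE = re.compile(r"^([a-z][a-z ]*?)\s*=\s*(.+?)$", re.I)
RANGE_RE = re.compile(r"^(\d+)\s*-\s*(\d+)$")


def parse_smb_conf(text):
    """Return (params, idmap): plain parameters, and domain -> {option: value}.
    Comment lines (# or ;) and section headers are skipped, as smbd skips them."""
    params, idmap = {}, defaultdict(dict)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;[":
            continue
        m = IDMAP_RE.match(line)
        if m:
            idmap[m.group(1).upper()][m.group(2).strip().lower()] = m.group(3).strip()
            continue
        m = PARAM_RE.match(line)
        if m:
            params[m.group(1).strip().lower()] = m.group(2).strip()
    return params, dict(idmap)


def parse_range(value):
    """Parse 'LOW-HIGH'; return (low, high) or None when absent or not low < high."""
    m = RANGE_RE.match(value.strip())
    if not m:
        return None
    low, high = int(m.group(1)), int(m.group(2))
    return (low, high) if low < high else None


def check_idmap(text):
    """Return a list of problem descriptions; an empty list means the idmap config is consistent."""
    params, idmap = parse_smb_conf(text)
    problems = []
    if "*" not in idmap:
        problems.append("missing default 'idmap config *' block")
    ranges = {}
    for dom, opts in sorted(idmap.items()):
        if "backend" not in opts:
            problems.append(f"{dom}: no backend configured")
        rng = parse_range(opts.get("range", ""))
        if rng is None:
            problems.append(f"{dom}: missing or invalid range (expected LOW-HIGH with LOW < HIGH)")
        else:
            ranges[dom] = rng
    # Every pair of ranges, the default one included, must be disjoint.
    doms = sorted(ranges)
    for i, a in enumerate(doms):
        for b in doms[i + 1:]:
            (al, ah), (bl, bh) = ranges[a], ranges[b]
            if al <= bh and bl <= ah:
                problems.append(f"{a} range {al}-{ah} overlaps {b} range {bl}-{bh}")
    # Per-domain blocks are looked up by the short (NetBIOS) domain name.
    workgroup = params.get("workgroup", "").upper()
    specific = [d for d in idmap if d != "*"]
    if workgroup and specific and workgroup not in idmap:
        problems.append(f"per-domain idmap blocks {specific} but none is named after workgroup '{workgroup}'")
    return problems


if __name__ == "__main__":
    for name, conf in (("GOOD_CONF", GOOD_CONF), ("OVERLAP_CONF", OVERLAP_CONF)):
        print(name, "->", check_idmap(conf) or "ok")
```

Run it against a real file with `check_idmap(open("/etc/samba/smb.conf").read())` after `testparm -s` has confirmed the file parses; the checker only covers the idmap rules listed above, so a clean result does not mean the AD side (the rfc2307 uidNumber/gidNumber attributes the ad backend reads) is populated.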