[Samba] idmap config DOMAIN Not Working
Rowland penny
rpenny at samba.org
Thu May 30 19:23:47 UTC 2019
On 30/05/2019 14:03, Banks, David (db2d) via samba wrote:
> So, after reading many samba setup pages I was under the impression that “properly” configuring idmap for an AD domain should look something like this
Did you read these:
https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
https://wiki.samba.org/index.php/Idmap_config_ad
>
> security = ADS
>
> idmap config * : backend = tdb
> idmap config * : range = 10000-50000
>
> # DOMAIN
> realm = DOMAIN.COM
> workgroup = DOMAIN
> idmap config DOMAIN:backend = ad
> idmap config DOMAIN:range = 100000-500000
> idmap config DOMAIN:schema_mode = rfc2307
> idmap config DOMAIN:unix_nss_info = yes
> idmap config DOMAIN:default = yes
>
> However, I’ve been wrestling with this for weeks now without success. With these config lines users are not able to log in and wbinfo -i user yields the error
>
> failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
>
> If I comment out the domain lines and expand the default range to accommodate the domain range — idmap config * : range 100000-500000 — wbinfo works and users can log in.
>
Until I read the last part of the above, I couldn't understand your
problem; everything looked okay apart from the last line, 'default = yes',
which doesn't exist. You also have 'unix password sync = yes'; you
cannot have local Unix users with the same name in AD, you make AD users
into Unix users.
I think you may have fallen into the common mistake of thinking that
just setting up winbind ad in smb.conf is sufficient; it isn't. You have
to give each user a uidNumber attribute containing a unique number in
the '100000-500000' range. You will also have to give 'Domain Users' a
gidNumber attribute containing a number inside the same range.
Rowland
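An offline sanity check for the idmap lines discussed in this thread, added here as example code (not from Samba or from either poster): it flags options the named backend does not define (such as the 'default = yes' line), and ranges that are malformed, inverted or overlapping. The per-backend option lists are an assumption taken from the idmap_tdb(8) and idmap_ad(8) man pages; whether AD users actually carry uidNumber/gidNumber values inside the range can only be checked against the directory itself.

```python
import re
KNOWN_OPTIONS = {  # assumption: option names from idmap_tdb(8)/idmap_ad(8), Samba 4
    "tdb": {"backend", "range"},
    "ad": {"backend", "range", "schema_mode", "unix_nss_info", "unix_primary_group", "all_groupmem"},
}
LINE_RE = re.compile(r"^\s*idmap config\s+(\S+?)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.I)

def parse_idmap(conf):
    """Return {domain: {option: value}} built from every 'idmap config' line."""
    idmap = {}
    for m in filter(None, map(LINE_RE.match, conf.splitlines())):
        idmap.setdefault(m.group(1), {})[m.group(2).lower()] = m.group(3)
    return idmap

def check_idmap(conf):
    """Return findings: options the backend does not define, bad or overlapping ranges."""
    findings, ranges = [], {}
    for dom, opts in parse_idmap(conf).items():
        backend = opts.get("backend", "").lower()
        for opt in opts:
            if backend in KNOWN_OPTIONS and opt not in KNOWN_OPTIONS[backend]:
                findings.append(f"{dom}: option '{opt}' is not defined for backend '{backend}'")
        m = re.fullmatch(r"(\d+)\s*-\s*(\d+)", opts.get("range", ""))
        if not m:
            findings.append(f"{dom}: missing or malformed range")
            continue
        low, high = int(m.group(1)), int(m.group(2))
        if low >= high:
            findings.append(f"{dom}: range {low}-{high} is inverted or empty")
        ranges[dom] = (low, high)
    doms = sorted(ranges)  # every domain, '*' included, needs its own disjoint range
    for i, a in enumerate(doms):
        for b in doms[i + 1:]:
            if ranges[a][0] <= ranges[b][1] and ranges[b][0] <= ranges[a][1]:
                findings.append(f"{a} and {b}: id ranges overlap")
    return findings

# The idmap lines quoted in the post, reproduced here as test input.
POSTED_CONF = """
idmap config * : backend = tdb
idmap config * : range = 10000-50000
idmap config DOMAIN:backend = ad
idmap config DOMAIN:range = 100000-500000
idmap config DOMAIN:schema_mode = rfc2307
idmap config DOMAIN:unix_nss_info = yes
idmap config DOMAIN:default = yes
"""
if __name__ == "__main__":
    for finding in check_idmap(POSTED_CONF):
        print("WARNING:", finding)
```

Run against the posted fragment it reports only the 'default' line; widening the '*' range to 10000-500000, as the second attempt in the post did alongside commenting out the DOMAIN lines, would additionally be reported as an overlap if both blocks were left in.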