[Samba] security = ads parameter not working in samba 4.9.5

Rowland penny rpenny at samba.org
Wed Nov 27 12:29:22 UTC 2019 

On 27/11/2019 11:03, Sérgio Basto via samba wrote:
> Sorry I meant man idmap_ad. But checking again man is equal of
> https://wiki.samba.org/index.php/Idmap_config_ad in EXAMPLES of man
> page [1]
>   
> Examples don't mention netbios name ... I did [2] which instead use
> workgroup I used netbios name and it is working but still don't know
> why or even if it correct .
You do not need to set 'netbios name', it will be set for you from the 
hostname
>
>
>
> [2]
> [global]
>      netbios name = REPO
>      security = ADS
>      workgroup = SAMDOM
>      realm = SAMDOM.EXAMPLE.COM
>
>      winbind use default domain = yes
>
>      idmap config * : backend = tdb
>      idmap config * : range = 1000000-1999999
>     
>      idmap config REPO : backend = ad
>      idmap config REPO : schema_mode = rfc2307
>      idmap config REPO : range = 10000-999999
>      idmap config REPO : unix_nss_info = yes

You need to use the workgroup name, not the netbios name. There will be 
three domains on your Unix domain member:

BUILTIN : Mostly used for the Well Known SIDs

SAMDOM : Your AD domain

REPO : a local domain and not really relevant

>      vfs objects = acl_xattr
>      map acl inherit = yes
>      store dos attributes = yes
>
>      template shell = /bin/false
>      template homedir = /srv/samba/users/%U
>      username map = /var/lib/samba/user.map
>
>
>
> [1]
> EXAMPLES
>         The following example shows how to retrieve idmappings from our
> principal and trusted AD domains. If trusted domains are present id
>         conflicts must be resolved beforehand, there is no guarantee on
> the order conflicting mappings would be resolved at this point.
>         This example also shows how to leave a small non conflicting
> range for local id allocation that may be used in internal backends
>         like BUILTIN.
>
>                  [global]
>                  workgroup = CORP
>
>                  idmap config * : backend = tdb
>                  idmap config * : range = 1000000-1999999
>
>                  idmap config CORP : backend  = ad
>                  idmap config CORP : range = 1000-999999

Rowland

More information about the samba mailing list