[Samba] Samba AD-DC idmap config
Rowland Penny
rpenny at samba.org
Wed Oct 16 15:14:57 UTC 2019
On 16/10/2019 16:06, John Redmond via samba wrote:
> Following the guidance here,
> https://wiki.samba.org/index.php/Idmap_config_ad, I added idmap lines to my
> smb.conf file on my Samba 4.7 AD-DC server on Ubuntu 18.04. Samba no
> longer starts and testparm reports that the idmap ranges for the default *
> domain and the AD domain are overlapping. Here's my smb.conf file (FWIW,
> if I don't comment security = ADS, server role is set to Member Server):
>
I take it you missed this warning near the top of that page:
ID mapping back ends are not supported in the smb.conf file on a Samba
Active Directory (AD) domain controller (DC).
You need to remove ALL these lines; they DO NOT work on a DC:
# Global parameters from https://wiki.samba.org/index.php/Idmap_config_ad#Advantages_and_Disadvantages_of_the_ad_Back_End
# security = ADS
# Default ID mapping configuration for local BUILTIN accounts
# and groups on a domain member. The default (*) domain:
# - must not overlap with any domain ID mapping configuration!
# - must use a read-write-enabled back end, such as tdb.
idmap config * : backend = tdb
idmap config * : range = 3000-7999
# - You must set a DOMAIN backend configuration
# idmap config for the SAMDOM domain
idmap config LAN:backend = ad
idmap config LAN:schema_mode = rfc2307
idmap config LAN:range = 10000-999999
idmap config LAN:unix_nss_info = yes
vfs objects = acl_xattr
map acl inherit = yes
store dos attributes = yes
It sounds like you need to read this:
https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
Rowland
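
An added example, not part of the original message or of Samba itself: a small pre-flight check that flags active `idmap config` lines in the `[global]` section of an smb.conf that declares itself an AD DC, which is the situation the wiki warning quoted above describes. The sample file is constructed, and keying on an explicit `server role = active directory domain controller` line (and the `netbios name` value) is an assumption.

```python
import re

# Constructed sample: a DC smb.conf carrying the idmap lines quoted in the thread.
# The "netbios name" value and the explicit "server role" line are assumptions.
SAMPLE_DC_CONF = """\
[global]
    netbios name = DC1
    workgroup = LAN
    server role = active directory domain controller
    # security = ADS
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    idmap config LAN:backend = ad
    idmap config LAN:schema_mode = rfc2307
    idmap config LAN:range = 10000-999999
    idmap config LAN:unix_nss_info = yes
"""

DC_ROLE = "active directory domain controller"
# "idmap config DOMAIN : option", with or without spaces around the colon
IDMAP_KEY = re.compile(r"^idmap\s+config\s+(\S+?)\s*:\s*(\S+)$", re.IGNORECASE)

def parse_global(text):
    """Return (line_number, key, value) for each active [global] parameter."""
    params, section = [], None
    for number, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":          # blank or commented out
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "global" and "=" in line:
            key, value = line.split("=", 1)
            params.append((number, " ".join(key.split()), value.strip()))
    return params

def idmap_lines_on_dc(text):
    """List (line_number, domain, option) for idmap config lines when the role is DC."""
    params = parse_global(text)
    roles = [v.lower() for _, k, v in params if k.lower() == "server role"]
    if not roles or " ".join(roles[-1].split()) != DC_ROLE:
        return []                                # not declared as a DC: nothing to flag
    matches = ((n, IDMAP_KEY.match(k)) for n, k, _ in params)
    return [(n, m.group(1), m.group(2)) for n, m in matches if m]
```

Calling `idmap_lines_on_dc()` on the text of a real smb.conf returns the line numbers to review before running testparm.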