[Samba] Samba AD-DC idmap config

Rowland penny rpenny at samba.org
Wed Oct 16 15:14:57 UTC 2019


On 16/10/2019 16:06, John Redmond via samba wrote:
> Following the guidance here,
> https://wiki.samba.org/index.php/Idmap_config_ad, I added idmap lines to my
> smb.conf file on my Samba 4.7 AD-DC server on Ubuntu 18.04.  Samba no
> longer starts and testparm reports that the idmap ranges for the default *
> domain and the AD domain are overlapping.  Here's my smb.conf file (FWIW,
> if I don't comment security = ADS, server role is set to Member Server):
>
I take it you missed this warning near the top of that page:

ID mapping back ends are not supported in the |smb.conf| file on a Samba 
Active Directory (AD) domain controller (DC).

You need to remove ALL these lines, they DO NOT work on a DC:

# Global parameters from
https://wiki.samba.org/index.php/Idmap_config_ad#Advantages_and_Disadvantages_of_the_ad_Back_End
#       security = ADS
# Default ID mapping configuration for local BUILTIN accounts
# and groups on a domain member. The default (*) domain:
# - must not overlap with any domain ID mapping configuration!
# - must use a read-write-enabled back end, such as tdb.
         idmap config * : backend = tdb
         idmap config * : range = 3000-7999
# - You must set a DOMAIN backend configuration
# idmap config for the SAMDOM domain
         idmap config LAN:backend = ad
         idmap config LAN:schema_mode = rfc2307
         idmap config LAN:range = 10000-999999
         idmap config LAN:unix_nss_info = yes
         vfs objects = acl_xattr
         map acl inherit = yes
         store dos attributes = yes

It sounds like you need to read this:

https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member

Rowland





More information about the samba mailing list