[Samba] Samba AD-DC idmap config

John Redmond barkingdoggy at gmail.com
Wed Oct 16 19:37:02 UTC 2019


Rowland - Thanks.  The idmap lines belong in the file-server domain member,
not the domain controller, right?

Using ADUC on a Windows 10 machine, do you have any guidance on what GIDs
and UIDs (numbers and range) to use in setting the default AD users and
groups?  In setting the "idmap config * : range = " in the smb.conf file
on the file server what range should I use?  I assume that is for the
Linux/local users on the file server instead of the domain users.

John

On Wed, Oct 16, 2019 at 11:06 AM John Redmond <barkingdoggy at gmail.com>
wrote:

> Following the guidance here,
> https://wiki.samba.org/index.php/Idmap_config_ad, I added idmap lines to
> my smb.conf file on my Samba 4.7 AD-DC server on Ubuntu 18.04.  Samba no
> longer starts and testparm reports that the idmap ranges for the default *
> domain and the AD domain are overlapping.  Here's my smb.conf file (FWIW,
> if I don't comment security = ADS, server role is set to Member Server):
>
> # Global parameters
> [global]
>         dns forwarder = 8.8.8.8
>         netbios name = DC0
>         realm = SAMDOM.COM
>         server role = active directory domain controller
>         workgroup = SAMDOM
> # Global parameters from
> https://wiki.samba.org/index.php/Idmap_config_ad#Advantages_and_Disadvantages_of_the_ad_Back_End
> #       security = ADS
>         log file = /var/log/samba/%m.log
>         log level = 1
> # Default ID mapping configuration for local BUILTIN accounts
> # and groups on a domain member. The default (*) domain:
> # - must not overlap with any domain ID mapping configuration!
> # - must use a read-write-enabled back end, such as tdb.
>         idmap config * : backend = tdb
>         idmap config * : range = 3000-7999
> # - You must set a DOMAIN backend configuration
> # idmap config for the SAMDOM domain
>         idmap config LAN:backend = ad
>         idmap config LAN:schema_mode = rfc2307
>         idmap config LAN:range = 10000-999999
>         idmap config LAN:unix_nss_info = yes
>         vfs objects = acl_xattr
>         map acl inherit = yes
>         store dos attributes = yes
>
> [netlogon]
>         path = /var/lib/samba/sysvol/lsamdom.com/scripts
>         read only = No
>
> [sysvol]
>         path = /var/lib/samba/sysvol
>         read only = No
>
> End of file.
>
> I'm trying to get this working in order to be able to implement a Samba file
> server joined to the domain, which AD users will access with winbind.
>
> Thanks.
>
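The overlap that testparm reports in the quoted message is a plain arithmetic check on the `idmap config DOMAIN : range` values, and it can be reproduced offline before touching a live server. The following is an added example written for this thread, not code from the thread or from the Samba project: a small Python parser that pulls every `idmap config` line out of an smb.conf, then checks that a default `*` domain exists, that it uses a read-write back end, that every domain has a backend and a range, and that no two ranges overlap. The smb.conf embedded in the block is a constructed domain-member configuration (domain names SAMDOM and TRUSTED are assumptions), with one deliberately overlapping trusted-domain range so the check has something to report.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: a domain-member smb.conf, not the DC config from the
# thread. "*" and SAMDOM use disjoint ranges as the Samba wiki requires; the
# TRUSTED block is a deliberate mistake that overlaps both of them.
SAMPLE_SMB_CONF = """\
[global]
    security = ADS
    workgroup = SAMDOM
    realm = SAMDOM.COM
    # default (*) domain: BUILTIN and anything not matched below
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    # the AD domain: IDs come from the rfc2307 attributes stored in AD
    idmap config SAMDOM : backend = ad
    idmap config SAMDOM : schema_mode = rfc2307
    idmap config SAMDOM : range = 10000-999999
    idmap config SAMDOM : unix_nss_info = yes
    # hypothetical trusted domain whose range collides with the others
    idmap config TRUSTED : backend = rid
    idmap config TRUSTED : range = 5000-20000
"""

# "idmap config DOMAIN : key = value"; the space before ':' is optional
# (the thread's config writes "idmap config LAN:backend").
IDMAP_RE = re.compile(
    r"^idmap\s+config\s+(?P<domain>[^\s:]+)\s*:\s*(?P<key>\w+)\s*=\s*(?P<val>.+?)$",
    re.IGNORECASE,
)

# Back ends that can allocate new IDs; the "*" domain needs one of these.
READ_WRITE_BACKENDS = {"tdb", "autorid"}


def parse_idmap_config(conf_text: str) -> Dict[str, Dict[str, str]]:
    """Return {DOMAIN: {key: value}} for every idmap config line in [global].

    Comment lines (# or ;) and lines in other sections are ignored; domain
    names and keys are normalised because smb.conf is case-insensitive.
    """
    result: Dict[str, Dict[str, str]] = {}
    section = None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "global":
            continue
        m = IDMAP_RE.match(line)
        if m:
            domain = m.group("domain").upper()
            result.setdefault(domain, {})[m.group("key").lower()] = m.group("val").strip()
    return result


def parse_range(text: str) -> Tuple[int, int]:
    """Parse 'LOW-HIGH' into ints; raise ValueError on anything malformed."""
    lo, hi = (int(x) for x in re.split(r"\s*-\s*", text.strip(), maxsplit=1))
    if lo > hi:
        raise ValueError(f"range {text!r} has low > high")
    return lo, hi


def check_idmap_config(conf_text: str) -> List[str]:
    """Return a list of human-readable problems; an empty list means clean."""
    cfg = parse_idmap_config(conf_text)
    problems: List[str] = []
    if "*" not in cfg:
        problems.append("no 'idmap config * : ...' default domain configured")
    elif cfg["*"].get("backend", "").lower() not in READ_WRITE_BACKENDS:
        problems.append("default (*) domain must use a read-write back end such as tdb")
    ranges: Dict[str, Tuple[int, int]] = {}
    for domain, keys in cfg.items():
        if "backend" not in keys:
            problems.append(f"{domain}: no backend set")
        if "range" not in keys:
            problems.append(f"{domain}: no range set")
            continue
        try:
            ranges[domain] = parse_range(keys["range"])
        except ValueError:
            problems.append(f"{domain}: malformed range {keys['range']!r}")
    # Pairwise overlap test: two closed intervals overlap when each starts
    # before the other ends. This is the condition testparm complains about.
    names = sorted(ranges)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            alo, ahi = ranges[a]
            blo, bhi = ranges[b]
            if alo <= bhi and blo <= ahi:
                problems.append(f"ranges for {a} ({alo}-{ahi}) and {b} ({blo}-{bhi}) overlap")
    return problems


if __name__ == "__main__":
    for problem in check_idmap_config(SAMPLE_SMB_CONF) or ["no idmap problems found"]:
        print(problem)
```

Run against the sample it reports the two TRUSTED overlaps; move the TRUSTED range to somewhere above 999999 and the list comes back empty. The parser only looks at `[global]`, which is where Samba reads these settings from, and it checks the arithmetic only: it says nothing about whether a given back end is appropriate on a DC versus a domain member, which is the separate question this thread is about.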
