[Samba] Samba AD-DC idmap config

Rowland penny rpenny at samba.org
Fri Oct 18 15:20:25 UTC 2019

On 18/10/2019 15:30, John Redmond wrote:
> Rowland - After re-reading wiki.samba.org/index.php/Idmap_config_ad, 
> I have these questions (FYI, the contents of my smb.conf and 
> nsswitch.conf files are provided below):
>   * Running "sudo getent passwd" on the fileserver, I see the range of
>     local users and groups  (non-AD users & groups) is 0 - 65534. So
>     to accommodate the uid and gid range of the local users on the
>     file server, I set "idmap config * : range = 0-99999".  Am I
>     interpreting things correctly?  (See smb.conf below.)
You do not seem to have read this:


If you had, you would have realised that 0-999 is reserved for local 
Unix system users & groups; you then need to leave space for any local 
users & groups, then there are the Well Known SIDs, and finally you have 
the AD users & groups.

All of this means that your range isn't really a good one.

>   * Using Windows ADUC to manage AD on the DC, I've set 'Domain Users'
>     gidNumber to 100000.
I normally use a range starting at '10000' (which is where ADUC normally 
started from)
>   * To manage the access of AD default security groups, I want to give
>     them gidNumbers as well, so I'm going to reserve the bottom end of
>     the SAMDOM idmap range (e.g. < 100100) for those gidNumbers.  Is
>     that logic sound?
No, most (if not all) of the other default AD users & groups (aka Well 
Known SIDs) should not be given a uidNumber or gidNumber attribute.
>   * Using Windows ADUC, how do I add users to more than one group?  Do
>     I list multiple groups in the user's gidNumber field (comma
>     separated?)?  Or do I add them via memberUid field of the group
>     (comma separated?)?
Neither. I think you are misunderstanding things: when you give a user a 
uidNumber or give a group a gidNumber, then (provided a Unix domain 
member is set up correctly) they become Unix users and groups.

You just add the user to a Windows group as normal (for Windows), then 
provided the user has a uidNumber and the group has a gidNumber, 
everything will just work.

>   * Are domain users automagically added to 'Domain Users' when they
>     are created?
Yes, all AD users are members of the Domain Users group, even if it 
doesn't show anywhere in AD.
>   * After creating a domain user, I have to use ADUC to set the new
>     user's undefined uidNumber and gidNumber fields. For example
>     uidNumber = 100100 and gidNumber = 100100. Should I also add new
>     users to the Domain Users group (100000)?
It really looks like you do not understand AD and Samba. I think you 
think that you can have a Unix personal group (e.g. the AD user 'fred' 
could have a personal group called 'fred'), sorry but this isn't 
allowed. Also, as I said, all users are members of Domain Users.
>   * Currently, running "wbinfo -u" and "wbinfo -g" on the file server
>     lists AD users and groups.
This only shows that the users & groups exist in AD; it does not mean 
that they are known to Unix. This is where Samba comes in.

>   * However, "sudo getent passwd" and "sudo getent group" finds no
>     domain users or groups.  Any ideas what's wrong?

The computer is not joined to the domain.

The 'Domain Users' group does not have a gidNumber attribute inside the 
'DOMAIN' range you have set in the Unix domain member smb.conf.

The user does not have a uidNumber attribute containing a unique number 
inside the 'DOMAIN' range.

The group does not have a gidNumber attribute containing a unique number 
inside the 'DOMAIN' range.

>   * When I join the fileserver to the domain, why does it come back
>     with the error, "No DNS domain configured for fsvr0. Unable to
>     perform DNS Update.
>     DNS update failed: NT_STATUS_INVALID_PARAMETER"?  I can ignore it,
>     right?
Offhand, it sounds like a misconfigured /etc/hosts
> FYI, the principal sources of my info and confusion are:
>   * wiki.samba.org
>   * www.tecmint.com/join-ubuntu-to-active-directory-domain-member-samba-winbind/
>   * www.server-world.info
>   * help.ubuntu.com/lts/serverguide
> Thanks again!
> John
> # /etc/samba/smb.conf
> [global]
>    workgroup = SAMDOM
>    password server = dc0.samdom.example.com
Remove the 'password server' line; you should allow Samba to find the 
best DC.
>    security = ADS
>    dedicated keytab file = /etc/krb5.keytab
>    kerberos method = secrets and keytab
>    idmap config * : backend = tbd
>    idmap config * : range = 2000-9999
>    idmap config SAMDOM : backend = ad
>    idmap config SAMDOM : schema_mode = rfc2307
>    idmap config SAMDOM : range = 100000-999999
>    idmap_ldb : use rfc2307 =  yes
The last line is only used on a DC
>    template homedir = /home/samdom.example.com/profiles/%U
Most people would use 'SAMDOM' instead (and this is the default).
>    template shell = /bin/bash
>    winbind refresh tickets = yes
>    winbind use default domain = true
>    winbind offline logon = yes
>    winbind nss info = rfc2307
>    winbind enum users = yes
>    winbind enum groups = yes
The last two lines just slow things down and are not required
>    domain master = no
>    local master = no
>    preferred master = no
>    os level = 20
>    map to guest = bad user
>    host msdfs = no
>    vfs objects = acl_xattr
>    map acl inherit = yes
>    store dos attributes = yes
>    server string = %h server (Samba, Ubuntu)
>    dns proxy = no
> # /etc/nsswitch.conf
> passwd:         compat systemd winbind
> group:          compat systemd winbind
> shadow:         compat winbind

Wrong, should be:

passwd:         compat winbind systemd
group:          compat winbind systemd
shadow:         compat
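
The checks Rowland describes above (no idmap range reaching into the local
Unix ID space, ranges that do not overlap, and every AD user/group carrying a
uidNumber/gidNumber inside the DOMAIN range, 'Domain Users' included) can be
scripted. The following is an added example and is not code from the thread
or from the Samba project; the smb.conf fragments, the ID list format
("attribute value name" per line, standing in for what ldbsearch would
return) and the LOCAL_ID_CEILING of 1000 are assumptions made for the
example.

```shell
#!/bin/sh
# Added example (not from the Samba thread): sanity-check the idmap layout of a
# Unix domain member. Sample configs and ID lists below are constructed.

# Assumption: local users start at 1000 (Debian/Ubuntu default), so no idmap
# range may start below this. Raise it if the file server has many local users.
LOCAL_ID_CEILING=${LOCAL_ID_CEILING:-1000}

# Print "DOMAIN LOW HIGH" for each 'idmap config DOMAIN : range = LOW-HIGH'.
idmap_ranges() {
    sed -n -E \
      's/^[[:space:]]*idmap config[[:space:]]*([^:[:space:]]+)[[:space:]]*:[[:space:]]*range[[:space:]]*=[[:space:]]*([0-9]+)[[:space:]]*-[[:space:]]*([0-9]+).*$/\1 \2 \3/p' \
      "$1"
}

# Exit 0 when every range is non-empty, starts at or above LOCAL_ID_CEILING
# and is disjoint from all others; otherwise print each problem and exit 1.
check_ranges() {
    idmap_ranges "$1" | awk -v ceil="$LOCAL_ID_CEILING" '
        { dom[NR] = $1; lo[NR] = $2 + 0; hi[NR] = $3 + 0 }
        END {
            if (NR == 0) { print "no idmap ranges found"; exit 1 }
            rc = 0
            for (i = 1; i <= NR; i++) {
                if (lo[i] >= hi[i]) { print dom[i] ": range " lo[i] "-" hi[i] " is empty"; rc = 1 }
                if (lo[i] < ceil) { print dom[i] ": range " lo[i] "-" hi[i] " reaches into local Unix IDs below " ceil; rc = 1 }
                for (j = i + 1; j <= NR; j++)
                    if (lo[i] <= hi[j] && lo[j] <= hi[i]) { print dom[i] " and " dom[j] " ranges overlap"; rc = 1 }
            }
            exit rc
        }'
}

# check_ids SMB_CONF DOMAIN ID_FILE: exit 0 when every uidNumber/gidNumber in
# ID_FILE ("attribute value name" per line) lies inside DOMAIN's idmap range
# and 'Domain Users' has a gidNumber (without it getent returns no AD users).
check_ids() {
    conf=$1; domain=$2; ids=$3
    range=$(idmap_ranges "$conf" | awk -v d="$domain" '$1 == d { print $2, $3 }')
    [ -n "$range" ] || { echo "no idmap range for $domain in $conf"; return 1; }
    set -- $range
    awk -v lo="$1" -v hi="$2" -v d="$domain" '
        BEGIN { lo += 0; hi += 0; rc = 0; seen_du = 0 }
        {
            attr = $1; val = $2 + 0; name = $3
            for (k = 4; k <= NF; k++) name = name " " $k
            if (val < lo || val > hi) { print name ": " attr " " val " is outside " d " range " lo "-" hi; rc = 1 }
            if (attr == "gidNumber" && name == "Domain Users") seen_du = 1
        }
        END {
            if (!seen_du) { print "Domain Users has no gidNumber in " d " range; getent passwd will list no " d " users"; rc = 1 }
            exit rc
        }' "$ids"
}

# --- constructed sample input ------------------------------------------------
TMP=$(mktemp -d)
GOOD_CONF=$TMP/smb.conf.good; BAD_CONF=$TMP/smb.conf.bad
IDS_OK=$TMP/ids.ok; IDS_BAD=$TMP/ids.bad

# Wiki-style layout: '*' range well above local IDs and below the domain range.
cat > "$GOOD_CONF" <<'EOF'
[global]
   workgroup = SAMDOM
   security = ADS
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999
   idmap config SAMDOM : backend = ad
   idmap config SAMDOM : schema_mode = rfc2307
   idmap config SAMDOM : range = 10000-999999
EOF

# A '*' range starting at 0 swallows the local accounts and overlaps SAMDOM.
cat > "$BAD_CONF" <<'EOF'
[global]
   idmap config * : backend = tdb
   idmap config * : range = 0-99999
   idmap config SAMDOM : backend = ad
   idmap config SAMDOM : range = 10000-999999
EOF

# Stand-ins for 'ldbsearch ... uidNumber gidNumber' output (constructed).
cat > "$IDS_OK" <<'EOF'
gidNumber 10000 Domain Users
uidNumber 10100 fred
gidNumber 10200 fileshare-users
EOF
cat > "$IDS_BAD" <<'EOF'
uidNumber 1001 fred
gidNumber 10200 fileshare-users
EOF

for f in "$GOOD_CONF" "$BAD_CONF"; do
    if check_ranges "$f"; then echo "$f: idmap ranges OK"; fi
done
if check_ids "$GOOD_CONF" SAMDOM "$IDS_OK"; then echo "ids.ok: IDs OK"; fi
if ! check_ids "$GOOD_CONF" SAMDOM "$IDS_BAD"; then echo "ids.bad: fix the IDs above"; fi
```

On a real domain member the ID list would come from ldbsearch against the DC
(or from `wbinfo --uid-info`/`getent` once things work); the point of the
script is that a range or attribute outside the DOMAIN range explains the
"wbinfo -u works, getent passwd shows nothing" symptom without guessing.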

