[Samba] Samba AD-DC idmap config
Rowland penny
rpenny at samba.org
Fri Oct 18 15:20:25 UTC 2019
On 18/10/2019 15:30, John Redmond wrote:
> Rowland - After re-reading wiki.samba.org/index.php/Idmap_config_ad
> <http://wiki.samba.org/index.php/Idmap_config_ad>, I have these
> questions (FYI, the contents of my smb.conf and nsswitch.conf files
> are provided below) :
>
> * Running "sudo getent passwd" on the fileserver, I see the range of
> local users and groups (non-AD users & groups) is 0 - 65534. So
> to accommodate the uid and gid range of the local users on the
> file server, I set "idmap config * : range = 0-99999". Am I
> interpreting things correctly? (See smb.conf below.)
>
You do not seem to have read this:
https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
If you had, you would have realised that 0-999 is reserved for local
Unix system users & groups, you then need to leave space for any local
users & groups, then there are the Well Known SIDS, finally you have AD
users & groups.
All of this means that your range isn't really a good one,
> * Using Windows ADUC to manage AD on the DC, I've set 'Domain Users'
> gidNumber to 100000.
>
I normally use a range starting at '10000' (which is where ADUC normally
started from)
>
> * To manage the access of AD default security groups, I want to give
> them gidNumbers as well, so I'm going to reserve the bottom end of
> the SAMDOM idmap range (e.g. < 100100) for those gidNumbers. Is
> that logic sound?
>
No, most (if not all) of the other default AD users & groups (aka Well
Known SIDs) should not be given a uidNumber or gidNumber attribute.
>
> * Using Windows ADUC, how do I add users to more than one group? Do
> I list multiple groups in the user's gidNumber field (comma
> separated?)? Or do I add them via memberUid field of the group
> (comma separated?)?
>
Neither. I think you are misunderstanding things, when you give a user a
uidNumber or give a group a gidNumber, then (provided a Unix domain
member is set up correctly) they become Unix users and groups.
You just add the user to a Windows group as normal (for Windows), then
provided the user has a uidNumber and the group has a gidNumber,
everything will just work.
> * Are domain users automagically added to 'Domain Users' when they
> are created?
>
Yes, all AD users are members of the Domain Users group, even if it
doesn't show anywhere in AD.
>
> * After creating a domain user, I have to use ADUC to set the new
> user's undefined uidNumber and gidNumber fields. For example
> uidNumber = 100100 and gidNumber = 100100. Should I also add new
> users to the Domain Users group (100000)?
>
It really looks like you do not understand AD and Samba. I think you
think that you can have a Unix personal group (e.g. the AD user 'fred'
could have a personal group called 'fred'), sorry but this isn't
allowed. Also, as I said, all users are members of Domain Users.
>
> * Currently, running "wbinfo -u" and "wbinfo -g" on the file server
> lists AD users and groups.
>
This only shows that the users & groups exist in AD, this does not mean
that they are known to Unix, this is where Samba comes in.
> * However, "sudo getent passwd" and "sudo getent group" finds no
> domain users or groups. Any ideas what's wrong?
>
Either:
The computer is not joined to the domain.
The Domain Users does not have a gidNumber attribute inside the 'DOMAIN'
range you have set in the Unix domain member smb.conf
The user does not have a uidNumber attribute containing a unique number
inside the 'DOMAIN' range.
The group does not have a gidNumber attribute containing a unique number
inside the 'DOMAIN' range.
> * When I join the fileserver to the domain, why does it come back
> with the error, "No DNS domain configured for fsvr0. Unable to
> perform DNS Update.
> DNS update failed: NT_STATUS_INVALID_PARAMETER"? I can ignore it,
> right?
>
Offhand, it sounds like a misconfigured /etc/hosts
> FYI, the principal sources of my info and confusion are:
>
> * wiki.samba.org <http://wiki.samba.org>
> * www.tecmint.com/join-ubuntu-to-active-directory-domain-member-samba-winbind/
> <http://www.tecmint.com/join-ubuntu-to-active-directory-domain-member-samba-winbind/>
> * www.server-world.info <http://www.server-world.info>
> * help.ubuntu.com/lts/serverguide
> <http://help.ubuntu.com/lts/serverguide>
>
> Thanks again!
>
> John
>
> # /etc/samba/smb.conf
> [global]
>
> workgroup = SAMDOM
> password server = dc0.samdom.example.com
> <http://dc0.samdom.example.com>
Remove the 'password server' line, you should allow Samba to find the
best DC
> realm = SAMDOM.EXAMPLE.COM <http://SAMDOM.EXAMPLE.COM>
> security = ADS
> dedicated keytab file = /etc/krb5.keytab
> kerberos method = secrets and keytab
> idmap config * : backend = tbd
> idmap config * : range = 2000-9999
> idmap config SAMDOM : backend = ad
> idmap config SAMDOM : schema_mode = rfc2307
> idmap config SAMDOM : range = 100000-999999
> idmap_ldb : use rfc2307 = yes
The last line is only used on a DC
>
> template homedir = /home/samdom.example.com/profiles/%U
> <http://samdom.example.com/profiles/%U>
Most people would use 'SAMDOM' instead (and this the default)
> template shell = /bin/bash
> winbind refresh tickets = yes
> winbind use default domain = true
> winbind offline logon = yes
> winbind nss info = rfc2307
> winbind enum users = yes
> winbind enum groups = yes
The last two lines just slow things down and are not required
>
> domain master = no
> local master = no
> preferred master = no
> os level = 20
> map to guest = bad user
> host msdfs = no
>
> vfs objects = acl_xattr
> map acl inherit = yes
> store dos attributes = yes
> server string = %h server (Samba, Ubuntu)
> dns proxy = no
>
> # /etc/nsswitch.conf
>
> passwd: compat systemd winbind
> group: compat systemd winbind
> shadow: compat winbind
Wrong, should be:
passwd: compat winbind systemd
group: compat winbind systemd
shadow: compat
Rowland
More information about the samba
mailing list