[Samba] Samba AD-DC idmap config

Rowland penny rpenny at samba.org
Mon Oct 21 13:33:51 UTC 2019


On 21/10/2019 14:17, John Redmond wrote:
> I took the weekend off...
>
> This morning, I made the smb.conf change to backend = rid and 
> commented schema_mode statement.  I also added 'winbind enum' users 
> and groups lines.  I rebooted and rejoined fileserver to domain 
> without error:
>
>     admin at fsvr0:~$ sudo net rpc join -U Administrator
>     Enter Administrator's password:
>     Using short domain name -- SAMDOM
>     Joined 'FSVR0' to realm 'samdom.example.com'
>
> Unfortunately, still, no domain users or groups are returned with the 
> "getent" command.
If you are using the 'rid' backend then this shouldn't happen.
>
> Checking the uidNumbers and gidNumbers in AD, I have the following
>
>     Domain Users group: gidNumber = 10000
>     Administrator:  uidNumber = 10100
>
Remove the uidNumber from Administrator, it shouldn't have one.
>
>     User1 user: uidNumber = 10101
>
>
> I only have a single domain user added to the domain, the only other 
> users and groups are the defaults (including Administrator). And 
> smb.conf has "idmap config SAMDOM : range = 10000-19999".

Add a few more users and try 'getent passwd' again. You should also be 
aware that the 'rid' backend does not use the uidNumber and gidNumber 
attributes; it calculates the Unix ID from the object's RID and the lower 
part of the range set in smb.conf, in your case:

ID = RID + 10000

So for the ONLY user you have at present (Administrator), this would become:

ID = 500 + 10000

ID = 10500

You could be hitting the 'cache' problem: winbind caches everything and 
will use the cache before anything else (unless it has expired), so try 
running 'net cache flush' before running 'getent'.

Rowland


>
> Thanks.
>
> John
>
>
>
>
> On Sat, Oct 19, 2019 at 4:00 AM Rowland penny via samba 
> <samba at lists.samba.org> wrote:
>
>     On 18/10/2019 22:54, John Redmond wrote:
>     > One step forward with respect to the fileserver configs. Good news
>     > first...
>     >
>     >   * Netplan:  The symlink  /etc/resolv.conf to
>     >     /run/systemd/resolve/stub-resolv.conf was wrong.  It now goes to
>     >     /run/systemd/resolve/resolv.conf.  And
>     >
>     >     admin at fsvr0:/etc$ nslookup dc0.lan.lenkin.com
>     >
>     >         Server:         10.199.251.10
>     >
>     >         Address:        10.199.251.10#53
>     >
>     >
>     >         Name: dc0.lan.lenkin.com
>     >
>     >         Address: 10.199.251.10
>     >
>     >     So the command result shows the nameserver is now the DC,
>     instead
>     >     of 127.0.0.53
>     >
>     >   * I changed the fileserver smb.conf and nsswitch.conf files as per
>     >     your suggestions.  No difference with respect to results of
>     >     commands "sudo net ads join -U administrator" (join successful,
>     >     error DNS update failed: NT_STATUS_INVALID_PARAMETER), "getent
>     >     passwd" and "getent groups" (no domain users or groups listed).
>     >
>     OK, let's test the join, run (as root) in a terminal:
>
>     net ads join
>
>     It should return:
>
>     Join is OK
>
>     If that passes, change these lines in smb.conf:
>
>         idmap config SAMDOM : backend = ad
>         idmap config SAMDOM : schema_mode = rfc2307
>
>     To:
>
>         idmap config SAMDOM : backend = rid
>         #idmap config SAMDOM : schema_mode = rfc2307
>
>     Run: net cache flush and restart winbind
>
>     Do you now get a user's info with 'getent passwd username' and a
>     group's info with 'getent group groupname'?
>
>     If so, repeat the procedure, but put the original lines back; you
>     should get output from the two commands again, but with different IDs.
>     If you do not get any output, you need to check the uidNumber & gidNumber
>     attributes in AD.
>
>     Whilst typing this, I began to think 'is he just typing getent passwd',
>     if so, this will not work without the 'winbind enum' lines in smb.conf,
>     that is all they do (apart from slowing things down).
>
>     Rowland
>
>
>
>
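A worked illustration of the point Rowland makes above, that the 'rid' backend ignores uidNumber/gidNumber and computes ID = RID + lower range bound, while the 'ad' backend reads those attributes and so yields different IDs. This is an added Python example, not code from the thread or from Samba; the domain SID prefix and User1's RID (1103) are constructed assumptions, and the 'ad' backend logic is simplified to the in-range check.

```python
import re

# Constructed sample domain SID; the range is the one from the thread's smb.conf.
DOMAIN_SID = "S-1-5-21-111111111-222222222-333333333"
RANGE_LOW, RANGE_HIGH = 10000, 19999  # idmap config SAMDOM : range = 10000-19999

_SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+-(\d+)$")


def rid_of(sid: str) -> int:
    """Return the RID (last sub-authority) of a domain SID."""
    m = _SID_RE.match(sid)
    if not m:
        raise ValueError(f"not a domain SID: {sid}")
    return int(m.group(1))


def idmap_rid(sid: str, low: int = RANGE_LOW, high: int = RANGE_HIGH):
    """'backend = rid': ID = RID + low end of the range; AD's uidNumber and
    gidNumber are never consulted.  Outside the range there is no mapping."""
    unix_id = rid_of(sid) + low
    return unix_id if low <= unix_id <= high else None


def idmap_ad(attrs: dict, low: int = RANGE_LOW, high: int = RANGE_HIGH):
    """'backend = ad' (simplified): use the object's uidNumber (users) or
    gidNumber (groups); no attribute, or one outside the range, means no mapping."""
    value = attrs.get("uidNumber", attrs.get("gidNumber"))
    if value is None:
        return None
    return value if low <= value <= high else None


def compare(objects, low=RANGE_LOW, high=RANGE_HIGH):
    """Map each (name, sid, attrs) with both backends -> {name: (rid_id, ad_id)}."""
    return {name: (idmap_rid(sid, low, high), idmap_ad(attrs, low, high))
            for name, sid, attrs in objects}


# Sample objects: the attribute values are the ones John reported; RIDs 500 and
# 513 are the well-known Administrator / Domain Users RIDs, 1103 is made up.
SAMPLE = [
    ("Administrator", f"{DOMAIN_SID}-500", {"uidNumber": 10100}),
    ("Domain Users", f"{DOMAIN_SID}-513", {"gidNumber": 10000}),
    ("User1", f"{DOMAIN_SID}-1103", {"uidNumber": 10101}),
]

if __name__ == "__main__":
    for name, (rid_id, ad_id) in compare(SAMPLE).items():
        print(f"{name:14} rid backend -> {rid_id}   ad backend -> {ad_id}")
```

Running it shows Administrator mapping to 10500 under 'rid' but 10100 under 'ad', which is why switching backends changes the IDs that 'getent' reports and why a stale winbind cache can mask the switch.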
