[Samba] Problem with UID and GID

Rowland penny rpenny at samba.org
Tue Oct 22 15:20:57 UTC 2019


On 22/10/2019 16:01, Stephen Atkins wrote:
> On 22/10/2019 8:48 a.m., Rowland penny via samba wrote:
>
>> Have you read this:
>>
>> https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member#Setting_up_a_Basic_smb.conf_File 
>
>
> I have and I thought I set it up correctly.  I followed the 
> idmap_config_ad link to setup my domain member.  But I'm going over it 
> again as I'm sure I missed something.
>
>>>
>>> Let me know if you would like to see any other config files.
>>>
>> Yes, can we see your smb.conf files.
>>
>> It looks like you have given your user a uidNumber attribute, but 
>> haven't  given 'Domain Users' a gidNumber attribute. What OS is this 
>> ? '4' isn't an ID for the 'users' group that I have come across. 
>> Though thinking about it, perhaps the question is, just where have 
>> you set that '4' ?
>
> I had set the Primary GID in the Unix Attributes section for that user 
> to 4 (which I can't remember why I did) but have since changed it to 
> "Domain Admins".  For the Domain Admins group I have set the GID to 
> 10004.
Try setting the gidNumber for 'Domain Users' to '10000'
>
> My smb.conf for the AD DC is:
>
> # Global parameters
> [global]
>         netbios name = DC1
>         realm = AD.MDWAINWRIGHT.CA
>         server role = active directory domain controller
>         server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, 
> drepl, winbi$
>         workgroup = AD
>
>         idmap_ldb:use rfc2307 = yes
>
>         template homedir = /home/%D/%U
You do not need the above line, it is the default
> template shell = /bin/bash
This is okay, but only required if your users will log into the DC
> vfs objects = acl_xattr
>         map acl inherit = yes
>         store dos attributes = yes
Remove the three lines above, they should not be in a DC smb.conf
>
> [netlogon]
>         path = /var/lib/samba/sysvol/ad.mdwainwright.ca/scripts
>         read only = No
>
> [sysvol]
>         path = /var/lib/samba/sysvol
>         read only = No
>
>
> My smb.conf for the fileserver is:
> [global]
>         workgroup = AD
>         realm = AD.MDWAINWRIGHT.CA
>         netbios name = FILESERVER
>         security = ADS
>         dns forwarder = 192.168.1.3
No, you do not have a dns forwarder on a Unix domain member
>
> #       idmap config * : backend = tdb
> #       idmap config *:range = 10000-50000

Interesting, you have commented out something you need (with an 
incorrect range) but you haven't added the required replacements. Are 
you using sssd?

If so, then stop, it isn't supported.

Try adding these lines:

     idmap config *:backend = tdb
     idmap config *:range = 3000-7999
     idmap config AD : backend = ad
     idmap config AD : schema_mode = rfc2307
     idmap config AD : unix_nss_info = yes
     idmap config AD : range = 10000-999999

> idmap_ldb:use rfc2307 = yes
Remove the line above, it is only used on a DC
>
>         winbind use default domain = true
OK
> winbind offline logon = false
>         winbind nss info = rfc2307
>         winbind enum users = yes
>         winbind enum groups = yes
Remove the four lines above, they are not required.
>
>
>         template homedir = /home/%D/%U
>         template shell = /bin/bash
>         vfs objects = acl_xattr
>         map acl inherit = yes
>         store dos attributes = yes
>
> [shared]
>         path = /mnt/usershares
>         read only = no
>
> [users]
>         path = /home/AD
>         read only = no
>
Rowland
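As an added illustration (not part of the thread), the checks below encode the idmap advice given above: the '*' and AD ranges must not overlap, the AD domain must use the 'ad' backend, every uidNumber/gidNumber stored in AD must fall inside the AD range, and DC-only parameters must not appear on a member. The smb.conf text and the ID list are constructed for the example; the AD domain name and the two DC-only parameter names are taken from the thread.

```python
import re

# Constructed member smb.conf: the thread's suggested idmap lines plus the
# two lines the reply says to remove (example input, not the poster's file).
MEMBER_SMB_CONF = """
[global]
        workgroup = AD
        realm = AD.MDWAINWRIGHT.CA
        security = ADS
        idmap config *:backend = tdb
        idmap config *:range = 3000-7999
        idmap config AD : backend = ad
        idmap config AD : schema_mode = rfc2307
        idmap config AD : unix_nss_info = yes
        idmap config AD : range = 10000-999999
        idmap_ldb:use rfc2307 = yes
        dns forwarder = 192.168.1.3
"""

# Parameters that belong in a DC smb.conf, not on a Unix domain member.
DC_ONLY = ("idmap_ldb:use rfc2307", "dns forwarder")

IDMAP_RE = re.compile(r"^idmap config\s*(\S+)\s*:\s*(\w+)\s*=\s*(.+)$")

def parse_idmap(conf):
    """Return {domain: {option: value}} for every 'idmap config' line."""
    idmap = {}
    for raw in conf.splitlines():
        m = IDMAP_RE.match(raw.strip())
        if m:
            dom, opt, val = m.groups()
            idmap.setdefault(dom, {})[opt] = val.strip()
    return idmap

def check_member_idmap(conf, rfc2307_ids):
    """List idmap problems; rfc2307_ids are uidNumber/gidNumber values set in AD."""
    problems = []
    idmap = parse_idmap(conf)
    ranges = {d: tuple(int(x) for x in o["range"].split("-"))
              for d, o in idmap.items() if "range" in o}
    # Overlapping '*' and AD ranges make winbind hand out colliding IDs.
    if "*" in ranges and "AD" in ranges:
        (a, b), (c, d) = ranges["*"], ranges["AD"]
        if a <= d and c <= b:
            problems.append("'*' range overlaps AD range")
    if idmap.get("AD", {}).get("backend") != "ad":
        problems.append("AD domain is not using the 'ad' backend")
    for i in rfc2307_ids:  # IDs stored in AD must sit inside the AD range
        if "AD" in ranges and not ranges["AD"][0] <= i <= ranges["AD"][1]:
            problems.append(f"id {i} is outside the AD range")
    for p in DC_ONLY:
        if any(l.strip().startswith(p) for l in conf.splitlines()):
            problems.append(f"'{p}' belongs on a DC, not a domain member")
    return problems
```

Running it against the constructed file with the IDs mentioned in the thread (10000, 10004 and the stray 4) flags the '4', the idmap_ldb line and the dns forwarder, while the two suggested ranges pass.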