[Samba] rid backend not working

Rowland penny rpenny at samba.org
Wed Oct 23 16:23:57 UTC 2019


On 23/10/2019 16:49, Leszek Gubernat via samba wrote:
> Hi All,
> I'd like to start using the 'rid' idmap backend rather than 'tdb' on my member 
> servers to keep gidNumbers in sync across the realm INCLUDING the DC. 

You cannot. A DC uses idmap.ldb to store xidNumbers (which are in the 
3000000 range); you cannot use the 'rid' or 'ad' backend on a DC.

On a Unix domain member the 'rid' backend calculates the user or group 
ID from the object's RID and the DOMAIN low range.

If you want the same IDs everywhere you must add uidNumber & gidNumber 
attributes to AD and use the 'ad' backend on all Unix domain members.

> Problem is when I execute
> member1# getent group "MPD1\group1"
> I get no output. The gidNumbers fall within the range of 30000-60000.
> testparm passes nicely. No errors logged whilst executing getent.
> Could anyone point me in the right direction? Thank you.
This is strange; from your smb.conf below, you are using the 'rid' 
backend, so it should work.
>
>
> ADDC:
> Gentoo hardened; kernel 4.9
> Samba 4.5.15 (installed from the distribution)
>
> addc /etc/samba/smb.conf
> # Global parameters
> [global]
>         server role check:inhibit=yes
>         dsdb:schema update allowed = yes
>         netbios name = ACDC
>         realm = SOME.REA.LM
>         workgroup = DOMAIN
>         server role = active directory domain controller
>         idmap_ldb:use rfc2307 = yes
>         ldap server require strong auth = no
>         unix extensions = no
>         security = user
Remove the 'security' line
>         dns forwarder = 1.2.3.4
>         allow dns updates = nonsecure
>         log level = 1
>         log file = /var/log/samba/log.%m
>         ntp signd socket directory = /var/lib/samba/ntp_signd
>         time server = yes
Of course it's a time server, it is a DC
>
> member1:
> Gentoo hardened 2018; kernel 4.17
> Samba 4.11.0 compiled:
> ./configure --prefix=/usr/local/samba --disable-cups --disable-iprint 
> --without-ad-dc
>
> member1 /etc/samba/smb.conf
> [global]
>         netbios name = member1
>         realm = SOME.REA.LM
>         workgroup = DOMAIN
>         security = ADS
>         log level = 2
>         max log size = 50000
>         log file = /var/log/samba/log.%m
>         idmap config * : backend = tdb
>         idmap config * : range = 20000-25000
>         idmap config MPD1 : backend = rid
>         idmap config MPD1 : range = 30000-60000
>
I take it that 'DOMAIN' is actually 'MPD1'
>
> member1 /etc/nsswitch.conf
> passwd:      compat files winbind
> shadow:      compat files
> group:       compat files winbind
'compat' and 'files' are the same thing
>
> hosts:       files dns
> networks:    files dns
>
> services:    db files
> protocols:   db files
> rpc:         db files
> ethers:      db files
> netmasks:    files
> netgroup:    files
> bootparams:  files
>
> automount:   files
> aliases:     files
>
>
> lrwxrwxrwx 1 root root 26 Oct 10 14:33 /lib64/libnss_winbind.so -> 
> /lib64/libnss_winbind.so.2
> lrwxrwxrwx 1 root root 40 Oct 10 14:32 /lib64/libnss_winbind.so.2 -> 
> /usr/local/samba/lib/libnss_winbind.so.2
>
>
Is PAM installed? (I am not a Gentoo user)

Rowland
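An added diagnostic (not from the thread or the Samba project) that parses the idmap lines of a member-server smb.conf, applies the idmap_rid arithmetic described above (xid = RID - base rid + low end of the domain's range, so an out-of-range result is why getent prints nothing), and flags the workgroup/idmap-domain mismatch raised in the reply. The smb.conf text, function names and RID values are constructed.

```python
import re

# Constructed smb.conf excerpt, modelled on the member server config quoted in the thread
MEMBER_SMB_CONF = """
[global]
        workgroup = DOMAIN
        security = ADS
        idmap config * : backend = tdb
        idmap config * : range = 20000-25000
        idmap config MPD1 : backend = rid
        idmap config MPD1 : range = 30000-60000
"""

IDMAP_RE = re.compile(r'idmap config\s+(\S+)\s*:\s*(backend|range)\s*=\s*(.+)')

def parse_idmap(conf):
    """Return (workgroup, {DOMAIN: {'backend': str, 'range': (lo, hi)}})."""
    workgroup, idmap = None, {}
    for raw in conf.splitlines():
        line = raw.strip()
        m = IDMAP_RE.match(line)
        if m:
            dom, key, val = m.group(1).upper(), m.group(2), m.group(3).strip()
            if key == 'range':
                lo, hi = (int(x) for x in val.split('-'))
                idmap.setdefault(dom, {})['range'] = (lo, hi)
            else:
                idmap.setdefault(dom, {})['backend'] = val.lower()
        elif line.startswith('workgroup'):
            workgroup = line.split('=', 1)[1].strip().upper()
    return workgroup, idmap

def rid_to_xid(domain, rid, idmap, base_rid=0):
    """idmap_rid arithmetic: xid = RID - base_rid + low end of the domain's range.
    None when the domain has no rid block or the result leaves the range (no getent output)."""
    entry = idmap.get(domain.upper())
    if not entry or entry.get('backend') != 'rid' or 'range' not in entry:
        return None
    lo, hi = entry['range']
    xid = rid - base_rid + lo
    return xid if lo <= xid <= hi else None

def check_config(workgroup, idmap):
    """Warnings an admin wants: workgroup without its own idmap block, overlapping ranges."""
    warnings = []
    if workgroup not in idmap:
        warnings.append(f"workgroup {workgroup!r} has no 'idmap config' block; configured: "
                        f"{[d for d in idmap if d != '*']}")
    ranges = sorted(v['range'] for v in idmap.values() if 'range' in v)
    for (lo1, hi1), (lo2, hi2) in zip(ranges, ranges[1:]):
        if lo2 <= hi1:
            warnings.append(f"ranges {lo1}-{hi1} and {lo2}-{hi2} overlap")
    return warnings
```

A group whose RID exceeds the width of the configured range (here anything above RID 30000) maps to nothing, so widening the range or lowering it with the base rid are the knobs to check.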