[Samba] getent passwd SAMDOM\\demo01 does not work
K. R. Foley
kr at cybsft.com
Tue Nov 9 03:29:09 UTC 2021
On 10/26/21 8:22 AM, L.P.H. van Belle via samba wrote:
>>> Please post the output of 'testparm -s' run on the Unix
>>> domain member
>> [root at cln-files-prod kr]# testparm -s
>> Load smb config files from /usr/local/samba/etc/smb.conf
>> Loaded services file OK.
>> idmap range not specified for domain '*'
>> ERROR: Invalid idmap range for domain *!
>> Server role: ROLE_DOMAIN_MEMBER
>> # Global parameters
>> dedicated keytab file = /etc/krb5.keytab
>> disable spoolss = Yes
>> kerberos method = secrets and keytab
>> load printers = No
>> printcap name = /dev/null
>> realm = LOCAL.SAMDOM.COM
>> security = ADS
>> username map = /usr/local/samba/user.map
>> winbind enum groups = Yes
>> winbind enum users = Yes
>> winbind refresh tickets = Yes
>> winbind use default domain = Yes
>> workgroup = LOCAL
>> idmap config * : backend = tdb
>> map acl inherit = Yes
>> printing = bsd
>> vfs objects = acl_xattr
>> Is the line above "ERROR: Invalid idmap range for domain *!"
>> a problem?
>> Also per request from Louis:
>> [root at ss-prod kr]# getent passwd local\\tech
> That's a bit what I expected to see.. Missing backend settings and system overlapping GIDs.
> So this is a migration from PDC to AD I'm thinking.. (* didn't follow the completely).
> You're missing from below link "Choose backend for id mapping in winbindd"
> And quick link set :
> Which reflects to your config with :
> # Default ID mapping configuration for local BUILTIN accounts
> # and groups on a domain member. The default (*) domain:
> # - must not overlap with any domain ID mapping configuration!
> # - must use a read-write-enabled back end, such as tdb.
> idmap config * : backend = tdb
> idmap config * : range = 3000-7999
> # - You must set a DOMAIN backend configuration
> # idmap config for the SAMDOM domain
> idmap config LOCAL: backend = rid
> idmap config LOCAL: range = 10000-999999
> Now, you will be seeing/getting a "small" problem.
> The user's GID, it's 100, that's the Linux group.
> Where Samba starts with 10000 by default in the above example.
> That needs a fix and that also involves resetting your ACLs later on.
I added the lines below to the smb.conf:
idmap config *:backend = tdb
idmap config *:range = 3000-9999
idmap config LOCAL : backend = rid
idmap config LOCAL : range = 10000-999999
This resolved the getent issue with the domain users. However, this
brings up a few questions.
As some of you may have already guessed, I am working on migrating an
old NT4 PDC to AD. That is why the user's GID is a linux group.
Old environment is a linux-based PDC and file server on the same server.
Target environment is separate linux-based AD and linux-based file
server(s). Both of the new servers will be on a new server / AWS
instance. I will be migrating the samba account info from the old PDC
using the guide here
I will also be migrating the data from the old file server to the new
1) Is it going to cause a problem to have migrated the domain data from
a linux-based PDC? Would it be advantageous to create new user accounts
instead of migrating?
2) It looks like the rid backend seems to work. I have read the
documentation on the different backends. Is there a downside to using
rid instead of one of the other backends?
Any advice on these questions or pointers to appropriate documentation
will be welcome.
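The testparm error in this thread ("idmap range not specified for domain '*'") and Louis's warning that the default (*) range must not overlap the domain range are both mechanical checks. The script below is an added example, not Samba's code and not from anyone in the thread: it parses the `idmap config` lines out of an smb.conf fragment and reports a missing range for `*` or for the workgroup, and any overlap between configured ranges. The two smb.conf fragments are constructed to mirror the broken config from the testparm output and the four lines the poster added; the function and variable names are this example's own.

```python
import re

# Constructed smb.conf fragments modelled on the thread (not copied from it): BROKEN mirrors
# the testparm output (a backend for '*' but no range); FIXED mirrors the lines the poster added.
SMB_CONF_BROKEN = """[global]
    workgroup = LOCAL
    idmap config * : backend = tdb
"""
SMB_CONF_FIXED = """[global]
    workgroup = LOCAL
    idmap config *:backend = tdb
    idmap config *:range = 3000-9999
    idmap config LOCAL : backend = rid
    idmap config LOCAL : range = 10000-999999
"""
# Samba accepts 'idmap config DOM:key' with or without spaces around the colon.
IDMAP_RE = re.compile(r"^\s*idmap\s+config\s+(\S+?)\s*:\s*(backend|range)\s*=\s*(.+?)\s*$", re.I)

def parse_idmap(conf):
    """Return {DOMAIN: {'backend': str, 'range': (lo, hi)}} from smb.conf text."""
    domains = {}
    for line in conf.splitlines():
        m = IDMAP_RE.match(line)
        if not m:
            continue
        dom, key, val = m.group(1).upper(), m.group(2).lower(), m.group(3)
        if key == "range":
            lo, hi = (int(x) for x in val.split("-"))
            domains.setdefault(dom, {})["range"] = (lo, hi)
        else:
            domains.setdefault(dom, {})["backend"] = val.lower()
    return domains

def check_idmap(conf, workgroup):
    """List the problems testparm/winbind would hit; an empty list means the ranges are sane."""
    domains, problems = parse_idmap(conf), []
    for dom in ["*", workgroup.upper()]:  # the default domain and the AD domain both need a range
        if "range" not in domains.get(dom, {}):
            problems.append(f"idmap range not specified for domain '{dom}'")
    ranged = sorted((e["range"], d) for d, e in domains.items() if "range" in e)
    for ((lo1, hi1), d1), ((lo2, hi2), d2) in zip(ranged, ranged[1:]):
        if lo2 <= hi1:  # sorted by lower bound, so this is the only way two ranges can overlap
            problems.append(f"idmap ranges for '{d1}' and '{d2}' overlap")
    return problems

def owning_domain(conf, xid):
    """Domain whose idmap range contains a numeric uid/gid, or None (e.g. the local GID 100)."""
    return next((d for d, e in parse_idmap(conf).items()
                 if "range" in e and e["range"][0] <= xid <= e["range"][1]), None)
```

`owning_domain(SMB_CONF_FIXED, 100)` returning None is the "small problem" Louis describes: a migrated user whose primary GID is the local group 100 falls outside every winbind range, so it is not a domain group and the ACLs built on it will need redoing.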