[Samba] getent passwd SAMDOM\\demo01 does not work
K. R. Foley
kr at cybsft.com
Tue Nov 9 03:29:09 UTC 2021
On 10/26/21 8:22 AM, L.P.H. van Belle via samba wrote:
>>>> kr
>>> Please post the output of 'testparm -s' run on the Unix domain member
>> [root at cln-files-prod kr]# testparm -s
>> Load smb config files from /usr/local/samba/etc/smb.conf
>> Loaded services file OK.
>> idmap range not specified for domain '*'
>> ERROR: Invalid idmap range for domain *!
>>
>> Server role: ROLE_DOMAIN_MEMBER
>>
>> # Global parameters
>> [global]
>> dedicated keytab file = /etc/krb5.keytab
>> disable spoolss = Yes
>> kerberos method = secrets and keytab
>> load printers = No
>> printcap name = /dev/null
>> realm = LOCAL.SAMDOM.COM
>> security = ADS
>> username map = /usr/local/samba/user.map
>> winbind enum groups = Yes
>> winbind enum users = Yes
>> winbind refresh tickets = Yes
>> winbind use default domain = Yes
>> workgroup = LOCAL
>> idmap config * : backend = tdb
>> map acl inherit = Yes
>> printing = bsd
>> vfs objects = acl_xattr
>>
>>
>> Is the line above "ERROR: Invalid idmap range for domain *!"
>> a problem?
>>
>> Also per request from Louis:
>>
>> [root at ss-prod kr]# getent passwd local\\tech
>> LOCAL\tech:*:3000020:100::/home/LOCAL/tech:/bin/false
>>
>> kr
>>
>
> That's a bit what I expected to see.. Missing backend settings and system overlapping GIDs.
> So this is a migration from PDC to AD I'm thinking.. (* didn't follow it completely).
>
> You're missing from below link "Choose backend for id mapping in winbindd"
> https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
> And quick link set :
> https://wiki.samba.org/index.php/Idmap_config_rid
>
> Which reflects to your config with :
>
> # Default ID mapping configuration for local BUILTIN accounts
> # and groups on a domain member. The default (*) domain:
> # - must not overlap with any domain ID mapping configuration!
> # - must use a read-write-enabled back end, such as tdb.
> idmap config * : backend = tdb
> idmap config * : range = 3000-7999
> # - You must set a DOMAIN backend configuration
> # idmap config for the SAMDOM domain
> idmap config LOCAL: backend = rid
> idmap config LOCAL: range = 10000-999999
>
> Now, you will be seeing/getting a "small" problem.
>
> The user's GID, it's 100, that's the linux group.
> Where samba starts with 10000 by default in above example.
>
> That needs a fix and that also involves resetting your ACLs later on.
>
>
> Greetz,
>
> Louis
>
>
I added the lines below to the smb.conf:
idmap config *:backend = tdb
idmap config *:range = 3000-9999
idmap config LOCAL : backend = rid
idmap config LOCAL : range = 10000-999999
This resolved the getent issue with the domain users. However, this
brings up a few questions.
As some of you may have already guessed, I am working on migrating an
old NT4 PDC to AD. That is why the user's GID is a linux group.
Old environment is a linux-based PDC and file server on the same server.
Target environment is separate linux-based AD and linux-based file
server(s). Both of the new servers will be on a new server / AWS
instance. I will be migrating the samba account info from the old PDC
using the guide here
https://wiki.samba.org/index.php/Migrating_a_Samba_NT4_Domain_to_Samba_AD_(Classic_Upgrade).
I will also be migrating the data from the old file server to the new
file server.
So:
1) Is it going to cause a problem to have migrated the domain data from
a linux-based PDC? Would it be advantageous to create new user accounts
instead of migrating?
2) It looks like the rid backend seems to work. I have read the
documentation on the different backends. Is there a downside to using
rid instead of one of the other backends?
Any advice on these questions or pointers to appropriate documentation
will be welcome.
Thanks,
kr