[Samba] getent passwd SAMDOM\\demo01 does not work

L.P.H. van Belle belle at bazuin.nl
Tue Nov 9 08:51:05 UTC 2021


 

> -----Original Message-----
> From: K. R. Foley [mailto:kr at cybsft.com] 
> Sent: Tuesday 9 November 2021 4:29
> To: L.P.H. van Belle; samba at lists.samba.org
> Subject: Re: [Samba] getent passwd SAMDOM\\demo01 does not work
> 
> 
> On 10/26/21 8:22 AM, L.P.H. van Belle via samba wrote:
> >>>> kr
> >>> Please post the output of 'testparm -s' run on the Unix
> >> domain member
> >> [root at cln-files-prod kr]# testparm -s
> >> Load smb config files from /usr/local/samba/etc/smb.conf
> >> Loaded services file OK.
> >> idmap range not specified for domain '*'
> >> ERROR: Invalid idmap range for domain *!
> >>
> >> Server role: ROLE_DOMAIN_MEMBER
> >>
> >> # Global parameters
> >> [global]
> >>       dedicated keytab file = /etc/krb5.keytab
> >>       disable spoolss = Yes
> >>       kerberos method = secrets and keytab
> >>       load printers = No
> >>       printcap name = /dev/null
> >>       realm = LOCAL.SAMDOM.COM
> >>       security = ADS
> >>       username map = /usr/local/samba/user.map
> >>       winbind enum groups = Yes
> >>       winbind enum users = Yes
> >>       winbind refresh tickets = Yes
> >>       winbind use default domain = Yes
> >>       workgroup = LOCAL
> >>       idmap config * : backend = tdb
> >>       map acl inherit = Yes
> >>       printing = bsd
> >>       vfs objects = acl_xattr
> >>
> >>
> >> Is the line above "ERROR: Invalid idmap range for domain *!"
> >> a problem?
> >>
> >> Also per request from Louis:
> >>
> >> [root at ss-prod kr]# getent passwd local\\tech
> >> LOCAL\tech:*:3000020:100::/home/LOCAL/tech:/bin/false
> >>
> >> kr
> >>
> >
> > That's a bit what I expected to see... Missing backend 
> > settings and overlapping system GIDs.
> > So this is a migration from PDC to AD, I'm thinking... (I 
> > didn't follow it completely).
> >
> > You're missing, from the link below, "Choose backend for id 
> > mapping in winbindd"
> > https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
> > And quick link set :
> > https://wiki.samba.org/index.php/Idmap_config_rid
> >
> > Which reflects on your config with:
> >
> > # Default ID mapping configuration for local BUILTIN accounts
> > # and groups on a domain member. The default (*) domain:
> > # - must not overlap with any domain ID mapping configuration!
> > # - must use a read-write-enabled back end, such as tdb.
> > idmap config * : backend = tdb
> > idmap config * : range = 3000-7999
> > # - You must set a DOMAIN backend configuration
> > # idmap config for the SAMDOM domain
> > idmap config LOCAL: backend = rid
> > idmap config LOCAL: range = 10000-999999
> >
> > Now, you will be seeing/getting a "small" problem.
> >
> > The user's GID is 100, that's the Linux group.
> > Whereas Samba starts at 10000 by default in the above example.
> >
> > That needs a fix, and that also involves resetting your ACLs 
> > later on.
> >
> >
> > Greetz,
> >
> > Louis
> >
> >
> I added the lines below to the smb.conf:
> 
>      idmap config *:backend = tdb
>      idmap config *:range = 3000-9999
>      idmap config LOCAL : backend = rid
>      idmap config LOCAL : range = 10000-999999
> 
> This resolved the getent issue with the domain users. However, this 
> brings up a few questions.
> 
> As some of you may have already guessed, I am working on migrating an 
> old NT4 PDC to AD. That is why the user's GID is a linux group.
> 
> Old environment is a Linux-based PDC and file server on the 
> same server. 
> Target environment is separate Linux-based AD and Linux-based file 
> server(s). Both of the new servers will be on a new server / AWS 
> instance. I will be migrating the samba account info from the old PDC 
> using the guide here 
> https://wiki.samba.org/index.php/Migrating_a_Samba_NT4_Domain_to_Samba_AD_(Classic_Upgrade). 
> I will also be migrating the data from the old file server to the new 
> file server.
> 
> So:
> 
> 1) Is it going to cause a problem to have migrated the domain 
> data from a Linux-based PDC? Would it be advantageous to create new 
> user accounts instead of migrating?

Personally, I also did such a change and I started fresh. 
If the network isn't that big, that would be my preference.

> 
> 2) It looks like the rid backend seems to work. I have read the 
> documentation on the different backends. Is there a downside to using 
> rid instead of one of the other backends?

https://wiki.samba.org/index.php/Idmap_config_rid 
https://wiki.samba.org/index.php/Idmap_config_ad
https://wiki.samba.org/index.php/Idmap_config_autorid

Read the Advantages and Disadvantages on these. 


> 
> Any advice on these questions or pointers to appropriate 
> documentation will be welcome.

Change as little as possible, use as many defaults as you 
can, and most will work without any problem.


> 
> Thanks,

You're welcome.

Greetz, 

Louis
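As an added example (not code from the Samba project or from anyone in this thread), the following Python script performs the checks that the `testparm` warnings quoted above point at: every `idmap config` domain needs a backend and a range, the domain named by `workgroup` needs its own idmap config, and no two ranges may overlap. It also shows the idmap_rid mapping rule (ID = low end of the range + RID, as documented on the Idmap_config_rid wiki page) and flags legacy POSIX IDs such as the GID 100 from the old PDC that fall outside the domain's range and therefore need re-mapping and ACL resets. The two embedded smb.conf snippets are constructed from the settings quoted in the thread; the RID value 1103 is an assumed sample.

```python
import re

# Constructed sample, assembled from the [global] settings quoted in this
# thread plus the four "idmap config" lines the poster said he added.
SAMPLE_FIXED_SMB_CONF = """\
[global]
        realm = LOCAL.SAMDOM.COM
        security = ADS
        workgroup = LOCAL
        idmap config *:backend = tdb
        idmap config *:range = 3000-9999
        idmap config LOCAL : backend = rid
        idmap config LOCAL : range = 10000-999999
"""

# Constructed sample reproducing the state testparm complained about:
# a tdb backend for '*' without a range, and nothing at all for LOCAL.
SAMPLE_BROKEN_SMB_CONF = """\
[global]
        workgroup = LOCAL
        idmap config * : backend = tdb
"""

IDMAP_RE = re.compile(r"^\s*idmap\s+config\s+([^:]+?)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.I)
WORKGROUP_RE = re.compile(r"^\s*workgroup\s*=\s*(\S+)", re.I)


def parse_smb_conf(text):
    """Return (workgroup, {DOMAIN: {param: value}}) from 'idmap config' lines."""
    workgroup, idmap = None, {}
    for line in text.splitlines():
        wg = WORKGROUP_RE.match(line)
        if wg:
            workgroup = wg.group(1).upper()
            continue
        m = IDMAP_RE.match(line)
        if m:
            domain, param, value = m.group(1).strip().upper(), m.group(2).lower(), m.group(3)
            idmap.setdefault(domain, {})[param] = value
    return workgroup, idmap


def parse_range(value):
    """'10000-999999' -> (10000, 999999); raises ValueError on garbage."""
    low, high = (int(x) for x in value.split("-", 1))
    if low >= high:
        raise ValueError(f"empty or inverted idmap range {value!r}")
    return low, high


def check_idmap(text):
    """List the idmap problems testparm would flag, plus range overlaps."""
    problems = []
    workgroup, idmap = parse_smb_conf(text)
    if "*" not in idmap:
        problems.append("no idmap config for the default domain '*'")
    if workgroup and workgroup not in idmap:
        problems.append(f"no idmap backend configured for domain '{workgroup}'")
    ranges = {}
    for domain, params in idmap.items():
        if "backend" not in params:
            problems.append(f"no backend for domain '{domain}'")
        if "range" not in params:
            problems.append(f"idmap range not specified for domain '{domain}'")
            continue
        try:
            ranges[domain] = parse_range(params["range"])
        except ValueError as exc:
            problems.append(f"domain '{domain}': {exc}")
    # Ranges must not overlap: sort by low end and compare neighbours.
    ordered = sorted(ranges.items(), key=lambda kv: kv[1])
    for (d1, (_, high1)), (d2, (low2, _)) in zip(ordered, ordered[1:]):
        if high1 >= low2:
            problems.append(f"idmap ranges of '{d1}' and '{d2}' overlap")
    return problems


def rid_to_id(rid, domain_range):
    """idmap_rid mapping as documented on the wiki: ID = LOW_RANGE + RID."""
    low, high = domain_range
    xid = low + rid
    if xid > high:
        raise ValueError(f"RID {rid} maps to {xid}, above the range high end {high}")
    return xid


def ids_not_owned_by_domain(posix_ids, domain_range):
    """IDs from the old PDC (like the GID 100 in the thread) that do not fall
    inside the domain's range and therefore need re-mapping and ACL resets."""
    low, high = domain_range
    return [i for i in posix_ids if not low <= i <= high]


if __name__ == "__main__":
    for name, conf in (("broken", SAMPLE_BROKEN_SMB_CONF), ("fixed", SAMPLE_FIXED_SMB_CONF)):
        print(f"{name}: {check_idmap(conf) or 'OK'}")
    local_range = parse_range("10000-999999")
    print("RID 1103 ->", rid_to_id(1103, local_range))   # assumed sample RID
    print("stale ids:", ids_not_owned_by_domain([100, 11103], local_range))
```

Point `check_idmap` at the text of a real smb.conf before joining a member server, and treat any non-empty result the way `testparm -s` treats its own idmap errors: winbind will not map domain users reliably until the ranges are complete and disjoint.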
