[Samba] getent passwd SAMDOM\\demo01 does not work
L.P.H. van Belle
belle at bazuin.nl
Tue Nov 9 08:51:05 UTC 2021
> -----Oorspronkelijk bericht-----
> Van: K. R. Foley [mailto:kr at cybsft.com]
> Verzonden: dinsdag 9 november 2021 4:29
> Aan: L.P.H. van Belle; samba at lists.samba.org
> Onderwerp: Re: [Samba] getent passwd SAMDOM\\demo01 does not work
> On 10/26/21 8:22 AM, L.P.H. van Belle via samba wrote:
> >>>> kr
> >>> Please post the output of 'testparm -s' run on the Unix
> >> domain member
> >> [root at cln-files-prod kr]# testparm -s
> >> Load smb config files from /usr/local/samba/etc/smb.conf
> >> Loaded services file OK.
> >> idmap range not specified for domain '*'
> >> ERROR: Invalid idmap range for domain *!
> >> Server role: ROLE_DOMAIN_MEMBER
> >> # Global parameters
> >> [global]
> >> dedicated keytab file = /etc/krb5.keytab
> >> disable spoolss = Yes
> >> kerberos method = secrets and keytab
> >> load printers = No
> >> printcap name = /dev/null
> >> realm = LOCAL.SAMDOM.COM
> >> security = ADS
> >> username map = /usr/local/samba/user.map
> >> winbind enum groups = Yes
> >> winbind enum users = Yes
> >> winbind refresh tickets = Yes
> >> winbind use default domain = Yes
> >> workgroup = LOCAL
> >> idmap config * : backend = tdb
> >> map acl inherit = Yes
> >> printing = bsd
> >> vfs objects = acl_xattr
> >> Is the line above "ERROR: Invalid idmap range for domain *!"
> >> a problem?
> >> Also per request from Louis:
> >> [root at ss-prod kr]# getent passwd local\\tech
> >> LOCAL\tech:*:3000020:100::/home/LOCAL/tech:/bin/false
> >> kr
> > Thats a bit what i expected to see.. Missing backend
> settings and system overlapping GID's.
> > So this is an migration from PDC to AD im thinking.. (*
> didnt follow the completely).
> > Your missing from below link "Choose backend for id
> mapping in winbindd"
> > https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
> > And quick link set :
> > https://wiki.samba.org/index.php/Idmap_config_rid
> > Which reflexs to your config with :
> > # Default ID mapping configuration for local BUILTIN accounts
> > # and groups on a domain member. The default (*) domain:
> > # - must not overlap with any domain ID mapping configuration!
> > # - must use a read-write-enabled back end, such as tdb.
> > idmap config * : backend = tdb
> > idmap config * : range = 3000-7999
> > # - You must set a DOMAIN backend configuration
> > # idmap config for the SAMDOM domain
> > idmap config LOCAL: backend = rid
> > idmap config LOCAL: range = 10000-999999
> > Now, you will be seeing/getting a "small" problem.
> > The users GID, its 100, thats the linux group.
> > Where samba starts with 10000 by default in above example.
> > That needs a fix and that also involves resetting your ACLs
> later on.
> > Greetz,
> > Louis
> I added the lines below to the smb.conf:
> idmap config *:backend = tdb
> idmap config *:range = 3000-9999
> idmap config LOCAL : backend = rid
> idmap config LOCAL : range = 10000-999999
> This resolved the getent issue with the domain users. However, this
> brings up a few questions.
> As some of you may have already guessed, I am working on migrating an
> old NT4 PDC to AD. That is why the user's GID is a linux group.
> Old environment is a linux-based PDC and file server on the
> same server.
> Target environment is separate linux-based AD and linux-based file
> server(s). Both of the new servers will be on a new server / AWS
> instance. I will be migrating the samba account info from the old PDC
> using the guide here
> I will also be migrating the data from the old file server to the new
> file server.
> 1) Is it going to cause a problem to have migrated the domain
> data from
> a linux-based PDC? Would it be advantageous to create new
> user accounts instead of migrating?
Personaly, i did also such a change and i started fresh.
It the network isnt that big that would be my preference.
> 2) It looks like the rid backend seems to work. I have read the
> documentation on the different backends. Is there a downside to using
> rid instead of one of the other backends?
Read the Advantages and Disadvantages on these.
> Any advice on these questions or pointers to appropriate
> documentation will be welcome.
Change as little as possible, use as much defaults and you
can and most will work without any problem.
More information about the samba