[Samba] getent passwd SAMDOM\\demo01 does not work
L.P.H. van Belle
belle at bazuin.nl
Tue Oct 26 13:22:17 UTC 2021
> >> kr
> > Please post the output of 'testparm -s' run on the Unix
> domain member
> [root at cln-files-prod kr]# testparm -s
> Load smb config files from /usr/local/samba/etc/smb.conf
> Loaded services file OK.
> idmap range not specified for domain '*'
> ERROR: Invalid idmap range for domain *!
>
> Server role: ROLE_DOMAIN_MEMBER
>
> # Global parameters
> [global]
> dedicated keytab file = /etc/krb5.keytab
> disable spoolss = Yes
> kerberos method = secrets and keytab
> load printers = No
> printcap name = /dev/null
> realm = LOCAL.SAMDOM.COM
> security = ADS
> username map = /usr/local/samba/user.map
> winbind enum groups = Yes
> winbind enum users = Yes
> winbind refresh tickets = Yes
> winbind use default domain = Yes
> workgroup = LOCAL
> idmap config * : backend = tdb
> map acl inherit = Yes
> printing = bsd
> vfs objects = acl_xattr
>
>
> Is the line above "ERROR: Invalid idmap range for domain *!"
> a problem?
>
> Also per request from Louis:
>
> [root at ss-prod kr]# getent passwd local\\tech
> LOCAL\tech:*:3000020:100::/home/LOCAL/tech:/bin/false
>
> kr
>
That's a bit what I expected to see.. Missing backend settings and system overlapping GIDs.
So this is a migration from PDC to AD, I'm thinking.. (* didn't follow the completely).
You're missing from below link "Choose backend for id mapping in winbindd"
https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
And quick link set:
https://wiki.samba.org/index.php/Idmap_config_rid
Which reflects to your config with:
# Default ID mapping configuration for local BUILTIN accounts
# and groups on a domain member. The default (*) domain:
# - must not overlap with any domain ID mapping configuration!
# - must use a read-write-enabled back end, such as tdb.
idmap config * : backend = tdb
idmap config * : range = 3000-7999
# - You must set a DOMAIN backend configuration
# idmap config for the SAMDOM domain
idmap config LOCAL: backend = rid
idmap config LOCAL: range = 10000-999999
Now, you will be seeing/getting a "small" problem.
The user's GID, it's 100, that's the Linux group.
Where Samba starts with 10000 by default in the above example.
That needs a fix, and that also involves resetting your ACLs later on.
Greetz,
Louis
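
Added example, not part of the original post and not Samba code: a small Python check that reads `testparm -s` style output and reports the conditions discussed in this message (no range for the `*` domain, no backend or range for the workgroup domain, overlapping ranges). The function names and the two sample strings are constructed for illustration; the sample values are taken from the output and the suggested settings above.

```python
import re

# Matches lines such as "idmap config LOCAL : range = 10000-999999"
IDMAP_RE = re.compile(r"^\s*idmap config\s+(\S+?)\s*:\s*(backend|range)\s*=\s*(.+?)\s*$", re.I)
WORKGROUP_RE = re.compile(r"^\s*workgroup\s*=\s*(\S+)", re.I)

def parse_idmap(conf_text):
    """Return (workgroup, {domain: {"backend": str, "range": (low, high)}})."""
    workgroup, domains = None, {}
    for line in conf_text.splitlines():
        if line.lstrip().startswith(("#", ";")):
            continue  # skip smb.conf comments
        m = WORKGROUP_RE.match(line)
        if m:
            workgroup = m.group(1).upper()
        m = IDMAP_RE.match(line)
        if m:
            dom, key, val = m.group(1).upper(), m.group(2).lower(), m.group(3)
            if key == "range":
                val = tuple(int(x) for x in val.split("-"))
            domains.setdefault(dom, {})[key] = val
    return workgroup, domains

def check_idmap(conf_text):
    """Return a list of findings; an empty list means the mapping is consistent."""
    workgroup, domains = parse_idmap(conf_text)
    findings = []
    for dom in ["*"] + ([workgroup] if workgroup else []):
        for key in ("backend", "range"):
            if key not in domains.get(dom, {}):
                findings.append(f"{dom}: no idmap {key} configured")
    ranged = sorted((d["range"], name) for name, d in domains.items() if "range" in d)
    for ((lo1, hi1), n1), ((lo2, hi2), n2) in zip(ranged, ranged[1:]):
        if lo2 <= hi1:  # next range starts before the previous one ends
            findings.append(f"ranges of {n1} and {n2} overlap")
    return findings

def owning_domain(conf_text, unix_id):
    """Return the idmap domain whose range contains unix_id, or None."""
    for name, d in parse_idmap(conf_text)[1].items():
        lo, hi = d.get("range", (1, 0))
        if lo <= unix_id <= hi:
            return name
    return None

# Constructed samples: the idmap-relevant lines of the posted output, then the suggested fix.
BROKEN = "workgroup = LOCAL\nidmap config * : backend = tdb\n"
FIXED = BROKEN + ("idmap config * : range = 3000-7999\n"
                  "idmap config LOCAL: backend = rid\n"
                  "idmap config LOCAL: range = 10000-999999\n")
```

With the suggested ranges, `owning_domain(FIXED, 3000020)` and `owning_domain(FIXED, 100)` both return `None`: the uid and gid shown in the `getent` output above fall outside both configured ranges.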