[Samba] IDMAP behaviour

Pablo Suarez pb.suarez42 at gmail.com
Fri Oct 29 18:18:10 UTC 2021


Hi,

I'm asking for help to understand idmap behaviour. First of all, let me
explain what I'm trying to do.

I'm working in a company with an Active Directory (running on a
Microsoft Windows 2012 R2 server) and an OpenLdap (running on an Ubuntu
20 server) for Linux users. Actually, users have the same account name
(linux login = sAMAccountName).
The goal of my project is to set up a Samba server (running on Redhat 7.9)
for both Windows and Linux users. Of course, I want Linux and Windows users
to be able to authenticate using their AD credentials on Samba shares, and
to manage permissions with an intelligent uid/SID mapping. Share access
security will be done by checking the Linux group (OpenLdap) membership,
because OpenLdap groups are not present in the Active Directory; that's
because I'm not an administrator of the AD, whereas I am on the OpenLdap
server. The file system security part will be performed with ACLs.

After reading a lot of documentation and different articles (I'm new to
Samba), I'm not sure I understand it correctly. Here is what I did:

 - Setting up a working OpenLdap with the samba schema for Linux users.
 - Setting up passthrough OpenLdap authentication with SASL against Active
Directory. This part is working.
 - Setting up a Samba server (version 4.10) as an AD domain member (security
= ads), joining the AD domain (MYDOMAIN.DOMAIN.COM) with the realm command,
and using the ldap idmap backend with winbind.

Here is what is going on:

 - using "getent passwd linux_user" works well
 - using "getent passwd DOMAIN\\ad_user" works well
 - using "wbinfo -u" works well (all users are correctly listed)
 - using "wbinfo -g" works well (all groups are correctly listed)
 - ldap idmap backend does not populate my OpenLdap server correctly. In
fact, it's writing directly into the domain's root DN instead of the
ou=Idmap
 - using "wbinfo -D DOMAIN -i ad_user" works partially: it retrieves the
SID, but then I get the following error:
  failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
  Could not get info for user ad_user
 - using "wbinfo -D DOMAIN -S AD_USER_SID" does not work, I get the
following error:
  failed to call wbcSidToUid: WBC_ERR_DOMAIN_NOT_FOUND
  Could not convert sid AD_USER_SID to uid
 - idmap with winbind doesn't seem to work properly. I thought it was
intended to act as a user mapping and assign the same uid to an AD user as
to an OpenLdap user. I'm starting to think I didn't understand the
behaviour of user mapping correctly.
 - From a Windows share, I can't access a simple test share, even though
the permission is set correctly in both smb.conf ("valid users" option)
and the file system (chown DOMAIN\ad_user /path/share)

You will find my smb.conf file below:

[global]
        security = ads
        workgroup = MYDOMAIN
        realm = MYDOMAIN.DOMAIN.COM
        encrypt passwords = true
        interfaces = IP.ADD.RR.ESS
        bind interfaces only = Yes
        netbios name = SAMBA-NETBIOS-NAME
        load printers = no

        passdb backend = ldapsam:ldap://my-ldap.mydomain.domain.com
        ldap suffix = dc=unixdomain,dc=domain,dc=com
        ldap user suffix = ou=People
        ldap group suffix = ou=Group
        ldap machine suffix = ou=Hosts
        ldap admin dn = cn=admin,dc=unixdomain,dc=domain,dc=com
        ldap idmap suffix = "ou=Idmap"
        # or off if TLS/SSL is not configured
        #ldap ssl = start tls
        ldap ssl = off
        ldap passwd sync = yes

        Unix Charset = UTF8

        kerberos method = secrets and keytab
        template homedir = /home/%U
        template shell = /bin/bash
        username map = /etc/samba/users.map
        idmap config * : range = 5000000-6000000
        idmap config * : backend = tdb
        idmap config MYDOMAIN : range = 10000-4000000
        idmap config MYDOMAIN : backend = ldap
        idmap config MYDOMAIN : ldap_url = ldap://my-ldap.mydomain.domain.com
        idmap config MYDOMAIN : ldap_base_dn = dc=unixdomain,dc=domain,dc=com
        idmap config MYDOMAIN : ldap_user_dn = cn=admin,dc=unixdomain,dc=domain,dc=com
        idmap config MYDOMAIN : idmap suffix = "ou=Idmap"
        idmap config MYDOMAIN : default = yes
        winbind use default domain = yes
        winbind refresh tickets = yes
        winbind offline logon = yes
        winbind enum groups = no
        winbind expand groups = 1
        winbind enum users = no
        log level = 10
        log file = /var/log/samba/log.%m

[test]
        comment = test
        path = /path/share
        valid users = DOMAIN\user
        browseable = Yes
        read only = No
        inherit permissions = Yes
        inherit acls = Yes

[another_share]
        comment = another share
        browsable = Yes
        read only = No
        valid users = @unix_group
        path = /path/anothershare
        inherit permissions = Yes
        inherit acls = Yes
        force group = @unix_group
        force directory mode = 2771
        force create mode = 0771

I'm a little confused about all the configuration, and I'm sure I'm doing
something wrong. I'm even thinking that what I want to do is not
possible... Anyway, I'm losing my hair trying to get it working.

Any help would be appreciated!

Best regards.
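As an added example (not code from the original post or from the Samba project), here is a small POSIX shell checker for the idmap part of an smb.conf: it parses "idmap config DOMAIN : key" lines, checks that the AD domain's id range does not overlap the "*" default range, and flags an "idmap config DOMAIN : ldap_base_dn" that equals the bare "ldap suffix", since idmap_ldap stores its SID mapping entries directly under ldap_base_dn, which matches the "written at the domain's root DN" symptom above. The embedded configuration is a constructed copy of the relevant lines from the post, and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original post): sanity-check the idmap settings of an smb.conf.
# Two findings are reported: an AD domain id range that overlaps the "*" default range, and an
# idmap_ldap ldap_base_dn equal to the bare "ldap suffix", which places SID mappings at the
# directory root instead of under a dedicated idmap OU (the symptom described in the post).
# SMBCONF_SAMPLE is a constructed copy of the relevant lines of the posted configuration.
SMBCONF_SAMPLE='[global]
        ldap suffix = dc=unixdomain,dc=domain,dc=com
        ldap idmap suffix = "ou=Idmap"
        idmap config * : range = 5000000-6000000
        idmap config * : backend = tdb
        idmap config MYDOMAIN : range = 10000-4000000
        idmap config MYDOMAIN : backend = ldap
        idmap config MYDOMAIN : ldap_base_dn = dc=unixdomain,dc=domain,dc=com'

# conf_value CONF KEY -> value of the first "KEY = value" line (empty if unset). Keys are
# compared case-insensitively with whitespace around ":" normalised, as smb.conf allows.
conf_value() {
    printf '%s\n' "$1" | awk -v key="$2" '
        { eq = index($0, "="); if (eq == 0) next
          k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
          gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
          gsub(/[ \t]*:[ \t]*/, " : ", k); gsub(/[ \t]+/, " ", k)
          if (tolower(k) == tolower(key)) { print v; exit } }'
}
# idmap_param CONF DOMAIN KEY -> value of "idmap config DOMAIN : KEY" (empty if unset)
idmap_param() {
    conf_value "$1" "idmap config $2 : $3"
}

# range_overlaps LO1-HI1 LO2-HI2 -> true when the two id ranges share at least one id
range_overlaps() {
    [ -n "$1" ] && [ -n "$2" ] || return 1
    lo1=${1%-*}; hi1=${1#*-}; lo2=${2%-*}; hi2=${2#*-}
    [ "$lo1" -le "$hi2" ] && [ "$lo2" -le "$hi1" ]
}

# idmap_problems CONF DOMAIN -> prints one line per finding; exit status 1 if any were found
idmap_problems() {
    n=0
    if range_overlaps "$(idmap_param "$1" '*' range)" "$(idmap_param "$1" "$2" range)"; then
        echo "range of $2 overlaps the * default range"; n=$((n + 1))
    fi
    if [ "$(idmap_param "$1" "$2" backend)" = ldap ] &&
       [ "$(idmap_param "$1" "$2" ldap_base_dn)" = "$(conf_value "$1" 'ldap suffix')" ]; then
        echo "ldap_base_dn of $2 is the bare ldap suffix: mappings land at the directory root"
        n=$((n + 1))
    fi
    [ "$n" -eq 0 ]
}
idmap_problems "$SMBCONF_SAMPLE" MYDOMAIN || echo "(fix the findings above, then rerun)"
```

Pointing ldap_base_dn at the idmap OU (for example ou=Idmap,dc=unixdomain,dc=domain,dc=com) makes the checker pass; whether that alone resolves the WBC_ERR_DOMAIN_NOT_FOUND errors is a separate question the post does not settle.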

