[Samba] IDMAP behaviour
Pablo Suarez
pb.suarez42 at gmail.com
Fri Oct 29 18:18:10 UTC 2021
Hi,
I'm asking for help to understand idmap behaviour. First of all, let me
explain what I'm trying to do.
I'm working at a company with an Active Directory (running on a
Microsoft Windows 2012 R2 server) and an OpenLDAP (running on an Ubuntu 20
server) for Linux users. Currently, users have the same account name
(Linux login = sAMAccountName).
The goal of my project is to set up a Samba server (running on Red Hat 7.9)
for both Windows and Linux users. Of course, I want Linux and Windows users
to be able to authenticate with their AD credentials on Samba shares, and
to manage permissions with an intelligent uid/SID mapping. Share access
control will be done by checking Linux group (OpenLDAP) membership, because
the OpenLDAP groups are not present in Active Directory: I'm not an
administrator of the AD, whereas I am on the OpenLDAP server. The
file system security part will be performed with ACLs.
After reading a lot of documentation and various articles (I'm new to
Samba), I'm not sure I understand it correctly. Here is what I did:
- Set up a working OpenLDAP with the Samba schema for Linux users.
- Set up pass-through OpenLDAP authentication with SASL against Active
Directory. This part is working.
- Set up a Samba server (version 4.10) as an AD domain member (security
= ads), joined the AD domain (MYDOMAIN.DOMAIN.COM) with the realm command,
and used the ldap idmap backend with winbind.
Here is what is going on:
- using "getent passwd linux_user" works well
- using "getent passwd DOMAIN\\ad_user" works well
- using "wbinfo -u" works well (all users are correctly listed)
- using "wbinfo -g" works well (all groups are correctly listed)
- the ldap idmap backend does not populate my OpenLDAP server correctly. In
fact, it's writing directly into the domain's root DN instead of ou=Idmap
- using "wbinfo -D DOMAIN -i ad_user" works partially: it retrieves the SID
but then I get the following error:
failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
Could not get info for user ad_user
- using "wbinfo -D DOMAIN -S AD_USER_SID" does not work, I get the
following error:
failed to call wbcSidToUid: WBC_ERR_DOMAIN_NOT_FOUND
Could not convert sid AD_USER_SID to uid
- idmap with winbind doesn't seem to work properly; I thought it was
intended to act as a user mapping and assign an AD user the same uid as
the matching OpenLDAP user. I'm starting to think I didn't understand the
behaviour of user mapping correctly.
- From a Windows client, I can't access a simple test share, whereas the
permissions are set correctly in both smb.conf (the "valid users" option)
and on the file system (chown DOMAIN\ad_user /path/share)
You will find my smb.conf file below:
[global]
security = ads
workgroup = MYDOMAIN
realm = MYDOMAIN.DOMAIN.COM
encrypt passwords = true
interfaces = IP.ADD.RR.ESS
bind interfaces only = Yes
netbios name = SAMBA-NETBIOS-NAME
load printers = no
passdb backend = ldapsam:ldap://my-ldap.mydomain.domain.com
ldap suffix = dc=unixdomain,dc=domain,dc=com
ldap user suffix = ou=People
ldap group suffix = ou=Group
ldap machine suffix = ou=Hosts
ldap admin dn = cn=admin,dc=unixdomain,dc=domain,dc=com
ldap idmap suffix = "ou=Idmap"
# or off if TLS/SSL is not configured
#ldap ssl = start tls
ldap ssl = off
ldap passwd sync = yes
Unix Charset = UTF8
kerberos method = secrets and keytab
template homedir = /home/%U
template shell = /bin/bash
username map = /etc/samba/users.map
idmap config * : range = 5000000-6000000
idmap config * : backend = tdb
idmap config MYDOMAIN : range = 10000-4000000
idmap config MYDOMAIN : backend = ldap
idmap config MYDOMAIN : ldap_url = ldap://my-ldap.mydomain.domain.com
idmap config MYDOMAIN : ldap_base_dn = dc=unixdomain,dc=domain,dc=com
idmap config MYDOMAIN : ldap_user_dn = cn=admin,dc=unixdomain,dc=domain,dc=com
idmap config MYDOMAIN : idmap suffix = "ou=Idmap"
idmap config MYDOMAIN : default = yes
winbind use default domain = yes
winbind refresh tickets = yes
winbind offline logon = yes
winbind enum groups = no
winbind expand groups = 1
winbind enum users = no
log level = 10
log file = /var/log/samba/log.%m
[test]
comment = test
path = /path/share
valid users = DOMAIN\user
browseable = Yes
read only = No
inherit permissions = Yes
inherit acls = Yes
[another_share]
comment = another share
browsable = Yes
read only = No
valid users = @unix_group
path = /path/anothershare
inherit permissions = Yes
inherit acls = Yes
force group = @unix_group
force directory mode = 2771
force create mode = 0771
I'm a little confused by all the configuration, and I'm sure I'm doing
something wrong. I'm even starting to think that what I want to do is not
possible... Anyway, I'm losing my hair trying to get it working.
Any help would be appreciated!
Best regards.
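The following check is added here as an example; it is not the poster's code and not part of Samba. It parses the idmap section of an smb.conf and flags the mistakes that line up with the symptoms reported above: an ldap_base_dn that equals the directory root (so sambaIdmapEntry objects land in the root DN rather than under ou=Idmap), keys that idmap_ldap(8) does not define and therefore never reads, overlapping or malformed ranges, a missing "*" domain, and a simple-bind credential sent over plain ldap:// with "ldap ssl = off". The sample configuration inside is constructed from the posted smb.conf using the post's placeholder hostnames and DNs; the corrected variant beside it is the assumed fix, not something taken from the thread.

```python
"""Lint the idmap settings of an smb.conf (added example, not Samba code)."""
import re
from typing import Dict, List, Optional, Tuple

# Constructed from the posted smb.conf; names are the post's placeholders.
SAMPLE_SMB_CONF = """
[global]
security = ads
workgroup = MYDOMAIN
realm = MYDOMAIN.DOMAIN.COM
ldap suffix = dc=unixdomain,dc=domain,dc=com
ldap admin dn = cn=admin,dc=unixdomain,dc=domain,dc=com
ldap idmap suffix = "ou=Idmap"
ldap ssl = off
idmap config * : range = 5000000-6000000
idmap config * : backend = tdb
idmap config MYDOMAIN : range = 10000-4000000
idmap config MYDOMAIN : backend = ldap
idmap config MYDOMAIN : ldap_url = ldap://my-ldap.mydomain.domain.com
idmap config MYDOMAIN : ldap_base_dn = dc=unixdomain,dc=domain,dc=com
idmap config MYDOMAIN : ldap_user_dn = cn=admin,dc=unixdomain,dc=domain,dc=com
idmap config MYDOMAIN : idmap suffix = "ou=Idmap"
idmap config MYDOMAIN : default = yes
[test]
path = /path/share
"""

# Assumed fix: base DN points at the idmap OU, undocumented keys dropped,
# and the bind to the directory protected with STARTTLS.
CORRECTED_SMB_CONF = """
[global]
security = ads
workgroup = MYDOMAIN
realm = MYDOMAIN.DOMAIN.COM
ldap suffix = dc=unixdomain,dc=domain,dc=com
ldap admin dn = cn=admin,dc=unixdomain,dc=domain,dc=com
ldap idmap suffix = ou=Idmap
ldap ssl = start tls
idmap config * : backend = tdb
idmap config * : range = 5000000-6000000
idmap config MYDOMAIN : backend = ldap
idmap config MYDOMAIN : range = 10000-4000000
idmap config MYDOMAIN : ldap_url = ldap://my-ldap.mydomain.domain.com
idmap config MYDOMAIN : ldap_base_dn = ou=Idmap,dc=unixdomain,dc=domain,dc=com
idmap config MYDOMAIN : ldap_user_dn = cn=admin,dc=unixdomain,dc=domain,dc=com
"""

# Options documented in idmap_ldap(8); other keys under an ldap-backed
# domain are simply never read by the backend.
IDMAP_LDAP_OPTIONS = {"backend", "range", "ldap_url", "ldap_base_dn", "ldap_user_dn"}


def parse_smb_conf(text: str) -> Tuple[Dict[str, str], Dict[str, Dict[str, str]]]:
    """Return ([global] options, idmap options per domain).

    Global keys are lower-cased with whitespace collapsed; domain names are
    upper-cased ("*" stays "*"); values are kept verbatim.
    """
    globals_: Dict[str, str] = {}
    idmap: Dict[str, Dict[str, str]] = {}
    section: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "global" or "=" not in line:
            continue
        key, value = (s.strip() for s in line.split("=", 1))
        m = re.match(r"idmap\s+config\s+(\S+)\s*:\s*(.+)$", key, re.I)
        if m:
            option = re.sub(r"\s+", " ", m.group(2).lower())
            idmap.setdefault(m.group(1).upper(), {})[option] = value
        else:
            globals_[re.sub(r"\s+", " ", key.lower())] = value
    return globals_, idmap


def parse_range(value: str) -> Optional[Tuple[int, int]]:
    """'LOW-HIGH' with LOW < HIGH, else None."""
    m = re.fullmatch(r"\s*(\d+)\s*-\s*(\d+)\s*", value)
    if not m:
        return None
    lo, hi = int(m.group(1)), int(m.group(2))
    return (lo, hi) if lo < hi else None


def normalize_dn(dn: str) -> str:
    return re.sub(r"\s*,\s*", ",", dn.strip().strip('"')).lower()


def lint_idmap(text: str) -> List[str]:
    """Return findings as 'CODE: message' strings; an empty list means clean."""
    globals_, idmap = parse_smb_conf(text)
    findings: List[str] = []
    ranges: Dict[str, Tuple[int, int]] = {}
    if "*" not in idmap:
        findings.append("NO_DEFAULT_DOMAIN: 'idmap config * : backend' and 'range' are required")
    for domain, opts in idmap.items():
        backend = opts.get("backend")
        if backend is None:
            findings.append(f"NO_BACKEND: idmap config {domain} has no backend")
        rng = parse_range(opts.get("range", ""))
        if rng is None:
            findings.append(f"BAD_RANGE: idmap config {domain} needs 'range = LOW-HIGH' with LOW < HIGH")
        else:
            ranges[domain] = rng
        if backend != "ldap":
            continue
        for opt in sorted(set(opts) - IDMAP_LDAP_OPTIONS):
            findings.append(f"UNKNOWN_OPTION: idmap config {domain} : {opt} is not an idmap_ldap option and is never read")
        suffix = globals_.get("ldap suffix", "")
        base_dn = opts.get("ldap_base_dn")
        if base_dn is not None and normalize_dn(base_dn) == normalize_dn(suffix):
            findings.append(f"BASE_DN_IS_ROOT: idmap config {domain} : ldap_base_dn equals 'ldap suffix', so mappings are written to the directory root; use ou=Idmap,{suffix}")
        url = opts.get("ldap_url", "").lower()
        ssl = globals_.get("ldap ssl", "start tls").lower()  # Samba's default is start tls
        if "ldap_user_dn" in opts and not url.startswith("ldaps://") and ssl != "start tls":
            findings.append(f"CLEARTEXT_BIND: idmap config {domain} binds as ldap_user_dn over plain ldap:// with 'ldap ssl = off'")
    ordered = sorted(ranges.items(), key=lambda kv: kv[1])
    for (d1, (lo1, hi1)), (d2, (lo2, hi2)) in zip(ordered, ordered[1:]):
        if lo2 <= hi1:
            findings.append(f"RANGE_OVERLAP: {d1} {lo1}-{hi1} overlaps {d2} {lo2}-{hi2}")
    return findings


if __name__ == "__main__":
    for label, conf in (("posted", SAMPLE_SMB_CONF), ("corrected", CORRECTED_SMB_CONF)):
        print(f"== {label} ==")
        for finding in lint_idmap(conf) or ["clean"]:
            print(" ", finding)
```

Run it against the output of "testparm -s" rather than the raw file when in doubt about how Samba parsed a value. Two things the lint cannot fix for you: idmap_ldap is an allocating backend, so it hands each new SID the next free id from its pool under ldap_base_dn and never looks up the uidNumber of an existing OpenLDAP account with the same name; and the "*" range must stay disjoint from every domain range, which the posted values already satisfy.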