[Samba] IDMAP behaviour

Rowland Penny rpenny at samba.org
Fri Oct 29 18:30:46 UTC 2021


On Fri, 2021-10-29 at 20:18 +0200, Pablo Suarez via samba wrote:
> Hi,
> 
> I'm asking for help to understand idmap behaviour. First of all, let me
> explain what I'm trying to do.
> 
> I'm working in a company with an Active Directory (running on a Microsoft
> Windows 2012 R2 server) and an OpenLdap (running on an Ubuntu 20 server) for
> Linux users. Actually, users have the same account name (linux login =
> sAMAccountName). The goal of my project is to set up a Samba server (running
> on Redhat 7.9) for both Windows and Linux users. Of course, I want Linux and
> Windows users to be able to authenticate using their AD credentials on Samba
> shares, and to manage permissions with an intelligent uid/SID mapping. The
> security of share access will be done by checking the Linux group (OpenLdap)
> membership, because OpenLdap groups are not present in the Active Directory.
> That's because I'm not administrator of the AD whereas I am on the OpenLdap
> server. The file system security part will be performed with ACLs.
> 
> After reading a lot of documentation and different articles (I'm new to
> Samba), I'm not sure I understand it correctly. Here is what I did:
> 
>  - Setting up a working OpenLdap with the samba schema for Linux users.
>  - Setting up passthrough OpenLdap authentication with SASL against Active
>    Directory. This part is working.
>  - Setting up a Samba server (version 4.10) as an AD domain member (security
>    = ads), joining the AD domain (MYDOMAIN.DOMAIN.COM) with the realm
>    command, and using the ldap idmap backend with winbind.
> 
> Here is what is going on:
> 
>  - using "getent passwd linux_user" works well
>  - using "getent passwd DOMAIN\\ad_user" works well
>  - using "wbinfo -u" works well (all users are correctly listed)
>  - using "wbinfo -g" works well (all groups are correctly listed)
>  - the ldap idmap backend does not populate my OpenLdap server correctly. In
>    fact, it's writing directly into the domain's root dn instead of the
>    ou=Idmap
>  - using "wbinfo -D DOMAIN -i ad_user" works partially, it retrieves the SID
>    but after that I get the following error:
>      failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
>      Could not get info for user ad_user
>  - using "wbinfo -D DOMAIN -S AD_USER_SID" does not work, I get the following
>    error:
>      failed to call wbcSidToUid: WBC_ERR_DOMAIN_NOT_FOUND
>      Could not convert sid AD_USER_SID to uid
>  - idmap with winbind doesn't seem to work properly, I thought it was intended
>    to act as a user mapping and assign the same uid for an AD user as for an
>    OpenLdap user. I'm starting to think I didn't understand the behaviour of
>    user mapping right.
>  - From a Windows share, I can't access a simple test share whereas the
>    permission is set correctly both in smb.conf ("valid user" option) and in
>    the file system permissions (chown DOMAIN\ad_user /path/share)
> 
> You will find below my smb.conf file :
> 
> [global]
>         security = ads
>         workgroup = MYDOMAIN
>         realm = MYDOMAIN.DOMAIN.COM
>         encrypt passwords = true
>         interfaces = IP.ADD.RR.ESS
>         bind interfaces only = Yes
>         netbios name = SAMBA-NETBIOS-NAME
>         load printers = no
> 
>         passdb backend = ldapsam:ldap://my-ldap.mydomain.domain.com
>         ldap suffix = dc=unixdomain,dc=domain,dc=com
>         ldap user suffix = ou=People
>         ldap group suffix = ou=Group
>         ldap machine suffix = ou=Hosts
>         ldap admin dn = cn=admin,dc=unixdomain,dc=domain,dc=com
>         ldap idmap suffix = "ou=Idmap"
>         # or off if TLS/SSL is not configured
>         #ldap ssl = start tls
>         ldap ssl = off
>         ldap passwd sync = yes
> 
>         Unix Charset = UTF8
> 
>         kerberos method = secrets and keytab
>         template homedir = /home/%U
>         template shell = /bin/bash
>         username map = /etc/samba/users.map
>         idmap config * : range = 5000000-6000000
>         idmap config * : backend = tdb
>         idmap config MYDOMAIN : range = 10000-4000000
>         idmap config MYDOMAIN : backend = ldap
>         idmap config MYDOMAIN : ldap_url = ldap://my-ldap.mydomain.domain.com
>         idmap config MYDOMAIN : ldap_base_dn = dc=unixdomain,dc=domain,dc=com
>         idmap config MYDOMAIN : ldap_user_dn = cn=admin,dc=unixdomain,dc=domain,dc=com
>         idmap config MYDOMAIN : idmap suffix = "ou=Idmap"
>         idmap config MYDOMAIN : default = yes
>         winbind use default domain = yes
>         winbind refresh tickets = yes
>         winbind offline logon = yes
>         winbind enum groups = no
>         winbind expand groups = 1
>         winbind enum users = no
>         log level = 10
>         log file = /var/log/samba/log.%m
> 
> [test]
>         comment = test
>         path = /path/share
>         valid users = DOMAIN\user
>         browseable = Yes
>         read only = No
>         inherit permissions = Yes
>         inherit acls = Yes
> 
> [another_share]
>         comment = another share
>         browsable = Yes
>         read only = No
>         valid users = @unix_group
>         path = /path/anothershare
>         inherit permissions = Yes
>         inherit acls = Yes
>         force group = @unix_group
>         force directory mode = 2771
>         force create mode = 0771
> 
> I'm a little confused about all the configuration, and I'm sure I'm doing
> something wrong. I'm even thinking that what I want to do is not
> possible... Anyway, I'm losing my hair trying to get it working.
> 
> Any help would be appreciated!
> 

Before we get deep into this, what do you actually use the openldap
server for?

Rowland
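As an added example (written for this page, not code from either poster or from the Samba project), a small Python checker for the "idmap config" part of an smb.conf like the one quoted above: it verifies that every domain has a backend and a well-formed range, that the ranges of different domains do not overlap, that the "*" default domain is configured, and that an ldap backend carries the ldap_url, ldap_base_dn and ldap_user_dn parameters it reads. The sample config is constructed from the quoted idmap lines.

```python
import re

# Constructed sample, modelled on the idmap lines of the smb.conf quoted above
SAMPLE_SMB_CONF = """
[global]
        idmap config * : range = 5000000-6000000
        idmap config * : backend = tdb
        idmap config MYDOMAIN : range = 10000-4000000
        idmap config MYDOMAIN : backend = ldap
        idmap config MYDOMAIN : ldap_url = ldap://my-ldap.mydomain.domain.com
        idmap config MYDOMAIN : ldap_base_dn = dc=unixdomain,dc=domain,dc=com
        idmap config MYDOMAIN : ldap_user_dn = cn=admin,dc=unixdomain,dc=domain,dc=com
"""

# Matches "idmap config <domain> : <key> = <value>"; smb.conf keys are case-insensitive
IDMAP_RE = re.compile(r"^\s*idmap\s+config\s+(\S+)\s*:\s*(\S+)\s*=\s*(.*?)\s*$", re.I)
LDAP_REQUIRED = ("ldap_url", "ldap_base_dn", "ldap_user_dn")  # parameters of idmap_ldap

def parse_idmap(text):
    """Return {domain: {key: value}} for every 'idmap config' line in smb.conf text."""
    cfg = {}
    for line in text.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            dom, key, val = m.groups()
            cfg.setdefault(dom, {})[key.lower()] = val.strip('"')
    return cfg

def check_idmap(cfg):
    """Return a list of problems; an empty list means the idmap settings are consistent."""
    problems, ranges = [], {}
    if "range" not in cfg.get("*", {}):
        problems.append("default domain '*' needs a backend and a range (BUILTIN and well-known SIDs map there)")
    for dom, opts in cfg.items():
        if "backend" not in opts:
            problems.append(f"{dom}: no backend set")
        m = re.fullmatch(r"(\d+)\s*-\s*(\d+)", opts.get("range", ""))
        if not m:
            problems.append(f"{dom}: missing or malformed range")
            continue
        ranges[dom] = (int(m.group(1)), int(m.group(2)))
        if opts.get("backend", "").lower() == "ldap":
            problems += [f"{dom}: ldap backend needs {k}" for k in LDAP_REQUIRED if k not in opts]
    # Ranges of different domains must be disjoint, or winbind cannot map an ID back to one SID
    doms = sorted(ranges, key=ranges.get)
    for a, b in zip(doms, doms[1:]):
        if ranges[a][1] >= ranges[b][0]:
            problems.append(f"ranges of {a} and {b} overlap: {ranges[a]} vs {ranges[b]}")
    return problems
```

Run check_idmap(parse_idmap(open("/etc/samba/smb.conf").read())) on a real file; an empty list means the ranges and backends are at least internally consistent, which is the first thing to rule out before chasing WBC_ERR_DOMAIN_NOT_FOUND further.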