[Samba] Problem idmap_ad
Rowland Penny
rpenny at samba.org
Wed Dec 14 10:51:11 UTC 2022
On 14/12/2022 10:26, Balke IT via samba wrote:
>> Let's see if I have got this correct:
>
>> Your computer is joined to an AD domain.
>> You have users in AD with uidNumber attributes.
>> Domain Users has a gidNumber attribute.
>> All these '*idNumber' attributes hold numbers inside the '1001-116999'
>> range.
>
>> Is all that correct?
>
>> Can you also post your entire smb.conf?
>
>> Rowland
>
> Yes, all these are correct including the "Domain Users" which has the gid of 100 which points to the local "users" group.

That could be part of your problem.

If you use the 'ad' idmap backend on a Unix domain member, all uidNumber
and gidNumber attributes must contain a number inside the DOMAIN range
you set in smb.conf (in your case 1001-116999) and '100' isn't inside
your range. What could be happening here is, the users that are having
problems do not have a gidNumber attribute. They are falling back to the
primary group 'Domain Users', which, for all intents and purposes, does
not have a valid gidNumber. This means that, to the 'DOMAIN' domain,
they do not exist, so they are mapped to the default '*' domain and are
denied access.

Can you please reply to this post, rather than posting a new post, which
is what you appear to be doing; this breaks threads.

Rowland
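
The range check described in the reply above, as an added example that is not part of the original post or of Samba itself. The smb.conf fragment, the '*' range, the user names and the dictionary layout are constructed for illustration; only the DOMAIN range 1001-116999 and the 'Domain Users' gidNumber of 100 come from the thread, and the fallback to 'Domain Users' follows the behaviour the reply describes.

```python
import re

# Constructed smb.conf fragment; only the DOMAIN range comes from the thread.
SMB_CONF = """
[global]
    security = ads
    idmap config * : backend = tdb
    idmap config * : range = 200000-299999
    idmap config DOMAIN : backend = ad
    idmap config DOMAIN : range = 1001-116999
"""

# Constructed directory entries; None means the attribute is not set in AD.
GROUPS = {"Domain Users": {"gidNumber": 100}}
USERS = {
    "alice": {"uidNumber": 10001, "gidNumber": 10000},
    "bob": {"uidNumber": 10002, "gidNumber": None},
    "carol": {"uidNumber": 500, "gidNumber": 10000},
}

def idmap_ranges(conf):
    """Return {domain: (low, high)} from 'idmap config X : range = a-b' lines."""
    pat = re.compile(
        r"^\s*idmap config\s+(\S+)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)\s*$",
        re.I | re.M)
    return {m[1]: (int(m[2]), int(m[3])) for m in pat.finditer(conf)}

def check_user(user, groups, rng, fallback_group="Domain Users"):
    """List the reasons a user's IDs fall outside the domain's idmap range."""
    low, high = rng
    problems = []
    uid = user.get("uidNumber")
    if uid is None or not low <= uid <= high:
        problems.append(f"uidNumber {uid} outside {low}-{high}")
    gid, source = user.get("gidNumber"), "own gidNumber"
    if gid is None:  # fallback to the primary group, as described in the reply
        gid = groups.get(fallback_group, {}).get("gidNumber")
        source = f"gidNumber of '{fallback_group}'"
    if gid is None or not low <= gid <= high:
        problems.append(f"{source} {gid} outside {low}-{high}")
    return problems

def audit(conf=SMB_CONF, domain="DOMAIN"):
    """Map each sample user to a list of problems (empty list means OK)."""
    rng = idmap_ranges(conf)[domain]
    return {name: check_user(u, GROUPS, rng) for name, u in USERS.items()}

if __name__ == "__main__":
    for name, problems in audit().items():
        print(name, "OK" if not problems else "; ".join(problems))
```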