[Samba] Problem with AD & idmap

Lars Schimmer l.schimmer at cgv.tugraz.at
Wed Mar 2 12:31:08 UTC 2022


After cleaning up a domain (removing old computers and users from the AD),
removing SMBv1 from the Win2016 servers and getting a new krbtgt key
(with the MS-provided PS script), our Samba AD bind is somewhat broken.

In short:
Using Windows Server 2016 (2 AD servers) for one domain, Debian bullseye as
clients (samba version 4.13.13+dfsg-1~deb11u3) and an smb.conf like:

  idmap config * : backend = tdb
  idmap config * : range = 99000000-99999999
  #idmap config for the XYZ domain
  idmap config XYZ:backend = ad
  #idmap config XYZ:schema_mode = template
  idmap config XYZ:schema_mode = rfc2307
  idmap config XYZ:range = 100-98999999
  idmap config XYZ:unix_primary_group = yes
  idmap config XYZ:unix_nss_info = yes

It worked until we cleaned up the domain.
Now we are missing the users.
With wbinfo -u / -g we do see all users and groups.
With getent group it shows the groups with a gid added, including Domain
With getent passwd it shows the local users and ONLY the members of the
Administrators group, no other user.

(removing the line idmap config XYZ:range = 100-98999999 shows more users,
but not all)

All users should be in the uidNumber range 1000-9999 (not all Domain
Users have a uidNumber, but the tested ones do, as they
show up in wbinfo -u).

wbinfo -u does show user schimmer.

While trying to resolve the user, we get errors:
wbinfo -i schimmer
failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
Could not get info for user schimmer

wbinfo -n schimmer

S-1-5-21-606634686-2143625475-3072335171-1502 SID_USER (1)

wbinfo -S S-1-5-21-606634686-2143625475-3072335171-1502
failed to call wbcSidToUid: WBC_ERR_DOMAIN_NOT_FOUND
Could not convert sid S-1-5-21-606634686-2143625475-3072335171-1502 to uid

Logfile tells me:
idmap_ad_sids_to_unixids: No xid in CN=Lars Schimmer,DC=cgv,DC=tugraz,DC=at

So, what is the xid here which is missing?

And why does it show the members of the Administrators group and not all
users, which are all (even the administrators) in the Domain Users group?

Does anyone have a tip on how to go on to fix this?

Thank you.

Lars Schimmer
TU Graz, Institut für ComputerGraphik & WissensVisualisierung
Tel: +43 316 873-5405       E-Mail: l.schimmer at cgv.tugraz.at
Fax: +43 316 873-5402       PGP-Key-ID: 0x4A9B1723
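The post's symptom (wbinfo -n resolves the SID, but wbinfo -i / wbinfo -S fail and the log says "No xid in CN=...") is what idmap_ad produces when the object lacks the RFC2307 attribute it needs, or when the attribute's value lies outside the configured idmap range. The script below is an added example, not code from the original post or from the Samba project. It applies the same acceptance rules offline to constructed sample objects so you can see which users would and would not get a uid/gid under the posted "idmap config XYZ" settings. Assumptions: the idmap settings are supplied as a plain dict (the smb.conf parsing is not shown); the user and group records are invented sample data shaped like the AD attributes idmap_ad reads; the treatment of unix_primary_group follows the idmap_ad(8) man page (yes: gid from the user's own gidNumber; no: gid from the group named by primaryGroupID). It goes slightly beyond the post by checking both unix_primary_group modes.

```python
#!/usr/bin/env python3
"""Offline pre-check of which AD users idmap_ad (schema_mode = rfc2307) can map.

Added example; not part of the original post or of Samba. All records below
are constructed sample data, not output from a real directory.
"""

# Assumed: the "idmap config XYZ:*" lines from the post, already parsed into a
# dict (keys without the "idmap config XYZ:" prefix).
IDMAP_CFG = {
    "backend": "ad",
    "schema_mode": "rfc2307",
    "range": "100-98999999",
    "unix_primary_group": "yes",
    "unix_nss_info": "yes",
}

# Constructed sample users. None means the attribute is absent on the object.
SAMPLE_USERS = {
    "alice": {"uidNumber": 1001, "gidNumber": 1000, "primaryGroupID": 513,
              "loginShell": "/bin/bash", "unixHomeDirectory": "/home/alice"},
    "bob":   {"uidNumber": None, "gidNumber": 1000, "primaryGroupID": 513,
              "loginShell": None, "unixHomeDirectory": None},
    "carol": {"uidNumber": 99000123, "gidNumber": 1000, "primaryGroupID": 513,
              "loginShell": "/bin/bash", "unixHomeDirectory": "/home/carol"},
    "dave":  {"uidNumber": 1004, "gidNumber": None, "primaryGroupID": 513,
              "loginShell": "/bin/bash", "unixHomeDirectory": "/home/dave"},
}

# Constructed sample groups keyed by RID (513 is the well-known Domain Users RID).
SAMPLE_GROUPS = {
    513: {"name": "Domain Users", "gidNumber": 1000},
    1100: {"name": "nogid", "gidNumber": None},
}


def parse_range(spec):
    """Turn 'LOW-HIGH' from an idmap range setting into an (int, int) tuple."""
    low, high = (int(part.strip()) for part in spec.split("-", 1))
    if low > high:
        raise ValueError(f"idmap range has low > high: {spec}")
    return low, high


def in_range(value, rng):
    return rng[0] <= value <= rng[1]


def classify(attrs, cfg, groups):
    """Return 'ok', or the first reason idmap_ad would refuse to hand out an ID."""
    rng = parse_range(cfg["range"])
    uid = attrs.get("uidNumber")
    if uid is None:
        # This is the case behind "idmap_ad_sids_to_unixids: No xid in <DN>".
        return "no uidNumber (the 'No xid' case)"
    if not in_range(uid, rng):
        return f"uidNumber {uid} outside idmap range {rng[0]}-{rng[1]}"
    if cfg.get("unix_primary_group", "no").lower() == "yes":
        gid = attrs.get("gidNumber")
        if gid is None:
            return "no gidNumber (required because unix_primary_group = yes)"
    else:
        group = groups.get(attrs.get("primaryGroupID"))
        gid = group["gidNumber"] if group else None
        if gid is None:
            return "primary group (primaryGroupID) has no gidNumber"
    if not in_range(gid, rng):
        return f"gidNumber {gid} outside idmap range {rng[0]}-{rng[1]}"
    return "ok"


def nss_gaps(attrs, cfg):
    """With unix_nss_info = yes, list the NSS attributes the object is missing."""
    if cfg.get("unix_nss_info", "no").lower() != "yes":
        return []
    return [name for name in ("loginShell", "unixHomeDirectory")
            if attrs.get(name) is None]


def report(users, groups, cfg):
    """Map each sample user name to its classify() verdict."""
    return {name: classify(attrs, cfg, groups) for name, attrs in users.items()}


if __name__ == "__main__":
    for name, verdict in report(SAMPLE_USERS, SAMPLE_GROUPS, IDMAP_CFG).items():
        gaps = nss_gaps(SAMPLE_USERS[name], IDMAP_CFG)
        extra = f"  (missing NSS attrs: {', '.join(gaps)})" if gaps else ""
        print(f"{name:8s} {verdict}{extra}")
```

Running it prints one verdict per sample user; "bob" reproduces the "No xid" situation from the log line in the post, "carol" shows a uidNumber that exists but sits outside the configured range, and "dave" is rejected only because unix_primary_group = yes makes the user's own gidNumber mandatory. To use it against a real domain, replace the constructed records with the uidNumber/gidNumber/primaryGroupID values read from the directory for the users that fail wbinfo -i.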
