[Samba] Problem with AD & idmap

Lars Schimmer l.schimmer at cgv.tugraz.at
Wed Mar 2 13:24:03 UTC 2022

On 02/03/2022 14:11, Rowland Penny via samba wrote:
> On Wed, 2022-03-02 at 13:31 +0100, Lars Schimmer via samba wrote:
>> Hi
>> After cleaning up a domain (remove old Computer and users from the
>> AD),
>> removing smbV1 from the Win2016 servers and getting a new krbtgtkey
>> (with the ms provided PS script), our samba AD bind is somewhat
>> broken.
> Have you tried leaving the domain and then re-joining ?

I did set up a new Debian bullseye system to test different configs.
And just did leave/reboot/join/reboot the domain.

>>   idmap config * : backend = tdb
>>   idmap config * : range = 99000000-99999999
>>   #idmap config for the XYZ domain
>>   idmap config XYZ:backend = ad
>>   #idmap config XYZ:schema_mode = template
>>   idmap config XYZ:schema_mode = rfc2307
>>   idmap config XYZ:range = 100-98999999
> If the uidNumbers in AD start at '1000', then the low range for 'XYZ'
> should start at '1000'

Ok, but lower should not harm, or?

>> It worked until we did cleanup the domain.
>> Now we miss the users.
>> With wbinfo -u /-g we do see all users and groups.
> wbinfo just shows that the users exist in AD, it doesn't mean that
> winbind will find them and pass this info to the OS.

Ok, thx.

>> With getent group it shows the groups with a gid added, including
>> Domain
>> Users.
>> With getent passwd it shows the local users and ONLY the members of
>> the
>> Administrator group, no other user.
>> (removing the  idmap config XYZ:range = 100-98999999 shows more
>> users,
>> but not all)
> Don't do that, it puts everything into the default domain and they do
> not belong there.

Right. That was just a test. Also the RID idmap backend does work for
all users, but it does not have stable uids over all linux systems :-/

>> All users should be in the uidnumber 1000-9999 range (not all Domain
>> users do have the uidnumber, but the tested ones do have, as they do
>> show up in wbinfo -u).
> Any users that do not have a uidNumber will be ignored.

Good, that was my assumption, but good to have it verified.

>> wbinfo -u does show user schimmer.
>> While trying to resolve the user, we get errors:
>> wbinfo -i schimmer
>> failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
>> Could not get info for user schimmer
>> wbinfo -n schimmer
>> S-1-5-21-606634686-2143625475-3072335171-1502 SID_USER (1)
>> wbinfo -S S-1-5-21-606634686-2143625475-3072335171-1502
>> failed to call wbcSidToUid: WBC_ERR_DOMAIN_NOT_FOUND
>> Could not convert sid S-1-5-21-606634686-2143625475-3072335171-1502
>> to uid
>> Logfile tells me:
>> idmap_ad_sids_to_unixids: No xid in CN=Lars
>> Schimmer,DC=cgv,DC=tugraz,DC=at
>> So, what's the xid here, which is missing?
>> And why does it show the members of the administrator group and not
>> all
>> users, which are all (even the administrators) in the Domain Users
>> group?
>> Anyone have a tip on how to go on to fix this?
> Try re-joining and if this fails, please post your entire smb.conf.

Ok, here it is, basic, simple, did work until cleanup:

   security = ADS
   workgroup = CGV
   realm = CGV.TUGRAZ.AT
   dns proxy = no

   bind interfaces only = yes
   interfaces = lo

   # Default idmap config for local BUILTIN accounts and groups
   # Mandatory, but hopefully not used, because the ids must not overlap
   idmap config * : backend = tdb
   idmap config * : range = 990000-999999

   # idmap config for the CGV domain
   idmap config CGV:backend = ad
   # NOTE: idmap_ad only recognises the schema_mode values rfc2307, sfu and
   # sfu20; "template" is a value of the separate "winbind nss info"
   # parameter (the config quoted earlier in this thread used rfc2307 here)
   idmap config CGV:schema_mode = template
   idmap config CGV:range = 1000-989999

   winbind nss info = template
   template shell = /bin/zsh
   template homedir = /home/%U

   winbind enum users = yes
   winbind enum groups = yes
   winbind use default domain = yes

   map to guest = bad user

Also just did a test on members:

members "Domain Users"
Admin1 Admin2 Admin3

and no one else. Although we got >50 accounts in that group, not all
with gid.

Thank you.

> Rowland

Lars Schimmer
TU Graz, Institut für ComputerGraphik & WissensVisualisierung
Tel: +43 316 873-5405       E-Mail: l.schimmer at cgv.tugraz.at
Fax: +43 316 873-5402       PGP-Key-ID: 0x4A9B1723
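An added example (not code from this thread or from Samba) that applies the two rules stated above to a directory export: idmap_ad ignores any user without a uidNumber, and only maps IDs that fall inside the domain's configured range. It parses the idmap lines of an smb.conf, checks that the `*` range and the domain range do not overlap, and sorts a constructed set of users into mapped / no uidNumber / out of range. The extra check that the user's primary group has an in-range gidNumber is an assumption about what winbind needs to build a complete passwd entry, as are all user, group and ID values in the sample data; the sample config uses `schema_mode = rfc2307` (the value from the earlier config in this thread), although the example does not parse that line.

```python
"""Audit AD users against the idmap_ad ranges in an smb.conf.

Constructed example, not code from this mailing-list thread or from Samba.
Rules applied: idmap_ad only maps a user whose uidNumber lies inside the
domain's configured range, and users without a uidNumber are ignored.
Assumption: the user's primary group must also carry an in-range gidNumber
for winbind to present a complete passwd entry.
"""
import re
from typing import Dict, List, Tuple

# Matches "idmap config DOM : range = LOW-HIGH" (case-insensitive, spaces optional).
RANGE_RE = re.compile(
    r"^idmap\s+config\s+(?P<dom>[^:\s]+)\s*:\s*range\s*=\s*(?P<lo>\d+)\s*-\s*(?P<hi>\d+)$",
    re.IGNORECASE,
)
BACKEND_RE = re.compile(
    r"^idmap\s+config\s+(?P<dom>[^:\s]+)\s*:\s*backend\s*=\s*(?P<be>\S+)$",
    re.IGNORECASE,
)

# The idmap part of the smb.conf posted in the thread (comment line repaired,
# schema_mode set to rfc2307 as in the earlier quoted config).
SAMPLE_SMB_CONF = """
   # Default idmap config for local BUILTIN accounts and groups
   idmap config * : backend = tdb
   idmap config * : range = 990000-999999

   # idmap config for the CGV domain
   idmap config CGV:backend = ad
   idmap config CGV:schema_mode = rfc2307
   idmap config CGV:range = 1000-989999
"""

# Constructed directory contents; every name and number here is made up.
SAMPLE_GROUPS = [
    {"name": "Domain Users", "gidNumber": 10000},
    {"name": "Contractors"},                        # no gidNumber at all
]
SAMPLE_USERS = [
    {"name": "admin1",     "uidNumber": 1001,   "primaryGroup": "Domain Users"},
    {"name": "schimmer",   "uidNumber": 2048,   "primaryGroup": "Domain Users"},
    {"name": "nouid",                            "primaryGroup": "Domain Users"},
    {"name": "lowuid",     "uidNumber": 500,    "primaryGroup": "Domain Users"},
    {"name": "highuid",    "uidNumber": 995000, "primaryGroup": "Domain Users"},
    {"name": "contractor", "uidNumber": 3000,   "primaryGroup": "Contractors"},
]


def parse_idmap_config(smb_conf: str) -> Dict[str, dict]:
    """Return {DOMAIN: {"backend": ..., "range": (lo, hi)}} from smb.conf text."""
    cfg: Dict[str, dict] = {}
    for raw in smb_conf.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # skip blanks and comments
            continue
        m = RANGE_RE.match(line)
        if m:
            cfg.setdefault(m["dom"].upper(), {})["range"] = (int(m["lo"]), int(m["hi"]))
            continue
        m = BACKEND_RE.match(line)
        if m:
            cfg.setdefault(m["dom"].upper(), {})["backend"] = m["be"].lower()
    return cfg


def overlapping_ranges(cfg: Dict[str, dict]) -> List[Tuple[str, str]]:
    """Pairs of idmap domains whose ranges intersect (ranges must not overlap)."""
    doms = [(d, c["range"]) for d, c in cfg.items() if "range" in c]
    bad: List[Tuple[str, str]] = []
    for i, (d1, (l1, h1)) in enumerate(doms):
        for d2, (l2, h2) in doms[i + 1:]:
            if l1 <= h2 and l2 <= h1:
                bad.append((d1, d2))
    return bad


def audit_users(cfg: Dict[str, dict], domain: str, users, groups) -> Dict[str, List[str]]:
    """Sort users into the outcome idmap_ad would give them for `domain`."""
    lo, hi = cfg[domain.upper()]["range"]
    gid_of = {g["name"]: g.get("gidNumber") for g in groups}
    report: Dict[str, List[str]] = {
        "mapped": [], "no_uidnumber": [], "uid_out_of_range": [], "primary_group_unmapped": [],
    }
    for u in users:
        uid = u.get("uidNumber")
        if uid is None:                            # ignored by idmap_ad
            report["no_uidnumber"].append(u["name"])
        elif not lo <= uid <= hi:                  # outside the domain range
            report["uid_out_of_range"].append(u["name"])
        else:
            gid = gid_of.get(u.get("primaryGroup"))
            if gid is None or not lo <= gid <= hi:  # assumed: primary gid must map too
                report["primary_group_unmapped"].append(u["name"])
            else:
                report["mapped"].append(u["name"])
    return report


def run_sample_audit() -> Dict[str, List[str]]:
    """Audit the constructed sample data against the sample smb.conf."""
    cfg = parse_idmap_config(SAMPLE_SMB_CONF)
    return audit_users(cfg, "CGV", SAMPLE_USERS, SAMPLE_GROUPS)


if __name__ == "__main__":
    cfg = parse_idmap_config(SAMPLE_SMB_CONF)
    print("overlapping ranges:", overlapping_ranges(cfg))
    for outcome, names in run_sample_audit().items():
        print(f"{outcome:24s} {', '.join(names) or '-'}")
```

Feeding it a real export (for example the uidNumber/gidNumber/primaryGroup columns of an ldapsearch over the domain) instead of the constructed lists gives a quick list of exactly which accounts winbind will drop and why, which is the question left open by the `No xid` log line above.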
