[Samba] Problem with AD & idmap
l.schimmer at cgv.tugraz.at
Wed Mar 2 13:24:03 UTC 2022
On 02/03/2022 14:11, Rowland Penny via samba wrote:
> On Wed, 2022-03-02 at 13:31 +0100, Lars Schimmer via samba wrote:
>> After cleaning up a domain (remove old computers and users from the
>> removing SMBv1 from the Win2016 servers and getting a new krbtgt key
>> (with the MS-provided PS script), our samba AD bind is somewhat
> Have you tried leaving the domain and then re-joining ?
I did set up a new Debian bullseye system to test different configs.
And just did leave/reboot/join/reboot the domain
>> idmap config * : backend = tdb
>> idmap config * : range = 99000000-99999999
>> #idmap config for the XYZ domain
>> idmap config XYZ:backend = ad
>> #idmap config XYZ:schema_mode = template
>> idmap config XYZ:schema_mode = rfc2307
>> idmap config XYZ:range = 100-98999999
> If the uidNumbers in AD start at '1000', then the low range for 'XYZ'
> should start at '1000'
OK, but lower should not harm, should it?
>> It worked until we did cleanup the domain.
>> Now we miss the users.
>> With wbinfo -u /-g we do see all users and groups.
> wbinfo just shows that the users exist in AD, it doesn't mean that
> winbind will find them and pass this info to the OS.
>> With getent group it shows the groups with a gid added, including
>> With getent passwd it shows the local users and ONLY the members of
>> Administrator group, no other user.
>> (removing the idmap config XYZ:range = 100-98999999 shows more
>> but not all)
> Don't do that, it puts everything into the default domain and they do
> not belong there.
Right. That was just a test. Also the RID idmap backend does work for
all users, but it does not have stable UIDs over all Linux systems :-/
>> All users should be in the uidNumber 1000-9999 range (not all Domain
>> users have a uidNumber, but the tested ones do, as they
>> show up in wbinfo -u).
> Any users that do not have a uidNumber will be ignored.
Good, that was my assumption, but good to have it verified.
>> wbinfo -u does show user schimmer.
>> While trying to resolv the user, we get errors:
>> wbinfo -i schimmer
>> failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
>> Could not get info for user schimmer
>> wbinfo -n schimmer
>> S-1-5-21-606634686-2143625475-3072335171-1502 SID_USER (1)
>> wbinfo -S S-1-5-21-606634686-2143625475-3072335171-1502
>> failed to call wbcSidToUid: WBC_ERR_DOMAIN_NOT_FOUND
>> Could not convert sid S-1-5-21-606634686-2143625475-3072335171-1502
>> to uid
>> Logfile tells me:
>> idmap_ad_sids_to_unixids: No xid in CN=Lars
>> So, whats the xid here, which is missing?
>> And why does it show the members of the Administrator group and not
>> users, which are all (even the administrators) in the Domain Users
>> Anyone have a tip on howto go on to fix this?
> Try re-joining and if this fails, please post your entire smb.conf.
OK, here it is; basic and simple, it did work until the cleanup:
security = ADS
workgroup = CGV
realm = CGV.TUGRAZ.AT
dns proxy = no
bind interfaces only = yes
interfaces = lo 18.104.22.168/24
# Default idmap config for local BUILTIN accounts and groups
# Mandatory, but hopefully not used, because the ids must not overlap
idmap config * : backend = tdb
idmap config * : range = 990000-999999
# idmap config for the CGV domain
idmap config CGV:backend = ad
idmap config CGV:schema_mode = template
idmap config CGV:range = 1000-989999
winbind nss info = template
template shell = /bin/zsh
template homedir = /home/%U
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes
map to guest = bad user
Also just did a test on members:
members "Domain Users"
Admin1 Admin2 Admin3
and no one else. Although we have >50 accounts in that group, not all
TU Graz, Institut für ComputerGraphik & WissensVisualisierung
Tel: +43 316 873-5405 E-Mail: l.schimmer at cgv.tugraz.at
Fax: +43 316 873-5402 PGP-Key-ID: 0x4A9B1723
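An added check script for the situation discussed in this thread (not code from the post, from Rowland or from the Samba project): with idmap_ad in rfc2307 or template mode, winbind only maps accounts whose uidNumber is set and lies inside the domain's "idmap config DOM:range"; the others are skipped, which is what the "No xid in CN=..." log line and the empty getent passwd output reflect. The script parses the range out of an smb.conf fragment and classifies accounts from LDAP-style "dn:" blocks. Both the smb.conf fragment and the account records are constructed sample data embedded inline so it runs offline; in practice you would feed it the output of an ldbsearch/ldapsearch for sAMAccountName and uidNumber (the exact query is an assumption, not something the thread shows).

```shell
#!/bin/sh
# Added example, not from the mailing-list post or the Samba project.
# Classifies AD accounts the way idmap_ad (schema_mode = rfc2307/template)
# treats them: no uidNumber or a uidNumber outside the configured range
# means winbind ignores the account. Sample data below is constructed.

# Constructed smb.conf fragment (same ranges as in the thread).
SMB_CONF='
[global]
   security = ADS
   workgroup = CGV
   idmap config * : backend = tdb
   idmap config * : range = 990000-999999
   idmap config CGV:backend = ad
   idmap config CGV:schema_mode = rfc2307
   idmap config CGV:range = 1000-989999
'

# Constructed LDIF-style records, one blank-line-separated block per account.
# In practice this would come from e.g. (assumed invocation):
#   ldbsearch -H ldap://dc.cgv.tugraz.at -U admin '(objectClass=user)' \
#       sAMAccountName uidNumber
AD_USERS='
dn: CN=Admin1,CN=Users,DC=cgv,DC=tugraz,DC=at
sAMAccountName: admin1
uidNumber: 1001

dn: CN=Lars Schimmer,CN=Users,DC=cgv,DC=tugraz,DC=at
sAMAccountName: schimmer

dn: CN=Old Account,CN=Users,DC=cgv,DC=tugraz,DC=at
sAMAccountName: olduser
uidNumber: 500
'

# idmap_range DOMAIN -> prints "LOW HIGH" for "idmap config DOMAIN:range".
# Whitespace is stripped before comparing, so "idmap config * : range"
# and "idmap config CGV:range" are both matched by exact string compare
# (no regex, so the "*" default domain needs no escaping).
idmap_range() {
  printf '%s\n' "$SMB_CONF" | awk -v dom="$1" '
    BEGIN { want = "idmapconfig" dom ":range" }
    {
      line = $0; sub(/^[ \t]+/, "", line)
      if (index(line, "idmap config") != 1) next
      n = split(line, kv, "=")
      if (n < 2) next
      key = kv[1]; val = kv[2]
      gsub(/[ \t]/, "", key); gsub(/[ \t]/, "", val)
      if (key == want) { split(val, r, "-"); print r[1], r[2]; exit }
    }'
}

# classify_user UIDNUMBER LOW HIGH -> MAPPED | NO_UIDNUMBER | OUT_OF_RANGE
# An empty UIDNUMBER means the attribute is absent in AD.
classify_user() {
  uid=$1; low=$2; high=$3
  if [ -z "$uid" ]; then
    echo NO_UIDNUMBER          # winbind logs "No xid in CN=..." for these
  elif [ "$uid" -lt "$low" ] || [ "$uid" -gt "$high" ]; then
    echo OUT_OF_RANGE          # has a uidNumber, but outside DOMAIN:range
  else
    echo MAPPED
  fi
}

# audit_users DOMAIN -> one "sAMAccountName STATUS" line per account.
audit_users() {
  range=$(idmap_range "$1")
  if [ -z "$range" ]; then
    echo "no idmap range configured for domain $1" >&2
    return 1
  fi
  low=${range% *}; high=${range#* }
  printf '%s\n' "$AD_USERS" | awk -v low="$low" -v high="$high" '
    function emit() {
      if (name == "") return
      if (uid == "")                               st = "NO_UIDNUMBER"
      else if (uid+0 < low+0 || uid+0 > high+0)    st = "OUT_OF_RANGE"
      else                                         st = "MAPPED"
      print name, st
      name = ""; uid = ""
    }
    /^sAMAccountName:/ { name = $2 }
    /^uidNumber:/      { uid = $2 }
    /^$/               { emit() }
    END                { emit() }
  '
}

# Run the audit for the sample domain when executed directly.
audit_users CGV
```

With the sample data this prints admin1 as MAPPED, schimmer as NO_UIDNUMBER and olduser as OUT_OF_RANGE (uidNumber 500 is below the range's low end of 1000, the point Rowland raises about where the range should start). Anything not reported as MAPPED is an account that getent passwd will not show, whatever wbinfo -u says.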