[Samba] Problem with AD & idmap

Rowland Penny rpenny at samba.org
Wed Mar 2 13:44:16 UTC 2022


On Wed, 2022-03-02 at 14:24 +0100, Lars Schimmer via samba wrote:
> > 
> 
> I did setup a new debian bullyeye system to test different configs.
> And just did leave/reboot/join/reboot the domain
> 
> 
> > >   idmap config * : backend = tdb
> > >   idmap config * : range = 99000000-99999999
> > >   #idmap config for the XYZ domain
> > >   idmap config XYZ:backend = ad
> > >   #idmap config XYZ:schema_mode = template
> > >   idmap config XYZ:schema_mode = rfc2307
> > >   idmap config XYZ:range = 100-98999999
> > > 
> > 
> > If the uidNumbers in AD start at '1000', then the low range for 'XYZ'
> > should start at '1000'
> 
> Ok, but lower should not harm, or?

Probably will have no effect, but best practice is to start the DOMAIN low
range at the lowest uidNumber.

> Right. That was just a test. Also the RID idmap backend does work for
> all users, but it does not have stable uids over all linux systems :-/

That shows that the domain is working, so it has to be a problem with
your 'ad' setup

> 
> [global]
>    security = ADS
>    workgroup = CGV
>    realm = CGV.TUGRAZ.AT
>    dns proxy = no
> 
>    bind interfaces only = yes
>    interfaces = lo 129.27.218.0/24
> 
>    # Default idmap config for local BUILTIN accounts and groups
>    # Mandatory, but hopefully not used, because the ids must not
>    # overlap
>    idmap config * : backend = tdb
>    idmap config * : range = 990000-999999
> 
>    # idmap config for the CGV domain
>    idmap config CGV:backend = ad
>    idmap config CGV:schema_mode = template
>    idmap config CGV:range = 1000-989999
> 
>    winbind nss info = template
>    template shell = /bin/zsh
>    template homedir = /home/%U
> 
>    winbind enum users = yes
>    winbind enum groups = yes
>    winbind use default domain = yes
> 
>    map to guest = bad user
> 
> Also just did a test on members:
> 
> members "Domain Users"
> Admin1 Admin2 Admin3
> 
> and no one else. Although we got >50 accounts in that group, not all
> with gid.

Again, that will only show users that have a uidNumber attribute
containing a number inside the '1000-989999' range you set in smb.conf
AND Domain Users must have a gidNumber inside the same range.

Rowland
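The rule in the last paragraph of the reply, written out as an added example (this is not code from the thread, from either poster, or from the Samba project). It parses the `idmap config` lines of an smb.conf fragment, warns when the `*` range and the domain range overlap, and then reports for every member of "Domain Users" whether winbind could map it or why not: the group's gidNumber must lie inside the domain range, and so must each user's uidNumber. `SMB_CONF`, `USERS` and `GROUPS` are constructed samples modelled on the thread; the function names are my own, while uidNumber, gidNumber and member are the standard AD/RFC2307 attribute names.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed smb.conf fragment with the same idmap layout as the thread.
SMB_CONF = """\
[global]
   security = ADS
   workgroup = CGV
   realm = CGV.TUGRAZ.AT

   # Default idmap config for local BUILTIN accounts and groups
   idmap config * : backend = tdb
   idmap config * : range = 990000-999999

   # idmap config for the CGV domain
   idmap config CGV:backend = ad
   #idmap config CGV:schema_mode = template
   idmap config CGV:schema_mode = rfc2307
   idmap config CGV:range = 1000-989999
"""

# Constructed sample directory data (not real accounts). None = attribute unset.
USERS: Dict[str, Dict[str, Optional[int]]] = {
    "Admin1": {"uidNumber": 1001},
    "Admin2": {"uidNumber": 1002},
    "Admin3": {"uidNumber": 1003},
    "alice": {"uidNumber": None},   # never given a uidNumber
    "bob": {"uidNumber": 995000},   # set, but falls inside the '*' (tdb) range
}
GROUPS = {
    "Domain Users": {"gidNumber": 10000,
                     "member": ["Admin1", "Admin2", "Admin3", "alice", "bob"]},
}

IDMAP_RE = re.compile(
    r"^\s*idmap config\s+(\S+?)\s*:\s*(\w+)\s*=\s*(\S.*?)\s*$", re.IGNORECASE)


def parse_idmap_config(conf: str) -> Dict[str, Dict[str, str]]:
    """Return {DOMAIN: {option: value}} for every active 'idmap config' line.
    '#' and ';' start comments in smb.conf, so commented-out lines are skipped."""
    cfg: Dict[str, Dict[str, str]] = {}
    for line in conf.splitlines():
        if line.lstrip().startswith(("#", ";")):
            continue
        m = IDMAP_RE.match(line)
        if m:
            dom, opt, val = m.group(1).upper(), m.group(2).lower(), m.group(3)
            cfg.setdefault(dom, {})[opt] = val
    return cfg


def parse_range(spec: str) -> Tuple[int, int]:
    """'1000-989999' -> (1000, 989999); a reversed range is an error."""
    lo, hi = (int(part) for part in spec.split("-"))
    if lo > hi:
        raise ValueError(f"idmap range {spec!r}: low end is above high end")
    return lo, hi


def check_ranges(cfg: Dict[str, Dict[str, str]]) -> List[str]:
    """Report domains without a range and any pair of ranges that overlap."""
    problems: List[str] = []
    ranges: Dict[str, Tuple[int, int]] = {}
    for dom, opts in cfg.items():
        if "range" not in opts:
            problems.append(f"{dom}: no idmap range configured")
        else:
            ranges[dom] = parse_range(opts["range"])
    names = sorted(ranges)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            (alo, ahi), (blo, bhi) = ranges[a], ranges[b]
            if alo <= bhi and blo <= ahi:
                problems.append(f"idmap ranges for {a} and {b} overlap")
    return problems


def classify_members(group: str, users, groups, lo: int, hi: int) -> Dict[str, str]:
    """For each member: 'mapped', or the reason winbind cannot resolve it."""
    grp = groups[group]
    gid = grp.get("gidNumber")
    if gid is None or not lo <= gid <= hi:
        # The group itself cannot be mapped, so 'members' shows nobody at all.
        why = f"group gidNumber {gid} not inside {lo}-{hi}"
        return {u: why for u in grp["member"]}
    result: Dict[str, str] = {}
    for u in grp["member"]:
        uid = users[u].get("uidNumber")
        if uid is None:
            result[u] = "no uidNumber"
        elif not lo <= uid <= hi:
            result[u] = f"uidNumber {uid} not inside {lo}-{hi}"
        else:
            result[u] = "mapped"
    return result


def visible_members(group: str, users, groups, cfg, domain: str) -> List[str]:
    """What 'members <group>' would print: only the fully mappable accounts."""
    lo, hi = parse_range(cfg[domain.upper()]["range"])
    return [u for u, why in classify_members(group, users, groups, lo, hi).items()
            if why == "mapped"]


if __name__ == "__main__":
    cfg = parse_idmap_config(SMB_CONF)
    for problem in check_ranges(cfg):
        print("WARNING:", problem)
    lo, hi = parse_range(cfg["CGV"]["range"])
    for user, why in classify_members("Domain Users", USERS, GROUPS, lo, hi).items():
        print(f"{user:8} {why}")
    print("members 'Domain Users':",
          " ".join(visible_members("Domain Users", USERS, GROUPS, cfg, "CGV")))
```

With the sample data only Admin1, Admin2 and Admin3 come out as mapped, which is the pattern the thread describes; the per-user reasons ("no uidNumber", "uidNumber outside the range") are what to look for in the directory for the accounts that do not appear.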
