[Samba] Problem with AD & idmap

Rowland Penny rpenny at samba.org
Thu Mar 3 12:31:14 UTC 2022


On Thu, 2022-03-03 at 12:05 +0100, Lars Schimmer via samba wrote:
> > Have you actually looked in AD, does Domain Users have a gidNumber
> > attribute ? Do your users have the primaryGroupID attribute set to
> > '513' ? Do the relevant users have a uidNumber attribute ?
> 
> Why 513?

Because that is the RID for Domain Users and all AD users are members
of Domain Users because of it, even though they are never shown as a
member anywhere in AD.

> The Domain Users group does have a separate gid and that's the
> primary group for all users, which all users do have set as gid.

There is absolutely no reason to do that. As I explained above, all AD
users are members of Domain Users even without a gidNumber attribute.

> 
> > The fact that the 'rid' idmap backend works, shows that Samba is
> > working. When you change to the 'ad' backend and it doesn't work,
> > usually means that there is something wrong with the uidNumber &
> > gidNumber attributes in AD.
> > Try running 'testparm -s', this may show errors.
> 
> Yeah, that's the strange part. It did work with the AD config until we
> did a clean up (remove accounts), disabled SMBv1 and changed the
> KrbTGT key.

Why did you change the key ? I never change the key and have never had
any problems. I think that changing the key manually should only be an
act of last desperation.

> So we did not change any UID or GID.
> And even if we had, if I read the above thread correctly, a UID and
> GID in range for any user should be enough to work, but it does not
> for any user, except the admins.
> And that's strange.

Very strange and something that has never happened to myself.

> 
> testparm -s shows what is in smb.conf: correct network, SMBv2
> protocol, idmap ranges as expected.
> 
> Do we need separate user/group ranges in the samba config?

In what respect?
You should have two domains configured in smb.conf (unless you are
using the autorid idmap backend). The first is the default or '*'
domain; this is used for the 'Well Known SIDs' and anything outside the
main domain, so it only needs to be small, 2000 IDs are more than
enough. The second domain (which uses the workgroup name to identify
it) is for the users stored in AD. You will have to add the RFC2307
attributes if you use the 'ad' idmap backend. Whichever backend you
use, you need to set a range for it in smb.conf. This range must cover
all users in AD that you want to be mapped to Unix users. 'rid' and
'autorid' calculate the Unix ID from the RID, and any Unix IDs that are
outside the range set in smb.conf will be ignored. The same goes for
the 'ad' backend, but in this case any uidNumber or gidNumber
attributes that are outside the range will be ignored, and Domain Users
must have a gidNumber set that is inside the range, or all users will be
ignored.

Rowland
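As an added illustration of the two-domain idmap layout and the Domain Users rule explained in the reply above (example code, not from the thread or from the Samba project): a small Python check that reads the idmap ranges from an smb.conf fragment and reports, for constructed AD records, which users winbind would map and why the others are skipped. The smb.conf text, the SAMDOM domain name and the user and group records are all constructed; the 'rid' formula is the one documented for idmap_rid.

```python
import re

# Constructed smb.conf fragment (not from the thread): small '*' default domain
# for well-known SIDs, plus the SAMDOM domain using the 'ad' backend.
SMB_CONF = """
[global]
   workgroup = SAMDOM
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999
   idmap config SAMDOM : backend = ad
   idmap config SAMDOM : schema_mode = rfc2307
   idmap config SAMDOM : range = 10000-999999
"""
# Constructed AD objects keyed by RID. Domain Users (RID 513) has no gidNumber
# here, which is the failure mode the reply describes.
GROUPS = {513: {"name": "Domain Users", "gidNumber": None}}
USERS = [
    {"name": "admin1", "rid": 1104, "uidNumber": 10001, "primaryGroupID": 513},
    {"name": "lowuid", "rid": 1105, "uidNumber": 5000, "primaryGroupID": 513},
    {"name": "norfc", "rid": 1106, "uidNumber": None, "primaryGroupID": 513},
]

def parse_idmap(conf):
    """Return {domain: {"backend": ..., "range": (low, high)}} from smb.conf text."""
    cfg = {}
    for dom, key, val in re.findall(r"idmap config (\S+)\s*:\s*(\w+)\s*=\s*(\S+)", conf):
        d = cfg.setdefault(dom, {})
        d[key] = tuple(int(x) for x in val.split("-")) if key == "range" else val
    return cfg

def idmap_report(conf, workgroup, users, groups):
    """Return {user: (unix_uid or None, reason)} following the backend's rules."""
    dom = parse_idmap(conf)[workgroup]
    low, high = dom["range"]
    report = {}
    for u in users:
        if dom["backend"] == "rid":
            # idmap_rid: ID = RID - BASE_RID + LOW_RANGE_ID (base_rid defaults to 0)
            uid = low + u["rid"]
            report[u["name"]] = (uid, "ok") if uid <= high else (None, "outside range")
            continue
        # 'ad' backend: the primary group's gidNumber and the user's uidNumber must
        # both exist and fall inside the range, or the user never resolves.
        gid = groups.get(u["primaryGroupID"], {}).get("gidNumber")
        if gid is None or not low <= gid <= high:
            report[u["name"]] = (None, "primary group lacks gidNumber in range")
        elif u["uidNumber"] is None or not low <= u["uidNumber"] <= high:
            report[u["name"]] = (None, "uidNumber missing or outside range")
        else:
            report[u["name"]] = (u["uidNumber"], "ok")
    return report
```

With GROUPS as constructed, every user is reported unmapped; giving Domain Users a gidNumber inside the SAMDOM range (for instance 10513) makes admin1 resolve while the two users with a bad or missing uidNumber still do not.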