[Samba] Problem with AD & idmap
L. van Belle
belle at samba.org
Thu Mar 3 13:22:10 UTC 2022
And.. Small side note, this is different per distro.
cat /etc/adduser.conf |grep UID
# FIRST_SYSTEM_[GU]ID to LAST_SYSTEM_[GU]ID inclusive is the range for UIDs
# package, may assume that UIDs less than 100 are unallocated.
# FIRST_[GU]ID to LAST_[GU]ID inclusive is the range of UIDs of dynamically
So, based on that, (*a Debian Buster server)..
Try to avoid these system ranges or at least think about these..
> -----Oorspronkelijk bericht-----
> Van: samba [mailto:samba-bounces at lists.samba.org] Namens
> Rowland Penny via samba
> Verzonden: donderdag 3 maart 2022 13:31
> Aan: samba at lists.samba.org
> Onderwerp: Re: [Samba] Problem with AD & idmap
> On Thu, 2022-03-03 at 12:05 +0100, Lars Schimmer via samba wrote:
> > > > >
> > > Have you actually looked in AD, does Domain Users have a gidNumber
> > > attribute ? Do your users have the primaryGroupID attribute set to
> > > '513' ? Do the relevant users have a uidNumber attribute ?
> > Why 513?
> Because that is the RID for Domain Users and all AD users are members
> of Domain Users because of it, even though they are never shown as a
> member anywhere in AD.
> > The Doamin Users Group does have a seperate gid and thats the
> > primary
> > group for all users, which all users do have set as gid.
> There is absolutely no reason to do that, because of what I explained
> above, all AD users are members of Domain Users without a gidNumber
> > > The fact that the 'rid' idmap backend works, shows that Samba is
> > > working. When you change to the 'ad' backend and it doesn't work,
> > > usually means that there is something wrong with the uidNumber &
> > > gidNumber attributes in AD.
> > > Try running 'testparm -s', this may show errors.
> > Yeah, thats the strange part.It did work with the AD config until we
> > did
> > clean up (remove accounts), disable SMBv1 and chanbge KrbTGTKLey.
> Why did you change the key ? I never change the key and have never had
> any problems. I think that changing the key manually should only be an
> act of last desperation.
> > So we did not change any UID oder GID.
> > And even if, as I did read the above thread correct, a UID and GID
> > in
> > range for any user should be enough to work, but it does
> not for any
> > user, except the admins.
> > And thats strange.
> Very strange and something that has never happened to myself.
> > testparm -s shows like smbconf. correct network, smbv2 protocol,
> > idmap
> > ranges as expected.
> > Do we need seperate user/group ranges in samba config?
> In what respect ?
> You should have two domains configured in smb.conf (unless you are
> using the autorid idmap backend). The first is the default or '*'
> domain, this is used for the 'Well Known SIDs' and anything
> outside the
> main domain, this only needs to be small, 2000 IDs are more than
> enough. The second domain (which uses the workgroup name to identify
> it) is for the users stored in AD. You will have to add the RFC2307
> attributes if you use the 'ad' idmap backend. Whichever backend you
> use, you need to set a range for it in smb.conf. This range must cover
> all users in AD that you want to be mapped to Unix users, 'rid' and
> 'autorid' calculate the Unix ID from the RID, any Unix IDs that are
> outside the range set in smb.conf will be ignored. The same goes for
> the 'ad' backen, but in this case, any uidNumber or gidNumber
> attributes that are outside the range will be ignored, but
> Domain Users
> must have a gidNumber set and be inside the range, or all
> users will be
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
More information about the samba