[Samba] Problem with AD & idmap

Lars Schimmer l.schimmer at cgv.tugraz.at
Thu Mar 3 14:17:40 UTC 2022


On 03.03.2022 at 13:31, Rowland Penny via samba wrote:
> On Thu, 2022-03-03 at 12:05 +0100, Lars Schimmer via samba wrote:
>>> Have you actually looked in AD, does Domain Users have a gidNumber
>>> attribute? Do your users have the primaryGroupID attribute set to
>>> '513'? Do the relevant users have a uidNumber attribute?
>>
>> Why 513?
> 
> Because that is the RID for Domain Users and all AD users are members
> of Domain Users because of it, even though they are never shown as a
> member anywhere in AD.
> 
>> The Domain Users group does have a separate gid and that's the
>> primary group for all users, which all users do have set as gid.
> 
> There is absolutely no reason to do that, because of what I explained
> above, all AD users are members of Domain Users without a gidNumber
> attribute.

Hm, ok. Another point to take and check.

>>> The fact that the 'rid' idmap backend works, shows that Samba is
>>> working. When you change to the 'ad' backend and it doesn't work,
>>> usually means that there is something wrong with the uidNumber &
>>> gidNumber attributes in AD.
>>> Try running 'testparm -s', this may show errors.
>>
>> Yeah, that's the strange part. It did work with the AD config until we
>> did a clean up (removed accounts), disabled SMBv1 and changed the
>> KrbTGT key.
> 
> Why did you change the key ? I never change the key and have never had
> any problems. I think that changing the key manually should only be an
> act of last desperation.

Because it was described as absolutely good practice for security to
protect against golden ticket attacks and others in AD.
And it worked well on the (newer) domain.

>> So we did not change any UID or GID.
>> And even if, as I read the above thread correctly, a UID and GID in
>> range for any user should be enough to work, but it does not for any
>> user, except the admins.
>> And that's strange.
> 
> Very strange and something that has never happened to myself.

Yeah.

>> testparm -s shows the same as smb.conf: correct network, SMBv2
>> protocol, idmap ranges as expected.
>>
>> Do we need separate user/group ranges in the samba config?
> 
> In what respect ?
> You should have two domains configured in smb.conf (unless you are
> using the autorid idmap backend). The first is the default or '*'
> domain, this is used for the 'Well Known SIDs' and anything outside the
> main domain, this only needs to be small, 2000 IDs are more than
> enough. The second domain (which uses the workgroup name to identify
> it) is for the users stored in AD. You will have to add the RFC2307
> attributes if you use the 'ad' idmap backend. Whichever backend you
> use, you need to set a range for it in smb.conf. This range must cover
> all users in AD that you want to be mapped to Unix users, 'rid' and
> 'autorid' calculate the Unix ID from the RID, any Unix IDs that are
> outside the range set in smb.conf will be ignored. The same goes for
> the 'ad' backend, but in this case, any uidNumber or gidNumber
> attributes that are outside the range will be ignored, but Domain Users
> must have a gidNumber set and be inside the range, or all users will be
> ignored.

Ok, that's what I guessed, but that's not how it works here now. Thanks
for the clarification.

> Rowland


Regards,
Lars Schimmer
-- 
-------------------------------------------------------------
TU Graz, Institut für ComputerGraphik & WissensVisualisierung
Tel: +43 316 873-5405       E-Mail: l.schimmer at cgv.tugraz.at
Fax: +43 316 873-5402       PGP-Key-ID: 0x4A9B1723
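The idmap rules Rowland lays out above (a small '*' default domain plus a workgroup domain, non-overlapping ranges, and with the 'ad' backend every uidNumber/gidNumber outside the workgroup range being ignored, with Domain Users' gidNumber mandatory) can be checked mechanically before touching a live domain. The following script is an added example, not code from this thread or from the Samba project: it parses the `idmap config` lines of an smb.conf text and then applies those rules to a constructed set of AD records. The smb.conf content, the SAMDOM workgroup name, the user records and the `check_*` function names are all assumptions made for the example.

```python
"""Sanity-check smb.conf idmap ranges against RFC2307 attributes of AD objects.

Added example (not from the mailing-list thread or Samba itself). Rules applied:
  - both the '*' default domain and the workgroup domain need a range
  - ranges must not overlap
  - 'ad' backend: a user is mapped only if its uidNumber is inside the
    workgroup range; if Domain Users (RID 513, every user's primary group)
    has no gidNumber inside that range, every user is ignored.
All smb.conf text and 'AD' records below are constructed sample data.
"""
import re

# Matches e.g.  "idmap config SAMDOM : range = 10000-999999"
IDMAP_RE = re.compile(r"^\s*idmap config\s+(\S+)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.I)

SAMPLE_SMB_CONF = """\
[global]
   workgroup = SAMDOM
   security = ADS
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999
   idmap config SAMDOM : backend = ad
   idmap config SAMDOM : schema_mode = rfc2307
   idmap config SAMDOM : range = 10000-999999
"""

# Constructed AD users: only the attributes the check needs.
SAMPLE_USERS = [
    {"name": "alice", "uidNumber": 10001},   # inside the SAMDOM range
    {"name": "bob", "uidNumber": 5000},      # inside '*' but not SAMDOM: ignored
    {"name": "carol", "uidNumber": None},    # no RFC2307 attribute at all
]


def parse_idmap_config(smb_conf: str) -> dict:
    """Return {domain: {'backend': ..., 'range': (lo, hi), ...}} from smb.conf text."""
    domains = {}
    for line in smb_conf.splitlines():
        m = IDMAP_RE.match(line)
        if not m:
            continue
        domain, key, value = m.group(1).upper(), m.group(2).lower(), m.group(3)
        entry = domains.setdefault(domain, {})
        if key == "range":
            lo, hi = (int(x) for x in value.split("-"))
            entry["range"] = (lo, hi)
        else:
            entry[key] = value
    return domains


def check_config(domains: dict, workgroup: str) -> list:
    """Return a list of problems with the idmap layout (empty list means sane)."""
    problems = []
    for name in ("*", workgroup.upper()):
        if "range" not in domains.get(name, {}):
            problems.append(f"no range set for idmap domain '{name}'")
    ranges = [(n, d["range"]) for n, d in domains.items() if "range" in d]
    for i, (n1, (a1, b1)) in enumerate(ranges):
        for n2, (a2, b2) in ranges[i + 1:]:
            if a1 <= b2 and a2 <= b1:  # closed intervals intersect
                problems.append(f"ranges of '{n1}' and '{n2}' overlap")
    return problems


def check_ad_users(domains: dict, workgroup: str, users: list, domain_users_gid):
    """Apply the 'ad' backend rules.

    Returns (mapped_names, ignored_names, fatal_reason_or_None).
    domain_users_gid is Domain Users' gidNumber, or None if the attribute is absent.
    """
    lo, hi = domains[workgroup.upper()]["range"]

    def in_range(v):
        return v is not None and lo <= v <= hi

    if not in_range(domain_users_gid):
        # Primary group of every AD user is unusable: nobody can be mapped.
        return [], [u["name"] for u in users], "Domain Users has no gidNumber inside the range"
    mapped = [u["name"] for u in users if in_range(u["uidNumber"])]
    ignored = [u["name"] for u in users if not in_range(u["uidNumber"])]
    return mapped, ignored, None


if __name__ == "__main__":
    doms = parse_idmap_config(SAMPLE_SMB_CONF)
    print("layout problems:", check_config(doms, "SAMDOM") or "none")
    print("Domain Users gid 10000:", check_ad_users(doms, "SAMDOM", SAMPLE_USERS, 10000))
    print("Domain Users gid unset:", check_ad_users(doms, "SAMDOM", SAMPLE_USERS, None))
```

Feeding the script your real smb.conf and the uidNumber/gidNumber values read out of AD reproduces the "works for admins only" symptom from the thread whenever Domain Users' gidNumber is missing or outside the workgroup range, which is the first thing to verify before changing the backend or the idmap ranges.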