[Samba] Problem with AD & idmap

Rowland Penny rpenny at samba.org
Thu Mar 3 14:30:16 UTC 2022


On Thu, 2022-03-03 at 15:17 +0100, Lars Schimmer via samba wrote:
> 
> 
> > > > The fact that the 'rid' idmap backend works, shows that Samba is
> > > > working. When you change to the 'ad' backend and it doesn't work,
> > > > usually means that there is something wrong with the uidNumber &
> > > > gidNumber attributes in AD.
> > > > Try running 'testparm -s', this may show errors.
> > > 
> > > 
> Because it was described as absolutely good practice for security to
> protect against golden ticket attacks and others in the AD.
> And it worked well on the (newer) Domain.

Who described it as absolutely good practice?

> 
> > > 
> > > 
> > In what respect?
> > You should have two domains configured in smb.conf (unless you are
> > using the autorid idmap backend). The first is the default or '*'
> > domain, this is used for the 'Well Known SIDs' and anything outside
> > the main domain, this only needs to be small, 2000 IDs are more than
> > enough. The second domain (which uses the workgroup name to identify
> > it) is for the users stored in AD. You will have to add the RFC2307
> > attributes if you use the 'ad' idmap backend. Whichever backend you
> > use, you need to set a range for it in smb.conf. This range must cover
> > all users in AD that you want to be mapped to Unix users, 'rid' and
> > 'autorid' calculate the Unix ID from the RID, any Unix IDs that are
> > outside the range set in smb.conf will be ignored. The same goes for
> > the 'ad' backend, but in this case, any uidNumber or gidNumber
> > attributes that are outside the range will be ignored, but Domain
> > Users must have a gidNumber set and be inside the range, or all users
> > will be ignored.
> 
> Ok, that's what I guessed, but that's not how it works here now.

Then something is seriously wrong. Is this on all Unix domain members?
If it is, then this points to a problem on the DC; if it is just one
Unix domain member, then it is probably something wrong with that Unix
domain member.

I suggest you download this script:

https://github.com/thctlo/samba4/blob/master/samba-collect-debug-info.sh

Run it on the Unix domain member and post the output here.

Rowland
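An added check, not from this thread or from the Samba project, that applies the 'ad' backend rules quoted above (range in smb.conf, uidNumber/gidNumber outside it ignored, Domain Users needing an in-range gidNumber) to a constructed smb.conf fragment and constructed AD attribute values; the workgroup name, ranges and ID numbers are all hypothetical:

```python
import re

# Constructed smb.conf fragment with the two idmap domains described in
# the thread: the '*' default range and the AD domain on the 'ad' backend.
SMB_CONF = """\
[global]
    workgroup = EXAMPLE
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    idmap config EXAMPLE : backend = ad
    idmap config EXAMPLE : schema_mode = rfc2307
    idmap config EXAMPLE : range = 10000-999999
"""
# Constructed AD objects with hypothetical RFC2307 attribute values.
AD_OBJECTS = [
    {"name": "Domain Users", "kind": "group", "gidNumber": 10000},
    {"name": "alice", "kind": "user", "uidNumber": 10001, "gidNumber": 10000},
    {"name": "bob", "kind": "user", "uidNumber": 1001, "gidNumber": 10000},
    {"name": "carol", "kind": "user", "gidNumber": 10000},
]

IDMAP_RE = re.compile(r"^\s*idmap config\s+(\S+)\s*:\s*(\w+)\s*=\s*(.+?)\s*$")

def parse_idmap(conf):
    """Return {domain: {parameter: value}} for every 'idmap config' line."""
    cfg = {}
    for line in conf.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            cfg.setdefault(m.group(1), {})[m.group(2)] = m.group(3)
    return cfg

def check_ad_backend(conf, objects, workgroup):
    """Apply the thread's 'ad' backend rules to the workgroup's idmap range."""
    lo, hi = (int(x) for x in parse_idmap(conf)[workgroup]["range"].split("-"))

    def in_range(v):
        return v is not None and lo <= v <= hi
    dom_users = next((o for o in objects if o["name"] == "Domain Users"), {})
    # Domain Users needs a gidNumber inside the range, or no user is mapped.
    domain_users_ok = in_range(dom_users.get("gidNumber"))
    unmapped = []
    for o in (o for o in objects if o["kind"] == "user"):
        # A uidNumber or gidNumber that is missing or outside the range is ignored.
        ok = in_range(o.get("uidNumber")) and in_range(o.get("gidNumber"))
        if not (domain_users_ok and ok):
            unmapped.append(o["name"])
    return {"range": (lo, hi), "domain_users_ok": domain_users_ok, "unmapped": unmapped}

if __name__ == "__main__":
    print(check_ad_backend(SMB_CONF, AD_OBJECTS, "EXAMPLE"))
```

On a real domain member the AD_OBJECTS list would be replaced by the uidNumber/gidNumber attributes read from the directory, and anything listed under "unmapped" is what `getent passwd` will not show.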