[Samba] Problem with AD & idmap

Lars Schimmer l.schimmer at cgv.tugraz.at
Fri Mar 4 10:48:48 UTC 2022

On 03.03.2022 at 15:30, Rowland Penny via samba wrote:
> On Thu, 2022-03-03 at 15:17 +0100, Lars Schimmer via samba wrote:
>>>>> The fact that the 'rid' idmap backend works, shows that Samba is
>>>>> working. When you change to the 'ad' backend and it doesn't work,
>>>>> usually means that there is something wrong with the uidNumber &
>>>>> gidNumber attributes in AD.
>>>>> Try running 'testparm -s', this may show errors.
>> Because it was described as absolute good practise for security to
>> protect against golden ticket attacks and others in the AD.
>> And it worked well on the (newer) domain.
> Who described it as absolute good practise ?

At least our security department. Also I did run castleping on our 
domains and it was described as good practise to change that key every year.
In the end, that's just the Krb5TGTkey; it should not change the way 
users are found, as krb5 should accept the new key, too.
Esp. if the client was added to the domain AFTER the key change.

>>> In what respect ?
>>> You should have two domains configured in smb.conf (unless you are
>>> using the autorid idmap backend). The first is the default or '*'
>>> domain, this is used for the 'Well Known SIDs' and anything outside the
>>> main domain, this only needs to be small, 2000 IDs are more than
>>> enough. The second domain (which uses the workgroup name to identify
>>> it) is for the users stored in AD. You will have to add the RFC2307
>>> attributes if you use the 'ad' idmap backend. Whichever backend you
>>> use, you need to set a range for it in smb.conf. This range must cover
>>> all users in AD that you want to be mapped to Unix users, 'rid' and
>>> 'autorid' calculate the Unix ID from the RID, any Unix IDs that are
>>> outside the range set in smb.conf will be ignored. The same goes for
>>> the 'ad' backend, but in this case, any uidNumber or gidNumber
>>> attributes that are outside the range will be ignored, but Domain Users
>>> must have a gidNumber set and be inside the range, or all users will be
>>> ignored.
>> Ok, that's what I guessed, but that's not how it works here now.
> Then something is seriously wrong. Is this on all Unix domain
> members? If it is, then this points to a problem on the DC; if it is
> just one Unix domain member, then it is probably something wrong with
> that Unix domain member.
> I suggest you download this script:
> https://github.com/thctlo/samba4/blob/master/samba-collect-debug-info.sh
> Run it on the Unix domain member and post the output here.

Yeah, something is wrong, as the result happens on all workstations.

Script shows no anomalies AFAIK, I needed to install krb5-user to run 
it, never needed those krb5 tools to get the users before. But it does 
not hurt (still some experience due to OpenAFS config back in the old 

Collected config  --- 2022-03-04-11:40 -----------

Hostname: larsdeb
DNS Domain: cgv.tugraz.at
FQDN: larsdeb.cgv.tugraz.at


Kerberos SRV _kerberos._tcp.cgv.tugraz.at record verified ok, sample 

_kerberos._tcp.cgv.tugraz.at    service = 0 100 88 carme.cgv.tugraz.at.
_kerberos._tcp.cgv.tugraz.at    service = 0 100 88 io.cgv.tugraz.at.
Samba is running as a Unix domain member

        Checking file: /etc/os-release

PRETTY_NAME="Debian GNU/Linux 11 (bullseye)"
NAME="Debian GNU/Linux"
VERSION="11 (bullseye)"


This computer is running Debian 11.2 x86_64

running command : ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN 
group default qlen 1000
     link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
     inet scope host lo
     inet6 ::1/128 scope host
2: ens192: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast 
state UP group default qlen 1000
     link/ether 00:50:56:84:83:e8 brd ff:ff:ff:ff:ff:ff
     altname enp11s0
     inet brd scope global ens192
     inet6 fe80::250:56ff:fe84:83e8/64 scope link

        Checking file: /etc/hosts       localhost   larsdeb.cgv.tugraz.at   larsdeb

# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters


        Checking file: /etc/resolv.conf

search cgv.tugraz.at


        Checking file: /etc/krb5.conf

         default_realm = CGV.TUGRAZ.AT

# The following krb5.conf variables are only for MIT Kerberos.
         kdc_timesync = 1
         ccache_type = 4
         forwardable = true
         proxiable = true

# The following encryption type specification will be used by MIT Kerberos
# if uncommented.  In general, the defaults in the MIT Kerberos code are
# correct and overriding these specifications only serves to disable new
# encryption types as they are added, creating interoperability problems.
# The only time when you might need to uncomment these lines and change
# the enctypes is if you have local software that will break on ticket
# caches containing ticket encryption types it doesn't know about (such as
# old versions of Sun Java).

#       default_tgs_enctypes = des3-hmac-sha1
#       default_tkt_enctypes = des3-hmac-sha1
#       permitted_enctypes = des3-hmac-sha1
# The following libdefaults parameters are only for Heimdal Kerberos.
         fcc-mit-ticketflags = true

         CGV.TUGRAZ.AT =  {
                 kdc = carme.cgv.tugraz.at
                 kdc = deimos.cgv.tugraz.at
                 admin_server = carme.cgv.tugraz.at

         ATHENA.MIT.EDU = {
                 kdc = kerberos.mit.edu
                 kdc = kerberos-1.mit.edu
                 kdc = kerberos-2.mit.edu:88
                 admin_server = kerberos.mit.edu
                 default_domain = mit.edu
         ZONE.MIT.EDU = {
                 kdc = casio.mit.edu
                 kdc = seiko.mit.edu
                 admin_server = casio.mit.edu
         CSAIL.MIT.EDU = {
                 admin_server = kerberos.csail.mit.edu
                 default_domain = csail.mit.edu
         IHTFP.ORG = {
                 kdc = kerberos.ihtfp.org
                 admin_server = kerberos.ihtfp.org
         1TS.ORG = {
                 kdc = kerberos.1ts.org
                 admin_server = kerberos.1ts.org
         ANDREW.CMU.EDU = {
                 admin_server = kerberos.andrew.cmu.edu
                 default_domain = andrew.cmu.edu
         CS.CMU.EDU = {
                 kdc = kerberos-1.srv.cs.cmu.edu
                 kdc = kerberos-2.srv.cs.cmu.edu
                 kdc = kerberos-3.srv.cs.cmu.edu
                 admin_server = kerberos.cs.cmu.edu
         DEMENTIA.ORG = {
                 kdc = kerberos.dementix.org
                 kdc = kerberos2.dementix.org
                 admin_server = kerberos.dementix.org
         stanford.edu = {
                 kdc = krb5auth1.stanford.edu
                 kdc = krb5auth2.stanford.edu
                 kdc = krb5auth3.stanford.edu
                 master_kdc = krb5auth1.stanford.edu
                 admin_server = krb5-admin.stanford.edu
                 default_domain = stanford.edu
         UTORONTO.CA = {
                 kdc = kerberos1.utoronto.ca
                 kdc = kerberos2.utoronto.ca
                 kdc = kerberos3.utoronto.ca
                 admin_server = kerberos1.utoronto.ca
                 default_domain = utoronto.ca

         .cgv.tugraz.at = CGV.TUGRAZ.AT
         .mit.edu = ATHENA.MIT.EDU
         mit.edu = ATHENA.MIT.EDU
         .media.mit.edu = MEDIA-LAB.MIT.EDU
         media.mit.edu = MEDIA-LAB.MIT.EDU
         .csail.mit.edu = CSAIL.MIT.EDU
         csail.mit.edu = CSAIL.MIT.EDU
         .whoi.edu = ATHENA.MIT.EDU
         whoi.edu = ATHENA.MIT.EDU
         .stanford.edu = stanford.edu
         .slac.stanford.edu = SLAC.STANFORD.EDU
         .toronto.edu = UTORONTO.CA
         .utoronto.ca = UTORONTO.CA


        Checking file: /etc/nsswitch.conf

# /etc/nsswitch.conf
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd:         files winbind
group:          files winbind
shadow:         files
gshadow:        files

hosts:          files dns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:          files winbind


        Checking file: /etc/samba/smb.conf

#======================= Global Settings =======================
   security = ADS
   workgroup = CGV
   realm = CGV.TUGRAZ.AT
   min protocol = SMB2
   dns proxy = no
   bind interfaces only = yes
   interfaces = lo
   # Default idmap config for local BUILTIN accounts and groups
   # Mandatory, but hopefully not used, because the ids must not overlap
   idmap config * : backend = tdb
   idmap config * : range = 2000000-3000000
   #idmap config for the CGV domain
   idmap config CGV:backend = ad
   idmap config CGV:schema_mode = template
   #idmap config CGV:schema_mode = rfc2307
   # We have the Users group with id 100 - so we neet to start at 100.
   # Probably a really bad idea, but at the moment we have no other choice
   idmap config CGV:range = 300-1999999
   idmap config CGV:unix_primary_group = yes
   idmap config CGV:unix_nss_info = yes
   #winbind nss info = template
   template shell = /bin/zsh
   template homedir = /home/%U
   winbind enum users = yes
   winbind enum groups = yes
   winbind use default domain = yes
   map to guest = bad user
   #syslog only = yes
   panic action = /usr/share/samba/panic-action %d
   log file = /var/log/samba/%m.log
   log level = 10


Running as Unix domain member and no user.map detected.
This is possible with an auth-only setup, checking also for NFS parts
     Warning, /etc/idmapd.conf does not exist


Installed packages:
ii  attr                           1:2.4.48-6                     amd64 
        utilities for manipulating filesystem extended attributes
ii  krb5-config                    2.6+nmu1                       all 
        Configuration files for Kerberos Version 5
ii  krb5-locales                   1.18.3-6+deb11u1               all 
        internationalization support for MIT Kerberos
ii  krb5-user                      1.18.3-6+deb11u1               amd64 
        basic programs to authenticate using MIT Kerberos
ii  libacl1:amd64                  2.2.53-10                      amd64 
        access control list - shared library
ii  libattr1:amd64                 1:2.4.48-6                     amd64 
        extended attribute handling - shared library
ii  libgssapi-krb5-2:amd64         1.18.3-6+deb11u1               amd64 
        MIT Kerberos runtime libraries - krb5 GSS-API Mechanism
ii  libkrb5-3:amd64                1.18.3-6+deb11u1               amd64 
        MIT Kerberos runtime libraries
ii  libkrb5support0:amd64          1.18.3-6+deb11u1               amd64 
        MIT Kerberos runtime libraries - Support library
ii  libnss-winbind:amd64           2:4.13.13+dfsg-1~deb11u3       amd64 
        Samba nameservice integration plugins
ii  libpam-winbind:amd64           2:4.13.13+dfsg-1~deb11u3       amd64 
        Windows domain authentication integration plugin
ii  libwbclient0:amd64             2:4.13.13+dfsg-1~deb11u3       amd64 
        Samba winbind client library
ii  python3-samba                  2:4.13.13+dfsg-1~deb11u3       amd64 
        Python 3 bindings for Samba
ii  samba                          2:4.13.13+dfsg-1~deb11u3       amd64 
        SMB/CIFS file, print, and login server for Unix
ii  samba-common                   2:4.13.13+dfsg-1~deb11u3       all 
        common files used by both the Samba server and client
ii  samba-common-bin               2:4.13.13+dfsg-1~deb11u3       amd64 
        Samba common files used by both the server and the client
ii  samba-dsdb-modules:amd64       2:4.13.13+dfsg-1~deb11u3       amd64 
        Samba Directory Services Database
ii  samba-libs:amd64               2:4.13.13+dfsg-1~deb11u3       amd64 
        Samba core libraries
ii  samba-vfs-modules:amd64        2:4.13.13+dfsg-1~deb11u3       amd64 
        Samba Virtual FileSystem plugins
ii  winbind                        2:4.13.13+dfsg-1~deb11u3       amd64 
        service to resolve user and group information from Windows NT 


> Rowland

Lars Schimmer
TU Graz, Institut für ComputerGraphik & WissensVisualisierung
Tel: +43 316 873-5405       E-Mail: l.schimmer at cgv.tugraz.at
PGP-Key-ID: 0x4A9B1723
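As an added illustration of the 'ad' backend range rules Rowland describes in this thread (not part of the original mail and not Samba's own code): a small Python checker that reads the idmap ranges out of an smb.conf excerpt and applies those rules to a constructed set of AD objects. The smb.conf excerpt is modelled on the one posted above; the account names and uidNumber/gidNumber values are made up, and the hypothetical Domain Users gidNumber of 100 is chosen to show what happens when it falls below the start of the domain range.

```python
import re

# Constructed excerpt modelled on the smb.conf posted in the thread (test input, not live config).
SMB_CONF = """
   workgroup = CGV
   idmap config * : backend = tdb
   idmap config * : range = 2000000-3000000
   idmap config CGV:backend = ad
   idmap config CGV:range = 300-1999999
"""

# Constructed AD objects with hypothetical RFC2307 attributes (None = attribute not set).
AD_OBJECTS = [
    {"name": "Domain Users", "kind": "group", "gidNumber": 100},
    {"name": "alice", "kind": "user", "uidNumber": 10001, "gidNumber": 100},
    {"name": "bob", "kind": "user", "uidNumber": None, "gidNumber": 100},
    {"name": "svc-backup", "kind": "user", "uidNumber": 2500000, "gidNumber": 100},
]

RANGE_RE = re.compile(r"^\s*idmap config\s*(\S+?)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)\s*$", re.I)

def parse_idmap_ranges(conf):
    """Map each idmap domain ('*' or the upper-cased workgroup) to its (low, high) range."""
    ranges = {}
    for line in conf.splitlines():
        m = RANGE_RE.match(line)
        if m:
            ranges[m.group(1).upper()] = (int(m.group(2)), int(m.group(3)))
    return ranges

def check_ad_idmap(ranges, workgroup, objects):
    """Apply the 'ad' backend rules from the thread and return a list of problem strings."""
    lo, hi = ranges[workgroup.upper()]
    problems = []
    star = ranges.get("*")
    # The '*' (BUILTIN / well-known SIDs) range must not overlap the domain range.
    if star and star[0] <= hi and lo <= star[1]:
        problems.append(f"'*' range {star[0]}-{star[1]} overlaps {workgroup} range {lo}-{hi}")
    in_range = lambda n: n is not None and lo <= n <= hi
    # Domain Users needs a gidNumber inside the range, or winbind ignores every user.
    du = next((o for o in objects if o["name"] == "Domain Users"), None)
    if du is None or not in_range(du.get("gidNumber")):
        problems.append(f"Domain Users has no gidNumber inside {lo}-{hi}: all users will be ignored")
    for o in objects:
        if o is du:
            continue
        attr = "uidNumber" if o["kind"] == "user" else "gidNumber"
        if not in_range(o.get(attr)):
            problems.append(f"{o['name']}: {attr}={o.get(attr)} unset or outside {lo}-{hi}, ignored")
    return problems
```

Run `check_ad_idmap(parse_idmap_ranges(SMB_CONF), "CGV", AD_OBJECTS)` to get the three findings for the constructed data; on a real member server the objects would come from an LDAP search for uidNumber/gidNumber, which is outside this offline example.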

