[Samba] Problem with AD & idmap

Rowland Penny rpenny at samba.org
Fri Mar 4 11:39:45 UTC 2022


On Fri, 2022-03-04 at 11:48 +0100, Lars Schimmer via samba wrote:
> 
> 
> At least our security department. Also I did run castleping on our
> domains and it was described as good practise to change that key
> every year.
> Over the end, that's just the Krb5TGTkey, it should not change the
> way users are found, as krb5 should accept the new key, too.
> Esp if the client was added to domain AFTER the keychange.

So, just because one entity said to change the key, you did; words fail
me. Samba provides a script to change the script, but you decided to
change it from Windows.

>         Checking file: /etc/samba/smb.conf
> 
> #======================= Global Settings =======================
> [global]
>    security = ADS
>    workgroup = CGV
>    realm = CGV.TUGRAZ.AT
>    min protocol = SMB2

You do not require the above line, it is the default now.

>    dns proxy = no
>    bind interfaces only = yes
>    interfaces = lo 129.27.218.0/24
>    # Default idmap config for local BUILTIN accounts and groups
>    # Mandatory, but hopefully not used, because the ids must not overlap
>    idmap config * : backend = tdb
>    idmap config * : range = 2000000-3000000
>    #idmap config for the CGV domain
>    idmap config CGV:backend = ad
>    idmap config CGV:schema_mode = template
>    #idmap config CGV:schema_mode = rfc2307
>    # We have the Users group with id 100 - so we need to start at 100.
>    # Probably a really bad idea, but at the moment we have no other choice

Why are you using 'users', a Unix group? What is wrong with Domain Users?

>    idmap config CGV:range = 300-1999999
>    idmap config CGV:unix_primary_group = yes

If every user's gidNumber is '100', then there is no point to the above
line.

>    idmap config CGV:unix_nss_info = yes
>    #winbind nss info = template
>    template shell = /bin/zsh

Is there some reason to use the 'Z' shell?

>    template homedir = /home/%U
>    winbind enum users = yes
>    winbind enum groups = yes

I would suggest you remove the two lines above; you do not need them.
 
>    winbind use default domain = yes
>    map to guest = bad user
>    #syslog only = yes
>    panic action = /usr/share/samba/panic-action %d
>    log file = /var/log/samba/%m.log
>    log level = 10
> 
> -----------
> 
> 
> Installed packages:
> ii  attr  1:2.4.48-6  amd64  utilities for manipulating filesystem extended attributes

You do not seem to have the 'acl' package installed.

Rowland
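The config comment in the quoted smb.conf says the idmap ranges "must not overlap", and the thread turns on the local Unix 'users' group (gid 100) sitting near the bottom of the CGV range. The following is an added checker, not part of this thread and not a Samba tool: it parses the `idmap config <domain> : range = low-high` lines out of an smb.conf text, reports ranges that intersect each other (winbind refuses such a config), and reports local accounts whose numeric ID falls inside a domain range. The smb.conf snippet and the local ID table are constructed samples modelled on the quoted configuration, not the poster's real files.

```python
import re
from collections import namedtuple

IdmapRange = namedtuple("IdmapRange", "domain low high")

# Constructed sample modelled on the smb.conf quoted in the thread (not the original file).
SAMPLE_SMB_CONF = """
[global]
   security = ADS
   workgroup = CGV
   realm = CGV.TUGRAZ.AT
   idmap config * : backend = tdb
   idmap config * : range = 2000000-3000000
   idmap config CGV:backend = ad
   idmap config CGV:schema_mode = template
   idmap config CGV:range = 300-1999999
   idmap config CGV:unix_primary_group = yes
"""

# Constructed local IDs standing in for /etc/passwd and /etc/group on the member server.
SAMPLE_LOCAL_IDS = {"root": 0, "users": 100, "nobody": 65534, "localadmin": 1000}

# Matches both "idmap config * : range = a-b" and "idmap config CGV:range = a-b".
RANGE_RE = re.compile(
    r"^\s*idmap\s+config\s+(\S+?)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)\s*$",
    re.IGNORECASE,
)


def parse_idmap_ranges(conf_text):
    """Extract every idmap range declared in an smb.conf text."""
    ranges = []
    for line in conf_text.splitlines():
        m = RANGE_RE.match(line)
        if m:
            ranges.append(IdmapRange(m.group(1), int(m.group(2)), int(m.group(3))))
    return ranges


def find_range_overlaps(ranges):
    """Return (domain_a, domain_b) for every pair of ranges whose intervals intersect."""
    overlaps = []
    for i, a in enumerate(ranges):
        for b in ranges[i + 1:]:
            if a.low <= b.high and b.low <= a.high:
                overlaps.append((a.domain, b.domain))
    return overlaps


def find_local_id_collisions(ranges, local_ids):
    """Return (name, id, domain) for local accounts whose ID lies inside a domain's idmap range."""
    hits = []
    for name, num in sorted(local_ids.items(), key=lambda kv: kv[1]):
        for r in ranges:
            if r.low <= num <= r.high:
                hits.append((name, num, r.domain))
    return hits


def check_smb_conf(conf_text, local_ids):
    """Run all checks and return a dict a practitioner can inspect or assert on."""
    ranges = parse_idmap_ranges(conf_text)
    return {
        "ranges": ranges,
        "overlaps": find_range_overlaps(ranges),
        "local_collisions": find_local_id_collisions(ranges, local_ids),
        "invalid": [r.domain for r in ranges if r.low > r.high],
    }


if __name__ == "__main__":
    report = check_smb_conf(SAMPLE_SMB_CONF, SAMPLE_LOCAL_IDS)
    for r in report["ranges"]:
        print(f"range {r.domain}: {r.low}-{r.high}")
    print("overlapping ranges:", report["overlaps"] or "none")
    for name, num, dom in report["local_collisions"]:
        print(f"local account {name} (id {num}) falls inside the {dom} idmap range")
```

With the sample as written the two ranges do not intersect, but the constructed local accounts 'localadmin' (1000) and 'nobody' (65534) both fall inside the CGV range; lowering the range start to 100, as the quoted comment proposes, additionally pulls the local 'users' group into it. Run it against the real smb.conf and a dump of /etc/passwd and /etc/group before changing ranges.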
