[Samba] Problem with AD & idmap

Lars Schimmer l.schimmer at cgv.tugraz.at
Fri Mar 4 12:30:29 UTC 2022

Am 04.03.2022 um 12:39 schrieb Rowland Penny via samba:
> On Fri, 2022-03-04 at 11:48 +0100, Lars Schimmer via samba wrote:
>> At least our security department. Also I did run castleping on our
>> domains and it was described as good practice to change that key
>> every year.
>> In the end, that's just the Krb5TGTkey, it should not change the
>> way users are found, as krb5 should accept the new key, too.
>> Esp. if the client was added to the domain AFTER the key change.
> So, just because one entity said to change the key, you did, words fail
> me. Samba provides a script to change the script, but you decided to
> change it from Windows.

If the department, which is responsible for >20k people and >200 domains, 
tells me it is a good choice, yeah, I do that.
If I run a Win domain with mostly Windows systems and just a few 
Linux systems, I do it with Windows.
Also it did work on a different domain, with nearly the same config 
for Debian systems.

>>     # Probably a really bad idea, but at the moment we have no other
>> choice
> Why are you using 'users' a Unix group, what is wrong with Domain Users
> ?

That's just an old comment, not the real group anymore.
Also the test system is bare Debian bullseye, with samba installed. No 
group added. The users group with id 100 is set by Debian on 
installation, we do not change it, neither add any users to it.

>>     idmap config CGV:range = 300-1999999
>>     idmap config CGV:unix_primary_group = yes
> If every users gidNumber is '100', then there is no point to the above
> line.

No, it is 10100. As the gid of Domain Users is 10100.
And the PrimaryGroupID is 513.

>>     idmap config CGV:unix_nss_info = yes
>>     #winbind nss info = template
>>     template shell = /bin/zsh
> Is there some reason to use the 'Z' shell shell ?

It is a nice shell and users do like it. But nothing which should be a 
problem, as it worked well, and still works fine with RID backend.

>>     template homedir = /home/%U
>>     winbind enum users = yes
>>     winbind enum groups = yes
> I would suggest you remove the two lines above, you do not need them.

Removed both lines and getent passwd does not show any AD user anymore. 
With both added, it shows at least the admins.
But wbinfo -n shows the S-1-5-21... string for any user, on wbinfo -S 
it resolves the admins to the uid, but not the usual users:
failed to call wbcSidToUid: WBC_ERR_DOMAIN_NOT_FOUND

Interesting to see a Domain not found error.

>>     winbind use default domain = yes
>>     map to guest = bad user
>>     #syslog only = yes
>>     panic action = /usr/share/samba/panic-action %d
>>     log file = /var/log/samba/%m.log
>>     log level = 10
>> -----------
>> Installed packages:
>> ii  attr  1:2.4.48-6  amd64  utilities for manipulating filesystem extended attributes
> You do not seem to have the 'acl' package installed.

Looks like it, I just installed bullseye from netinst and installed the 
bare needed packages to test.

> Rowland
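Added example, not part of the thread or of Samba's own tooling: a small Python check for the two idmap conditions that make the ad backend fail to resolve users, namely a uidNumber or gidNumber outside the domain's configured idmap range (idmap_ad only maps IDs inside that range) and ranges of different domains overlapping (testparm reports that as an error). The smb.conf fragment and the user entries are constructed; the CGV range and the Domain Users gid 10100 come from the thread, the '*' range and the uid values are assumptions.

```python
import re

# Constructed smb.conf fragment modelled on the thread. The CGV range is the
# one quoted above; the '*' range is an assumption for the default domain.
SMB_CONF = """
[global]
    idmap config *:backend = tdb
    idmap config *:range = 2000000-2999999
    idmap config CGV:backend = ad
    idmap config CGV:range = 300-1999999
    idmap config CGV:unix_primary_group = yes
"""

# Constructed AD entries as idmap_ad would read them (uidNumber/gidNumber).
# 10100 is the Domain Users gid from the thread; the uid values are made up.
USERS = {
    "alice": {"uidNumber": 10500, "gidNumber": 10100},
    "bob":   {"uidNumber": 2500000, "gidNumber": 10100},  # uid outside CGV range
    "carol": {"uidNumber": 5000, "gidNumber": 10100},
}

# Accepts both "idmap config DOM:range" and "idmap config DOM : range".
RANGE_RE = re.compile(r"idmap config\s+(\S+)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)", re.I)


def parse_ranges(conf):
    """Return {domain: (low, high)} for every idmap range found in conf."""
    return {m.group(1): (int(m.group(2)), int(m.group(3)))
            for m in RANGE_RE.finditer(conf)}


def overlapping_ranges(ranges):
    """Return pairs of domains whose idmap ranges overlap (a misconfiguration)."""
    names = sorted(ranges)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if ranges[a][0] <= ranges[b][1] and ranges[b][0] <= ranges[a][1]]


def check_users(domain, ranges, users):
    """List (user, attribute, value) entries that idmap_ad would refuse to map."""
    low, high = ranges[domain]
    problems = []
    for name, attrs in users.items():
        for attr in ("uidNumber", "gidNumber"):
            if not low <= attrs[attr] <= high:
                problems.append((name, attr, attrs[attr]))
    return problems
```

Run against a real smb.conf and the output of an LDAP search for uidNumber/gidNumber, the same two functions tell you which users winbind cannot map and why before reading a level-10 log.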

