[Samba] Read RFC2307 attributes from trusted Active Directory domain

Robbie Cook robbiecookie101 at gmail.com
Wed May 4 21:22:16 UTC 2022


Dear all,

I am having problems reading RFC2307 attributes from a trusted domain.

My setup looks like this.

The client machine where I'm testing from resides in Domain A.
Domain A contains several users all set with uidNumber & gidNumber.
Domain A trusts Domain B.
Domain B contains users set with uidNumber & gidNumber.

So far I have successfully managed to map the user accounts from Domain A
and they show up with the correct uid/gid values set within Active Directory
whenever I run a getent passwd. However, for the life of me I cannot get
users from Domain B to return the correct uid/gid. They do not show using
getent passwd so I'm using 'id first.name@domainb.local' to test.



The closest I have managed to get is to use the rfc2307 backend with the
ldap server set to stand-alone. Using this backend I see the correct UID
within the /var/log/samba/log.winbindd-idmap logfile; however, the
primary_gid is always a null value and it looks like it tries to use the
'domain users' group to calculate the gid even though the users I'm testing
with have been set with a different primary group ID in Active Directory.
This results in this line being present in the same logfile:

  _wbint_Sids2UnixIDs: id 0 is out of range 50001-1410065407 for domain domain

and no user being found when running 'id firstname.lastname@domainb.local'.



Here's my current smb.conf file with sensitive information removed.

[global]
        log level = 10
        log file = /var/log/samba/idmap.log

        idmap config * : backend = tdb
        idmap config * : range = 1000-4999

        idmap config domainA : backend = ad
        idmap config domainA : range = 5000-8000
        idmap config domainA : unix_primary_group = yes

        idmap config domainb : backend = rfc2307
        idmap config domainb : range = 50001-9999999999
        idmap config domainb : ldap_server = stand-alone
        idmap config domainb : ldap_url = ldap://10.x.x.x/
        idmap config prd : ldap_user_dn = CN=idmap,OU=STANDARD_ACCOUNTS,DC=domainb,DC=local
        idmap config prd : bind_path_user = OU=STANDARD_ACCOUNTS,DC=domainb,DC=local
        idmap config prd : bind_path_group = OU=UNIVERSAL_SECURITY_GROUPS,DC=domainb,DC=local

        winbind refresh tickets = yes
        kerberos method = secrets and keytab
        winbind enum groups = no
        winbind enum users = yes
        workgroup = domaina
        security = ads
        passdb backend = tdbsam

        printing = cups
        printcap name = cups
        load printers = yes
        cups options = raw

        template homedir = /home/%U
        template shell = /bin/bash
        realm = DOMAINA.LOCAL
        winbind use default domain = yes
        winbind offline logon = yes







What I find most interesting is that I can read all of the correct
information when running the ldapsearch command for the same user so I'm
hopeful something is wrong in my config file.

Any hints/guidance would be much appreciated!

Many thanks

Robbie Cook
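
Editor's note with an added example (not the poster's code and not part of Samba): a small checker that parses the `idmap config <domain> : <option> = <value>` lines of an smb.conf and reports the kinds of problem visible in the file above. The checks it applies are assumptions made for this example: that an idmap range bound must fit in a 32-bit uid_t/gid_t, that ranges of different domains must not overlap, that a domain carrying idmap options should also have a backend and a range, and that an rfc2307 backend with `ldap_server = stand-alone` needs `ldap_url`, `bind_path_user` and `bind_path_group` set for that same domain (the option names come from the idmap_rfc2307 man page). The arithmetic it uses is exact: 9999999999 modulo 2^32 is 1410065407, which is the upper bound winbind printed in the quoted `_wbint_Sids2UnixIDs` line, so the "truncated" value the checker reports for domainb can be compared directly with the log. The embedded sample is a constructed copy of the posted idmap lines, including the `prd` lines exactly as they appear.

```python
"""Static sanity checks for the idmap config lines of an smb.conf (added example)."""
import re
from typing import Dict, List, Optional, Tuple

UINT32_MAX = 2**32 - 1

# Constructed sample: the idmap lines of the posted smb.conf, verbatim,
# including the `prd` lines and the uneven spacing around ':'.
SAMPLE_SMB_CONF = """\
[global]
idmap config * : backend = tdb
idmap config * : range = 1000-4999
idmap config domainA : backend = ad
idmap config domainA : range = 5000-8000
idmap config domainA : unix_primary_group = yes
idmap config domainb : backend = rfc2307
idmap config domainb: range = 50001-9999999999
idmap config domainb: ldap_server = stand-alone
idmap config domainb : ldap_url = ldap://10.x.x.x/
idmap config prd : ldap_user_dn = CN=idmap,OU=STANDARD_ACCOUNTS,DC=domainb,DC=local
idmap config prd : bind_path_user = OU=STANDARD_ACCOUNTS,DC=domainb,DC=local
idmap config prd : bind_path_group = OU=UNIVERSAL_SECURITY_GROUPS,DC=domainb,DC=local
"""

# Domain and option names are case-insensitive in smb.conf; whitespace around
# ':' and '=' is optional, which the posted file relies on.
IDMAP_LINE = re.compile(r"^\s*idmap\s+config\s+(\S+?)\s*:\s*(\w+)\s*=\s*(.*?)\s*$", re.I)

# Assumption for this example: options idmap_rfc2307 needs when
# ldap_server = stand-alone, per its man page.
RFC2307_STANDALONE_REQUIRED = ("ldap_url", "bind_path_user", "bind_path_group")


def truncate_uint32(n: int) -> int:
    """Value a number takes once stored in a 32-bit unsigned uid_t/gid_t."""
    return n & UINT32_MAX


def parse_idmap(conf: str) -> Dict[str, Dict[str, str]]:
    """Collect idmap options per lower-cased domain name."""
    domains: Dict[str, Dict[str, str]] = {}
    for line in conf.splitlines():
        m = IDMAP_LINE.match(line)
        if m:
            dom, opt, val = m.group(1).lower(), m.group(2).lower(), m.group(3)
            domains.setdefault(dom, {})[opt] = val
    return domains


def parse_range(text: str) -> Optional[Tuple[int, int]]:
    """Parse 'LOW-HIGH'; None if the value is missing or malformed."""
    m = re.fullmatch(r"\s*(\d+)\s*-\s*(\d+)\s*", text)
    return (int(m.group(1)), int(m.group(2))) if m else None


def check_idmap(domains: Dict[str, Dict[str, str]]) -> List[str]:
    """Return human-readable findings; an empty list means nothing suspicious."""
    findings: List[str] = []
    if "*" not in domains:
        findings.append("*: no default idmap domain configured")
    ranges: List[Tuple[int, int, str]] = []
    for dom, opts in sorted(domains.items()):
        if "backend" not in opts:
            findings.append(f"{dom}: has idmap options but no backend (misspelt or inconsistently renamed domain?)")
        rng = parse_range(opts.get("range", ""))
        if rng is None:
            findings.append(f"{dom}: no usable range")
        else:
            low, high = rng
            if high > UINT32_MAX:
                findings.append(f"{dom}: range upper bound {high} does not fit in 32 bits; truncated it reads as {truncate_uint32(high)}")
                high = truncate_uint32(high)
            if low >= high:
                findings.append(f"{dom}: range low {low} is not below high {high}")
            ranges.append((low, high, dom))
        if opts.get("backend", "").lower() == "rfc2307" and opts.get("ldap_server", "").lower() == "stand-alone":
            for req in RFC2307_STANDALONE_REQUIRED:
                if req not in opts:
                    findings.append(f"{dom}: rfc2307 stand-alone needs '{req}' but it is not set for this domain")
    # Ranges must be disjoint: a SID resolving into two ranges is ambiguous.
    ranges.sort()
    for (l1, h1, d1), (l2, h2, d2) in zip(ranges, ranges[1:]):
        if l2 <= h1:
            findings.append(f"{d1} ({l1}-{h1}) and {d2} ({l2}-{h2}) overlap")
    return findings


def check_conf(conf: str) -> List[str]:
    return check_idmap(parse_idmap(conf))


if __name__ == "__main__":
    for finding in check_conf(SAMPLE_SMB_CONF):
        print(finding)
```

Run against the sample it reports five findings: the domainb upper bound truncating to 1410065407, the two rfc2307 stand-alone options (`bind_path_user`, `bind_path_group`) that are set under `prd` rather than `domainb`, and the `prd` entry having neither backend nor range. Whether `prd` is a redaction slip or the real domain token is something only the poster can say; the checker only makes the inconsistency visible.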