[Samba] Read RFC2307 attributes from trusted ActiveDirectory domain

Robbie Cook robbiecookie101 at gmail.com
Wed May 4 21:22:16 UTC 2022

Dear all,

I am having problems reading RFC2307 attributes from a trusted domain.

My setup looks like this.

The client machine where I’m testing from resides in Domain A.

Domain A contains several users all set with uidnumber & gidnumber

Domain A trusts Domain B

Domain B contains users set with uidnumber & gidnumber

So far I have successfully managed to map the user accounts from Domain A
and they show up with the correct uid/gid values set within Active Directory
whenever I run a getent passwd. However, for the life of me I cannot get
users from Domain B to return the correct uid/gid. They do not show using
getent passwd, so I’m using ‘id first.name@domainb.local’ to test.

The closest I have managed to get is to use the rfc2307 backend with
ldap_server set to stand-alone. Using this backend I see the correct UID
within the /var/log/samba/log.winbindd-idmap logfile; however, the
primary_gid is always a null value and it looks like it tries to use the
‘domain users’ group to calculate the gid even though the users I’m testing
with have been set with a different primary group ID in Active Directory.
This results in this line being present in the same logfile:

_wbint_Sids2UnixIDs: id 0 is out of range 50001-1410065407 for domain domain

and no user being found when running ‘id firstname.lastname@domainb.local’.

Here's my current smb.conf file with sensitive information removed.


log level = 10
log file = /var/log/samba/idmap.log

idmap config * : backend = tdb
idmap config * : range = 1000-4999

idmap config domainA : backend = ad
idmap config domainA : range = 5000-8000
idmap config domainA : unix_primary_group = yes

idmap config domainb : backend = rfc2307
idmap config domainb : range = 50001-9999999999
idmap config domainb : ldap_server = stand-alone
idmap config domainb : ldap_url = ldap://10.x.x.x/
idmap config prd : ldap_user_dn =
idmap config prd : bind_path_user = OU=STANDARD_ACCOUNTS,DC=domainb,DC=local
idmap config prd : bind_path_group =

winbind refresh tickets = yes
kerberos method = secrets and keytab
winbind enum groups = no
winbind enum users = yes

workgroup = domaina
security = ads
passdb backend = tdbsam

printing = cups
printcap name = cups
load printers = yes
cups options = raw

template homedir = /home/%U
template shell = /bin/bash
winbind use default domain = yes
winbind offline logon = yes

What I find most interesting is that I can read all of the correct
information when running the ldapsearch command for the same user so I’m
hopeful something is wrong in my config file.

Any hints/guidance would be much appreciated!

Many thanks

Robbie Cook
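Added example, not part of the post above and not Samba project code: a small Python linter that parses the idmap lines of the smb.conf quoted in the message and flags the things that commonly break mapping for a trusted domain (a domain name that has options but no backend line, a backend missing options it needs, an id range outside the 32-bit uid_t/gid_t space, overlapping ranges), then replays the per-domain range test that produces an "id N is out of range" line for a constructed uidNumber/gidNumber pair. Two assumptions are marked in the code: the required-option table is taken from the idmap_rfc2307 / idmap_ad / idmap_tdb man pages rather than from the post, and the truncation of the range upper bound to 32 bits is modelled on the bound in the logged line (9999999999 & 0xFFFFFFFF is 1410065407). The sample user (uidNumber 60001, gidNumber 0) is constructed, not taken from the poster's directory.

```python
"""Lint the idmap lines of an smb.conf and replay winbind's range check.

Added example; not code from the original post or from the Samba project.
Assumptions are marked inline. The config text below is the post's own
idmap section, embedded so the script runs offline.
"""
import re

SMB_CONF = """
idmap config * : backend = tdb
idmap config * : range = 1000-4999
idmap config domainA : backend = ad
idmap config domainA : range = 5000-8000
idmap config domainA : unix_primary_group = yes
idmap config domainb : backend = rfc2307
idmap config domainb: range = 50001-9999999999
idmap config domainb: ldap_server = stand-alone
idmap config domainb : ldap_url = ldap://10.x.x.x/
idmap config prd : ldap_user_dn =
idmap config prd : bind_path_user = OU=STANDARD_ACCOUNTS,DC=domainb,DC=local
idmap config prd : bind_path_group =
"""

ID_MAX = 2**32 - 1  # uid_t/gid_t are 32-bit; nothing above this is representable

# Options a backend needs before it can answer a lookup (assumption: taken from
# the idmap_rfc2307 / idmap_ad / idmap_tdb man pages, not from the post).
REQUIRED = {
    "rfc2307": {"range", "ldap_server", "bind_path_user", "bind_path_group"},
    "ad": {"range"},
    "tdb": {"range"},
}

# "idmap config DOMAIN : option = value"; tolerates a missing space before ':'
LINE_RE = re.compile(r"^\s*idmap\s+config\s+([^:]+?)\s*:\s*(\w+)\s*=\s*(.*?)\s*$", re.I)


def parse_idmap(text):
    """Return {domain: {option: value}}. Domain and option names are folded to
    lower case because smb.conf treats them case-insensitively."""
    cfg = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            dom, opt, val = m.group(1).lower(), m.group(2).lower(), m.group(3)
            cfg.setdefault(dom, {})[opt] = val
    return cfg


def parse_range(val):
    lo, hi = (int(x) for x in val.split("-", 1))
    return lo, hi


def effective_range(val):
    """Range as winbind reports it. Assumption: the upper bound is truncated to
    32 bits (9999999999 & 0xFFFFFFFF == 1410065407, the bound in the logged
    '_wbint_Sids2UnixIDs' line), so that is what is modelled here."""
    lo, hi = parse_range(val)
    return lo, hi & 0xFFFFFFFF


def lint(cfg):
    """Return a list of human-readable findings; empty means nothing flagged."""
    findings, ranges = [], []
    for dom, opts in cfg.items():
        backend = opts.get("backend")
        if backend is None:
            findings.append(f"{dom}: options set but no 'backend' line "
                            "(different spelling of another domain's name?)")
            continue
        missing = REQUIRED.get(backend, set()) - set(opts)
        if missing:
            findings.append(f"{dom}: backend {backend} is missing {sorted(missing)}")
        for opt in ("bind_path_user", "bind_path_group", "ldap_url"):
            if opt in opts and not opts[opt]:
                findings.append(f"{dom}: {opt} is set but empty")
        if "range" in opts:
            lo, hi = parse_range(opts["range"])
            if hi > ID_MAX:
                findings.append(f"{dom}: range upper bound {hi} exceeds 32-bit ID "
                                f"space; winbind would see {hi & 0xFFFFFFFF}")
            ranges.append((dom, lo, hi))
    for i, (d1, lo1, hi1) in enumerate(ranges):
        for d2, lo2, hi2 in ranges[i + 1:]:
            if lo1 <= hi2 and lo2 <= hi1:
                findings.append(f"{d1} and {d2}: ranges overlap")
    return findings


def check_ids(cfg, dom, uid, gid):
    """Replay the per-domain range test winbind applies to a looked-up
    uidNumber/gidNumber pair; return the IDs it would reject."""
    lo, hi = effective_range(cfg[dom.lower()]["range"])
    return [f"{kind} {value} is out of range {lo}-{hi} for domain {dom}"
            for kind, value in (("uid", uid), ("gid", gid))
            if not lo <= value <= hi]


if __name__ == "__main__":
    cfg = parse_idmap(SMB_CONF)
    for finding in lint(cfg):
        print("lint:", finding)
    # Constructed sample: a Domain B user whose uidNumber resolved but whose
    # primary group produced no gidNumber (0), as in the post's log line.
    for problem in check_ids(cfg, "domainb", 60001, 0):
        print("lookup:", problem)
```

Run it against a real smb.conf by replacing SMB_CONF with the file's contents (only the "idmap config" lines are read). The lookup half only replays the range arithmetic; to see what winbind actually received for a user, keep log level 10 on the idmap log and compare the uidNumber/gidNumber in the Sids2UnixIDs lines with the values ldapsearch returns.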
