[Samba] Read RFC2307 attributes from trusted ActiveDirectory domain
Robbie Cook
robbiecookie101 at gmail.com
Wed May 4 21:22:16 UTC 2022
Dear all,
I am having problems reading RFC2307 attributes from a trusted domain.
My setup looks like this.
The client machine where I’m testing from resides in Domain A.
Domain A contains several users all set with uidnumber & gidnumber
Domain A trusts Domain B
Domain B contains users set with uidnumber & gidnumber
So far I have successfully managed to map the user accounts from Domain A
and they show up with the correct uid/gid values set within ActiveDirectory
whenever I run a getent passwd. However, for the life of me I cannot get
users from Domain B to return the correct uid/gid. They do not show using
getent passwd so I’m using ‘id first.name at domainb.local’ to test.
The closest I have managed to get is to use the rfc2307 backend with the
ldap server set to stand-alone. Using this backend I see the correct UID
within the /var/log/samba/log.winbindd-idmap logfile however, the
primary_gid is always a null value and it looks like it tries to use
‘domain users’ group to calculate the gid even though the users I’m testing
with have been set with a different primary group ID in active directory.
This results in this line being present in the same logfile:
_wbint_Sids2UnixIDs: id 0 is out of range 50001-1410065407 for domain domain
and no user being found when running ‘id firstname.lastname at domainb.local’.
Here's my current smb.conf file with sensitive information removed.
[global]
log level = 10
log file = /var/log/samba/idmap.log
idmap config * : backend = tdb
idmap config * : range = 1000-4999
idmap config domainA : backend = ad
idmap config domainA : range = 5000-8000
idmap config domainA : unix_primary_group = yes
idmap config domainb : backend = rfc2307
idmap config domainb: range = 50001-9999999999
idmap config domainb: ldap_server = stand-alone
idmap config domainb : ldap_url = ldap://10.x.x.x/
idmap config prd : ldap_user_dn = CN=idmap,OU=STANDARD_ACCOUNTS,DC=domainb,DC=local
idmap config prd : bind_path_user = OU=STANDARD_ACCOUNTS,DC=domainb,DC=local
idmap config prd : bind_path_group = OU=UNIVERSAL_SECURITY_GROUPS,DC=domainb,DC=local
winbind refresh tickets = yes
kerberos method = secrets and keytab
winbind enum groups = no
winbind enum users = yes
workgroup = domaina
security = ads
passdb backend = tdbsam
printing = cups
printcap name = cups
load printers = yes
cups options = raw
template homedir = /home/%U
template shell = /bin/bash
realm = DOMAINA.LOCAL
winbind use default domain = yes
winbind offline logon = yes
What I find most interesting is that I can read all of the correct
information when running the ldapsearch command for the same user so I’m
hopeful something is wrong in my config file.
Any hints/guidance would be much appreciated!
Many thanks
Robbie Cook
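As an added example (not from the poster or the Samba project), here is a small consistency check for the "idmap config" lines in an smb.conf like the one above. It parses a constructed excerpt modelled on the post, flags domain prefixes that carry options but no backend, ranges that overlap, and range bounds that do not fit a 32-bit uid_t. Note that 9999999999 modulo 2^32 is 1410065407, the upper bound winbind prints in the log line quoted above, and that id 0 (the null primary_gid) falls outside any configured range.

```python
import re
from collections import defaultdict

# Constructed excerpt modelled on the smb.conf in the post (not the poster's full file).
SAMPLE_SMB_CONF = """
[global]
idmap config * : backend = tdb
idmap config * : range = 1000-4999
idmap config domainA : backend = ad
idmap config domainA : range = 5000-8000
idmap config domainb : backend = rfc2307
idmap config domainb: range = 50001-9999999999
idmap config domainb: ldap_server = stand-alone
idmap config domainb : ldap_url = ldap://10.x.x.x/
idmap config prd : ldap_user_dn = CN=idmap,OU=STANDARD_ACCOUNTS,DC=domainb,DC=local
"""

# "idmap config <domain> : <option> = <value>"; the space before ':' is optional.
IDMAP_RE = re.compile(r"^\s*idmap\s+config\s+(\S+?)\s*:\s*(\w+)\s*=\s*(.*?)\s*$", re.I)

def parse_idmap(conf):
    """Return {domain_lowercase: {option: value}} for every 'idmap config' line."""
    domains = defaultdict(dict)
    for line in conf.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            dom, opt, val = m.groups()
            domains[dom.lower()][opt.lower()] = val   # domain names are case-insensitive
    return dict(domains)

def check_idmap(conf):
    """Return a list of findings worth resolving before debugging winbind further."""
    findings, ranges = [], {}
    for dom, opts in parse_idmap(conf).items():
        if "backend" not in opts:
            findings.append(f"{dom}: options set but no backend (domain name typo?)")
        if "range" not in opts:
            findings.append(f"{dom}: no range; winbind cannot allocate ids for it")
            continue
        lo, hi = (int(x) for x in opts["range"].split("-"))
        ranges[dom] = (lo, hi)
        if hi > 2**32 - 1:   # uid_t/gid_t are 32-bit; the bound wraps modulo 2^32
            findings.append(f"{dom}: range upper bound {hi} exceeds 32-bit uid_t "
                            f"(wraps to {hi % 2**32})")
    doms = sorted(ranges)
    for i, a in enumerate(doms):
        for b in doms[i + 1:]:
            if ranges[a][0] <= ranges[b][1] and ranges[b][0] <= ranges[a][1]:
                findings.append(f"ranges for {a} and {b} overlap")
    return findings

def id_in_range(conf, domain, unix_id):
    """True if unix_id lies inside the configured idmap range for domain."""
    lo, hi = (int(x) for x in parse_idmap(conf)[domain.lower()]["range"].split("-"))
    return lo <= unix_id <= hi
```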