[Samba] Read RFC2307 attributes from trusted ActiveDirectory domain

Rowland Penny rpenny at samba.org
Fri May 6 10:18:08 UTC 2022


On Wed, 2022-05-04 at 22:22 +0100, Robbie Cook via samba wrote:
> Dear all,
> 
> I am having problems reading RFC2307 attributes from a trusted
> domain.
> 
> My setup looks like this.
> 
> The client machine where I’m testing from resides in Domain A.
> Domain A contains several users all set with uidnumber & gidnumber
> Domain A trusts Domain B
> Domain B contains users set with uidnumber & gidnumber
> 
> So far I have successfully managed to map the user accounts from
> Domain A and they show up with the correct uid/gid values set within
> ActiveDirectory whenever I run a getent passwd. However, for the life
> of me I cannot get users from Domain B to return the correct uid/gid.
> They do not show using getent passwd so I’m using ‘id
> first.name at domainb.local’ to test.
> 
> The closest I have managed to get is to use the rfc2307 backend with
> the ldap server set to stand-alone. Using this backend I see the
> correct UID within the /var/log/samba/log.winbindd-idmap logfile;
> however, the primary_gid is always a null value and it looks like it
> tries to use the ‘domain users’ group to calculate the gid even though
> the users I’m testing with have been set with a different primary
> group ID in active directory. This results in this line being present
> in the same logfile:
> _wbint_Sids2UnixIDs: id 0 is out of range 50001-1410065407 for domain
> domain
> and no user being found when running ‘id
> firstname.lastname at domainb.local’
> 
> Here's my current smb.conf file with sensitive information removed.
> 
> [global]
> log level = 10
> log file = /var/log/samba/idmap.log
> 
> idmap config * : backend = tdb
> idmap config * : range = 1000-4999
> 
> idmap config domainA : backend = ad
> idmap config domainA : range = 5000-8000
> idmap config domainA : unix_primary_group = yes
> 
> idmap config domainb : backend = rfc2307
> idmap config domainb: range = 50001-9999999999
> idmap config domainb: ldap_server = stand-alone
> idmap config domainb : ldap_url = ldap://10.x.x.x/
> idmap config prd : ldap_user_dn = CN=idmap,OU=STANDARD_ACCOUNTS,DC=domainb,DC=local
> idmap config prd : bind_path_user = OU=STANDARD_ACCOUNTS,DC=domainb,DC=local
> idmap config prd : bind_path_group = OU=UNIVERSAL_SECURITY_GROUPS,DC=domainb,DC=local
> 
> winbind refresh tickets = yes
> kerberos method = secrets and keytab
> winbind enum groups = no
> winbind enum users = yes
> workgroup = domaina
> security = ads
> 
> passdb backend = tdbsam
> 
> printing = cups
> printcap name = cups
> load printers = yes
> cups options = raw
> 
> template homedir = /home/%U
> template shell = /bin/bash
> realm = DOMAINA.LOCAL
> winbind use default domain = yes
> winbind offline logon = yes


You refer to two domains, 'A' and 'B', yet your smb.conf has three: 'A',
'B' and 'PRD'. You also have 'winbind use default domain = yes', and this
is not allowed in a multiple domain setup.

I take it that you have tried the idmap 'ad' backend for 'B' and it didn't
work, which leads to a question: do your users & groups in both domains
have uidNumber & gidNumber attributes, and are the ones in domain 'A'
inside the '5000-8000' range and the ones in domain 'B' inside the
'50001-9999999999' range?

Rowland
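A quick way to answer the two questions in the reply against a real setup, as an added example that is not part of this thread or of Samba itself: it parses the 'idmap config ... : range' lines out of smb.conf, checks each user's uidNumber/gidNumber against the range configured for that user's domain (the IDs winbind otherwise rejects as out of range), and flags 'winbind use default domain = yes' when more than one idmap domain is named. The smb.conf fragment and the user rows are constructed samples; in practice the rows would come from an LDAP query of each domain, and the function names are this example's own.

```python
import re
# Constructed smb.conf fragment modelled on the idmap lines in the thread.
SMB_CONF = """
idmap config * : range = 1000-4999
idmap config domainA : range = 5000-8000
idmap config domainb: range = 50001-9999999999
idmap config prd : ldap_url = ldap://10.x.x.x/
winbind use default domain = yes
"""
# Constructed (domain, account, uidNumber, gidNumber) rows as LDAP would return them; None = unset.
USERS = [
    ("domainA", "alice", 5001, 5001),
    ("domainb", "bob", 50010, 50010),
    ("domainb", "carol", 50011, None),  # primary group has no gidNumber
    ("domainb", "dave", 4000, 50010),   # uidNumber below the domain's range
]
RANGE_RE = re.compile(r"^\s*idmap config\s+(\S+)\s*:\s*range\s*=\s*(\d+)-(\d+)\s*$", re.I)
DOMAIN_RE = re.compile(r"^\s*idmap config\s+(\S+?)\s*:", re.I)

def parse_idmap_ranges(conf):
    """Map each idmap domain (lower-cased) to its (low, high) range."""
    ranges = {}
    for m in filter(None, map(RANGE_RE.match, conf.splitlines())):
        ranges[m.group(1).lower()] = (int(m.group(2)), int(m.group(3)))
    return ranges

def check_users(conf, users):
    """Users whose uidNumber/gidNumber is unset or outside their domain's idmap range."""
    ranges, problems = parse_idmap_ranges(conf), []
    for dom, name, uid, gid in users:
        if dom.lower() not in ranges:
            problems.append(f"{dom}\\{name}: no idmap range for domain")
            continue
        low, high = ranges[dom.lower()]
        for attr, val in (("uidNumber", uid), ("gidNumber", gid)):
            if val is None:
                problems.append(f"{dom}\\{name}: {attr} is not set")
            elif not low <= val <= high:
                problems.append(f"{dom}\\{name}: {attr} {val} outside {low}-{high}")
    return problems

def check_config(conf):
    """(issues, domains): idmap domains named in the config, plus a warning if
    'winbind use default domain = yes' is set with more than one of them."""
    found = {m.group(1).lower() for m in map(DOMAIN_RE.match, conf.splitlines()) if m}
    domains, issues = sorted(found - {"*"}), []
    if len(domains) > 1 and re.search(r"^\s*winbind use default domain\s*=\s*yes", conf, re.I | re.M):
        issues.append("winbind use default domain = yes with domains " + ", ".join(domains))
    return issues, domains
```

Run against the sample it reports carol's missing gidNumber, dave's out-of-range uidNumber, and the three domains combined with 'winbind use default domain = yes'.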