[Samba] Read RFC2307 attributes from trusted ActiveDirectory domain
Rowland Penny
rpenny at samba.org
Fri May 6 10:18:08 UTC 2022
On Wed, 2022-05-04 at 22:22 +0100, Robbie Cook via samba wrote:
> Dear all,
>
> I am having problems reading RFC2307 attributes from a trusted
> domain.
>
> My setup looks like this.
>
> The client machine where I’m testing from resides in Domain A.
>
> Domain A contains several users all set with uidnumber & gidnumber
>
> Domain A trusts Domain B
>
> Domain B contains users set with uidnumber & gidnumber
>
> So far I have successfully managed to map the user accounts from
> Domain A and they show up with the correct uid/gid values set within
> ActiveDirectory whenever I run a getent passwd. However, for the life
> of me I cannot get users from Domain B to return the correct uid/gid.
> They do not show using getent passwd so I’m using ‘id first.name at
> domainb.local’ to test.
>
> The closest I have managed to get is to use the rfc2307 backend with
> the ldap server set to stand-alone. Using this backend I see the
> correct UID within the /var/log/samba/log.winbindd-idmap logfile
> however, the primary_gid is always a null value and it looks like it
> tries to use ‘domain users’ group to calculate the gid even though the
> users I’m testing with have been set with a different primary group ID
> in active directory. This results in this line being present in the
> same logfile
> _wbint_Sids2UnixIDs: id 0 is out of range 50001-1410065407 for domain
> domain and no user being found when running ‘id
> firstname.lastname at domainb.local’
>
> Here's my current smb.conf file with sensitive information removed.
>
> [global]
> log level = 10
> log file = /var/log/samba/idmap.log
>
> idmap config * : backend = tdb
> idmap config * : range = 1000-4999
>
> idmap config domainA : backend = ad
> idmap config domainA : range = 5000-8000
> idmap config domainA : unix_primary_group = yes
>
> idmap config domainb : backend = rfc2307
> idmap config domainb: range = 50001-9999999999
> idmap config domainb: ldap_server = stand-alone
> idmap config domainb : ldap_url = ldap://10.x.x.x/
> idmap config prd : ldap_user_dn = CN=idmap,OU=STANDARD_ACCOUNTS,DC=domainb,DC=local
> idmap config prd : bind_path_user = OU=STANDARD_ACCOUNTS,DC=domainb,DC=local
> idmap config prd : bind_path_group = OU=UNIVERSAL_SECURITY_GROUPS,DC=domainb,DC=local
>
> winbind refresh tickets = yes
> kerberos method = secrets and keytab
> winbind enum groups = no
> winbind enum users = yes
> workgroup = domaina
> security = ads
>
> passdb backend = tdbsam
>
> printing = cups
> printcap name = cups
> load printers = yes
> cups options = raw
> template homedir = /home/%U
> template shell = /bin/bash
> realm = DOMAINA.LOCAL
> winbind use default domain = yes
> winbind offline logon = yes
You refer to two domains, 'A' and 'B', yet your smb.conf has three: 'A',
'B' and 'PRD'. You also have 'winbind use default domain = yes'; this
is not allowed in a multiple domain setup.
I take it that you have tried the idmap 'ad' backend for 'B' and it didn't
work, which leads to a question: do your users & groups in both domains
have uidNumber & gidNumber attributes, and are the ones in domain 'A'
inside the '5000-8000' range and the ones in domain 'B' inside the
'50001-9999999999' range?
Rowland
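A small checker for the question raised in the reply (do the uidNumber/gidNumber values actually fall inside the idmap ranges configured per domain), added here as an example and not part of the thread or of Samba itself. The smb.conf fragment and the sample account entries are constructed; the domain names and ranges are taken from the quoted config, and the entries stand in for what you would read out of AD with ldbsearch or ldapsearch.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed smb.conf fragment modelled on the quoted one: domain names and
# ranges are from the thread, the rest of the file is omitted.
SMB_CONF = """
[global]
idmap config * : backend = tdb
idmap config * : range = 1000-4999
idmap config domainA : backend = ad
idmap config domainA : range = 5000-8000
idmap config domainb : backend = rfc2307
idmap config domainb: range = 50001-9999999999
"""

# "idmap config <domain> : <option> = <value>", with or without a space
# before the colon (both spellings appear in the quoted config).
IDMAP_RE = re.compile(r"^\s*idmap\s+config\s+(\S+?)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.I)

def parse_idmap_ranges(conf: str) -> Dict[str, Tuple[int, int]]:
    """Return {domain (lower-cased): (low, high)} for every idmap 'range' line."""
    ranges = {}
    for line in conf.splitlines():
        m = IDMAP_RE.match(line)
        if m and m.group(2).lower() == "range":
            low, high = (int(x) for x in m.group(3).split("-"))
            ranges[m.group(1).lower()] = (low, high)
    return ranges

def check_ids(conf: str, entries: List[Tuple[str, str, Optional[int], Optional[int]]]) -> List[str]:
    """entries are (account, domain, uidNumber, gidNumber); None = attribute not set.
    Report ids that are missing or outside their domain's configured range."""
    ranges = parse_idmap_ranges(conf)
    problems = []
    for name, domain, uid, gid in entries:
        if domain.lower() not in ranges:
            problems.append(f"{name}: no idmap range configured for domain {domain}")
            continue
        low, high = ranges[domain.lower()]
        for attr, value in (("uidNumber", uid), ("gidNumber", gid)):
            if value is None:
                problems.append(f"{name}: {attr} attribute missing")
            elif not low <= value <= high:
                problems.append(f"{name}: {attr} {value} is out of range {low}-{high} for domain {domain}")
    return problems

# Constructed sample objects: one valid, one missing gidNumber, one with id 0
# (as in the quoted winbind log line), one in a domain that has no range.
SAMPLE = [("alice", "domainA", 5001, 5001), ("bob", "domainb", 50123, None),
          ("carol", "domainb", 0, 0), ("dave", "prd", 60000, 60000)]
```

Running `check_ids(SMB_CONF, SAMPLE)` reports bob's missing gidNumber, carol's two out-of-range ids and dave's unconfigured domain; alice passes.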