[Samba] Need help with idmap-configuration

Peter Koch sambamailinglist at gmail.com
Thu Aug 31 18:11:13 UTC 2023


I'm migrating a samba3-server that is used both
as an NT4-DC and a fileserver into a pair of samba4
servers, one should become the new AD-DC and the
other one should be the new fileserver.

The new AD-DC seems to work fine. I created all
local unix users and unix groups on the new AD-DC
before I started the classic upgrade and deleted
all of them after the update was finished. That
way the classic upgrade script was able to create
all group-memberships within the AD LDAP-database.

There's no entry for user koch within /etc/passwd
nevertheless "getent passwd koch" will show one
entry for user NAV\koch and this entry shows uid
10024. And that's exactly the uid that unix user
koch has on the old samba3 server.

"getent passwd koch"-output on old NT4-DC:
koch:x:10012:10001:Peter Koch:/home/koch:/bin/bash
This is a line from /etc/passwd

"getent passwd koch"-output on new AD-DC:

The new fileserver had no problems joining the
domain. And I can log on to my NAV\koch domain
account from any workstation. So all user and
machine accounts must be OK.

But I cannot access the shares on the new
fileserver. If I do, the following error message
is written to log.smbd on the fileserver:

[2023/08/31 14:38:16.714507,  0] 
   check_account: Failed to convert SID 
S-1-5-21-1415314133-2460755331-2761616138-21024 to a UID 

and Windows-10 tells me that either the username
or password is incorrect. If I enter user koch with
a fake password then again Windows-10 tells me that
either the username or password is incorrect but no
error-message is written to log.smbd. If I try to
logon with user koch and correct password, then
again the above error message is written to log.smbd.

So I'm sure the new fileserver validates the password
against the AD-DC. But after having validated the
password the new fileserver cannot determine what
unixid should be used for user NAV\koch.

Consequently  "getent passwd koch"  shows empty
output on the new fileserver.

I have tried all idmap backends with all combinations
of "idmap config NAV:something"-parameters and my final
conclusion is: Instead of trying more and more
idmap parameters I should better find someone that knows
how this idmapping is implemented:

In my case the uid of a domain user can be determined
from the RID-value and vice versa, namely:

UID=(RID-1000)/2  and  RID=UID*2+1000

And there is a similar relationship between domain
groups and GIDs, namely:

GID=(RID-1001)/2  and  RID=GID*2+1001

Can someone please tell me how to configure the idmapping
in smb.conf to make this kind of mapping work?

Here's one of the many configurations I tried:

         idmap config NAV:backend = rid
         idmap config NAV:range = 1000 - 99999
         # idmap config NAV:schema_mode = rfc2307
         # idmap config NAV:unix_nss_info = yes
         # idmap config NAV:unix_primary_group = yes

Kind regards
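
The two mappings discussed in this message, side by side, as an added example that is not part of the original post: the UID/GID formulas quoted above and the formula documented in idmap_rid(8), ID = RID - BASE_RID + LOW_RANGE_ID. Function names are hypothetical, the SID is the one from the log excerpt, and the second RID (21026) is constructed.

```python
# Added example. Function names are hypothetical; the SID comes from the
# log excerpt in the post, the second RID (21026) is constructed.

def parse_rid(sid: str) -> int:
    """Return the RID, i.e. the last sub-authority of a SID string."""
    return int(sid.rsplit("-", 1)[1])

# Mapping quoted in the post: UID=(RID-1000)/2 and GID=(RID-1001)/2.
def legacy_uid(rid: int) -> int:
    if rid < 1000 or (rid - 1000) % 2:
        raise ValueError(f"RID {rid} is not a user RID under this scheme")
    return (rid - 1000) // 2

def legacy_gid(rid: int) -> int:
    if rid < 1001 or (rid - 1001) % 2:
        raise ValueError(f"RID {rid} is not a group RID under this scheme")
    return (rid - 1001) // 2

def legacy_user_rid(uid: int) -> int:
    return uid * 2 + 1000

def legacy_group_rid(gid: int) -> int:
    return gid * 2 + 1001

# Formula from idmap_rid(8): ID = RID - BASE_RID + LOW_RANGE_ID.
# IDs that fall outside the configured range are left unmapped (None here).
def idmap_rid_id(rid: int, low: int, high: int, base_rid: int = 0):
    unix_id = rid - base_rid + low
    return unix_id if low <= unix_id <= high else None

def single_offset_fits(rids) -> bool:
    """True if one constant offset (low - base_rid) reproduces legacy_uid
    for every RID given, which is what the rid backend would require."""
    return len({legacy_uid(r) - r for r in rids}) == 1

if __name__ == "__main__":
    sid = "S-1-5-21-1415314133-2460755331-2761616138-21024"
    rid = parse_rid(sid)
    print("RID:", rid)
    print("UID by the quoted formula:", legacy_uid(rid))
    print("UID by idmap_rid, range 1000 - 99999:", idmap_rid_id(rid, 1000, 99999))
    print("one offset fits RIDs 21024 and 21026:", single_offset_fits([rid, 21026]))
```

For the SID in the log, the quoted formula gives 10012 and the rid backend with range 1000 - 99999 gives 22024. The rid formula only adds a constant to the RID while the quoted one halves it, so a single range/base_rid setting cannot reproduce the quoted mapping for more than one account.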

