[Samba] Need help with idmap-configuration

Rowland Penny rpenny at samba.org
Thu Aug 31 19:20:13 UTC 2023


On Thu, 31 Aug 2023 20:11:13 +0200
Peter Koch via samba <samba at lists.samba.org> wrote:

> Hi,
> 
> I'm migrating a samba3-server that is used both
> as a NT4-DC and a fileserver into a pair of samba4
> servers, one should become the new AD-DC and the
> other one should be the new fileserver.
> 
> The new AD-DC seems to work fine. I created all
> local unix users and unix groups on the new AD-DC
> before I started the classic upgrade and deleted
> all of them after the update was finished. That
> way the classic upgrade script was able to create
> all group-memberships within the AD LDAP-database.
> 
> There's no entry for user koch within /etc/passwd;
> nevertheless "getent passwd koch" will show one
> entry for user NAV\koch and this entry shows uid
> 10024. And that's exactly the uid that unix user
> koch has on the old samba3 server.
> 
> "getent passwd koch"-output on old NT4-DC:
> koch:x:10012:10001:Peter Koch:/home/koch:/bin/bash
> This is a line from /etc/passwd
> 
> "getent passwd koch"-output on new AD-DC:
> NAV\koch:*:10012:100::/home/NAV/koch:/bin/false
> 
> The new fileserver had no problems joining the
> domain. And I can log on to my NAV\koch domain
> account from any workstation. So all user and
> machine accounts must be OK.
> 
> But I cannot access the shares on the new
> fileserver. If I try, the following error message
> is written to log.smbd on the fileserver:
> 
> [2023/08/31 14:38:16.714507,  0] 
> ../../source3/auth/auth_util.c:1927(check_account)
>    check_account: Failed to convert SID 
> S-1-5-21-1415314133-2460755331-2761616138-21024 to a UID 
> (dom_user[NAV\koch])
> 
> and Windows-10 tells me that either the username
> or password is incorrect. If I enter user koch with
> a fake password then again Windows-10 tells me that
> either the username or password is incorrect but no
> error-message is written to log.smbd. If I try to
> log on with user koch and the correct password, then
> again the above error message is written to log.smbd.
> 
> So I'm sure the new fileserver validates the password
> against the AD-DC. But after having validated the
> password the new fileserver cannot determine what
> unixid should be used for user NAV\koch.
> 
> Consequently "getent passwd koch" shows empty
> output on the new fileserver.
> 
> I have tried all idmap backends with all combinations
> of "idmap config NAV:something"-parameters and my final
> conclusion is: Instead of trying more and more
> idmap parameters I should better find someone that knows
> how this idmapping is implemented:

You rang ;-)

> 
> In my case the uid of a domain user can be determined
> from the RID-value and vice versa, namely:
> 
> UID=(RID-1000)/2  and  RID=UID*2+1000

That is the very old way of doing things.

> 
> And there is a similar relationship between domain
> groups and GIDs, namely:
> 
> GID=(RID-1001)/2  and  RID=GID*2+1001
> 
> Can someone please tell me how to configure the idmapping
> in smb.conf to make this kind of mapping work.
> 
> Here's one of the many configurations I tried:
> 
>          idmap config NAV:backend = rid
>          idmap config NAV:range = 1000 - 99999
>          # idmap config NAV:schema_mode = rfc2307
>          # idmap config NAV:unix_nss_info = yes
>          # idmap config NAV:unix_primary_group = yes

You upgraded from an NT4-style PDC to an AD domain, so it is very
likely that you now have uidNumber & gidNumber attributes in AD. The
fact that your user on a DC has the ID '10012' instead of an ID in the
'3000000' range backs this up, but the fact that Domain Users is getting
the default ID '100' means it hasn't got a gidNumber attribute.

The first thing you need to do is give Domain Users a gidNumber
attribute; you can use 'samba-tool group addunixattrs' to do this, you
just need to find the next available gidNumber.
Next find the lowest uidNumber or gidNumber in AD and then the highest.
Once you have these, add these lines to the smb.conf on the Unix
domain member:

idmap config * : backend = tdb
idmap config * : range = ${range_based_on_NAV_range}
idmap config NAV : backend = ad
idmap config NAV : schema_mode = rfc2307
idmap config NAV : unix_nss_info = yes
idmap config NAV : range = ${LOWEST}-${HIGHEST}

Where ${LOWEST} is the lowest uidNumber or gidNumber and ${HIGHEST} is
the highest uidNumber/gidNumber plus a large number; this is to allow
for growth. You set ${range_based_on_NAV_range} to be below the NAV
range if the NAV range will allow this (but it should be above 1000) or
well above the NAV range if it doesn't.

If Domain Users does not have a gidNumber, the 'ad' idmap backend will
not work.

Any questions, please ask.

Rowland
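Rowland's procedure above (find the lowest and highest uidNumber/gidNumber in AD, add headroom for growth, place the '*' range clear of the domain range, and first make sure Domain Users actually has a gidNumber), worked through as an added shell example. This is not part of the original post and not Samba's own tooling: it assumes the ID values have already been exported from AD (the list below is constructed), and the GROWTH and DEFAULT_WIDTH constants are arbitrary choices for illustration, not figures from the thread.

```shell
#!/bin/sh
# Added example (not Samba's own tooling): derive the idmap ranges Rowland
# describes from the uidNumber/gidNumber values found in AD, render the
# smb.conf stanza, and flag the "default gid 100" symptom from the post.
set -eu

# Constructed sample of uidNumber/gidNumber values. On a real DC you would
# collect these from AD (e.g. with ldbsearch); the values below are made up.
SAMPLE_IDS='10001
10012
10024
10100
10037'

# Assumed policy constants, not from the original post: how much headroom to
# add above the highest ID, and how wide the 'idmap config *' range should be.
GROWTH=100000
DEFAULT_WIDTH=3000

# min_max VALUES -> "lowest highest" (one number per line on input)
min_max() {
    printf '%s\n' "$1" | grep -E '^[0-9]+$' | sort -n |
        awk 'NR == 1 { min = $1 } { max = $1 }
             END { if (NR == 0) exit 1; print min, max }'
}

# nav_range LOWEST HIGHEST GROWTH -> "LOWEST-(HIGHEST+GROWTH)"
nav_range() {
    printf '%s-%s\n' "$1" "$(( $2 + $3 ))"
}

# default_range DOM_LOW DOM_HIGH WIDTH -> range for 'idmap config *'.
# Placed below the domain range when that keeps it above 1000, otherwise
# directly above the domain range, so the two ranges never overlap.
default_range() {
    low=$1; high=$2; width=$3
    if [ $(( low - width )) -ge 1001 ]; then
        printf '%s-%s\n' "$(( low - width ))" "$(( low - 1 ))"
    else
        printf '%s-%s\n' "$(( high + 1 ))" "$(( high + width ))"
    fi
}

# render_idmap DOMAIN DOMAIN_RANGE DEFAULT_RANGE -> smb.conf lines
render_idmap() {
    cat <<EOF
idmap config * : backend = tdb
idmap config * : range = $3
idmap config $1 : backend = ad
idmap config $1 : schema_mode = rfc2307
idmap config $1 : unix_nss_info = yes
idmap config $1 : range = $2
EOF
}

# primary_gid GETENT_LINE -> the fourth field of a 'getent passwd' line
primary_gid() {
    printf '%s\n' "$1" | cut -d: -f4
}

# needs_gidnumber GETENT_LINE -> success when the primary gid is 100, the
# fallback Rowland points to when Domain Users has no gidNumber attribute
needs_gidnumber() {
    [ "$(primary_gid "$1")" -eq 100 ]
}

# Walk the procedure on the constructed sample.
mm=$(min_max "$SAMPLE_IDS")
lowest=${mm% *}
highest=${mm#* }
nav=$(nav_range "$lowest" "$highest" "$GROWTH")
dflt=$(default_range "${nav%-*}" "${nav#*-}" "$DEFAULT_WIDTH")
render_idmap NAV "$nav" "$dflt"

# The getent line from the original post: gid 100 means Domain Users still
# needs 'samba-tool group addunixattrs' before the ad backend can resolve it.
if needs_gidnumber 'NAV\koch:*:10012:100::/home/NAV/koch:/bin/false'; then
    echo 'warning: primary gid is 100, give Domain Users a gidNumber first' >&2
fi
```

Run it as-is to see the stanza for the sample (domain range 10001-110100, default range 7001-10000); replace SAMPLE_IDS with the real attribute values exported from the DC to get the ranges for your domain. The gid-100 check is the quick way to confirm, before touching smb.conf, that the 'ad' backend has something to work with.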
 



