[Samba] Issues with AD trusts and UID/GID ranges

Rowland Penny rpenny at samba.org
Thu Nov 2 16:46:42 UTC 2023


On Thu, 2 Nov 2023 12:30:51 -0400
Anthony Halliday via samba <samba at lists.samba.org> wrote:

> Hello All,
> I'm having issues joining some Ubuntu servers to an Active Directory
> domain with trusts. All my machines are running samba and winbind. I
> have a two domains, we'll call them CORPORATE and CUSTOMER. CUSTOMER
> has a one way trust with CORPORATE, such that any resources CUSTOMER
> can access, CORPORATE can as well, but not vice-versa. On all of my
> CORPORATE machines, users are assigned UIDs/GIDs in the range
> 10000-20000, and this has worked well so far. On CUSTOMER machines,
> I'd like to make it so that CORPORATE users are in the range
> 10000-20000 (just like on my CORPORATE machines), and CUSTOMER users
> are in the range 20001-30000. However, for some reason, with my
> current configs (attached), after joining to the domain, all users
> end up in the 30001-40000 range assigned to *​. I tried not defining
> a range for *​, but testparm​ gave me errors and samba wouldn't
> launch. I'm a complete amateur at this, so I would appreciate any
> help you could offer. Thanks.
> 
> krb5.conf:
> ```
> [libdefaults]
>     dns_lookup_realm = false
>     ticket_lifetime = 24h
>     renew_lifetime = 7d
>     forwardable = true
>     rdns = false
>     default_realm = CUSTOMER.TLD
>     default_ccache_name = KEYRING:persistent:%{uid}
> 
> [realms]
>     CUSTOMER.TLD = {
>         kdc = ad.customer.tld
>         admin_server = ad.customer.tld
>         default_domain = customer.tld
>         pkinit_anchors = FILE:/etc/pki/nssdb/certificate.pem
>         pkinit_cert_match = <KU>digitalSignature
>         pkinit_kdc_hostname = ad.customer.tld
>     }
>     CORPORATE.TLD = {
>         kdc = ad.corporate.tld
>         admin_server = ad.corporate.tld
>         default_domain = corporate.tld
>         pkinit_anchors = FILE:/etc/pki/nssdb/certificate.pem
>         pkinit_cert_match = <KU>digitalSignature
>         pkinit_kdc_hostname = ad.corporate.tld
>     }
> 
> [domain_realm]
>     .customer.tld = CUSTOMER.TLD
>     customer.tld = CUSTOMER.TLD
>     .corporate.tld = CORPORATE.TLD
>     corporate.tld = CORPORATE.TLD
> ```
> 
> smb.conf:
> ```
> [global]
>     workgroup = CUSTOMER
>     usershare allow guests = NO
>     kerberos method = secrets and keytab
>     realm = CUSTOMER.TLD
>     security = ADS
>     idmap config *:range = 30001-40000

The default range '*' is meant for the Well Known Users (of which there
are fewer than 200) and anything outside the DOMAINS set in smb.conf
(basically 0), so why do you have a range that is about 10000?

>     idmap config CUSTOMER:range = 20001-30000
>     idmap config CORPORATE:range = 10000-20000

Where are your backend settings for the DOMAINS?

As you appear to have uidNumber & gidNumber attributes (that is the way
it sounds), I would expect lines similar to these:

      idmap config CORPORATE : backend = ad
      idmap config CORPORATE : range = 10000-20000
      idmap config CUSTOMER : backend = rid
      idmap config CUSTOMER : range = 20001-30000

>     template homedir = /home/%D/%U
>     template shell = /bin/bash
>     winbind use default domain = true

Sorry, but you cannot use 'winbind use default domain = true' with
multiple domains.

>     winbind offline logon = yes
>     winbind refresh tickets = yes
>     winbind scan trusted domains = yes
> ```

Rowland
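As an added example (not part of the thread, and not Samba's own tooling), the following script checks an smb.conf `[global]` block for the problems raised in the reply: a domain with an `idmap config` range but no backend, a missing `*` range, overlapping ranges between domains, and `winbind use default domain` enabled with more than one domain configured. The two sample configs are constructed here: the first mirrors the poster's idmap lines, the second applies the suggested changes (the `*` range of 3000-7999, `backend = tdb` for `*` and `schema_mode = rfc2307` for the ad backend are assumptions chosen for the example, not values from the thread).

```python
"""Sanity-check the idmap parameters in an smb.conf [global] section.

Added example for the thread above. Parses `idmap config DOMAIN : param = value`
lines plus the remaining global parameters and reports misconfigurations that
winbind would otherwise only reveal at runtime (wrong ID ranges, no backend).
"""
import re

# Constructed sample: the poster's [global] block, trimmed to the idmap-relevant lines.
POSTED_SMB_CONF = """
[global]
    workgroup = CUSTOMER
    realm = CUSTOMER.TLD
    security = ADS
    idmap config *:range = 30001-40000
    idmap config CUSTOMER:range = 20001-30000
    idmap config CORPORATE:range = 10000-20000
    winbind use default domain=true
    winbind scan trusted domains = yes
"""

# Constructed sample: the same block with the changes suggested in the reply
# (small '*' range, explicit backends, default-domain shortcut disabled).
FIXED_SMB_CONF = """
[global]
    workgroup = CUSTOMER
    realm = CUSTOMER.TLD
    security = ADS
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    idmap config CORPORATE : backend = ad
    idmap config CORPORATE : schema_mode = rfc2307
    idmap config CORPORATE : range = 10000-20000
    idmap config CUSTOMER : backend = rid
    idmap config CUSTOMER : range = 20001-30000
    winbind use default domain = no
    winbind scan trusted domains = yes
"""

# "idmap config <domain> : <param> = <value>", whitespace around ':' optional
IDMAP_RE = re.compile(r"^\s*idmap\s+config\s+(\S+?)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.IGNORECASE)
PARAM_RE = re.compile(r"^\s*([^=]+?)\s*=\s*(.+?)\s*$")


def parse_global(text):
    """Return ({domain: {param: value}}, {other_param: value}) for the [global] section."""
    idmap, other, in_global = {}, {}, False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()  # drop comments
        if not line:
            continue
        if line.startswith("["):
            in_global = line.lower() == "[global]"
            continue
        if not in_global:
            continue
        m = IDMAP_RE.match(line)
        if m:
            dom, param, value = m.group(1).upper(), m.group(2).lower(), m.group(3)
            idmap.setdefault(dom, {})[param] = value
            continue
        m = PARAM_RE.match(line)
        if m:
            # smb.conf parameter names are case-insensitive; collapse internal whitespace too
            other[re.sub(r"\s+", " ", m.group(1)).lower()] = m.group(2)
    return idmap, other


def parse_range(value):
    """'10000-20000' -> (10000, 20000); rejects an inverted range."""
    lo, hi = (int(x) for x in value.split("-"))
    if lo > hi:
        raise ValueError(f"bad idmap range {value!r}")
    return lo, hi


def check_idmap(text):
    """Return a list of human-readable findings; an empty list means nothing to report."""
    idmap, other = parse_global(text)
    findings, ranges = [], []
    if "*" not in idmap or "range" not in idmap["*"]:
        findings.append("'*': no range configured (winbind needs a default range)")
    for dom, params in sorted(idmap.items()):
        if "range" not in params:
            findings.append(f"{dom}: no range configured")
            continue
        lo, hi = parse_range(params["range"])
        ranges.append((dom, lo, hi))
        if dom != "*" and "backend" not in params:
            findings.append(f"{dom}: range set but no backend (expected e.g. ad or rid)")
    # overlapping ranges: sort by lower bound, then compare each neighbour pair
    ranges.sort(key=lambda r: r[1])
    for (d1, lo1, hi1), (d2, lo2, hi2) in zip(ranges, ranges[1:]):
        if lo2 <= hi1:
            findings.append(f"{d1} ({lo1}-{hi1}) overlaps {d2} ({lo2}-{hi2})")
    use_default = other.get("winbind use default domain", "no").lower() in ("yes", "true", "1")
    if use_default and len([d for d in idmap if d != "*"]) > 1:
        findings.append("'winbind use default domain' is enabled with multiple domains configured")
    return findings


if __name__ == "__main__":
    for label, conf in (("posted", POSTED_SMB_CONF), ("fixed", FIXED_SMB_CONF)):
        print(f"{label}: {check_idmap(conf) or ['ok']}")
```

Run it against a real file with `check_idmap(open("/etc/samba/smb.conf").read())`; the checker only looks at `[global]`, so share sections are ignored. It is deliberately stricter than `testparm`, which accepts a domain that has a range but no backend.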