samba - Feb 2018 - idmap config ad: can't resolve domain users' uids

> On Fri, 16 Feb 2018 12:12:32 +0100
> Francesco Malvezzi via samba <samba at lists.samba.org> wrote:
> 
>> dear experts,
>> 
>> I would like to setup idmap config ad. I have already the uidNumber
>> attribute populated on AD.
>> 
>> But there is something very basic wrong with my config:
> 
> Yes, there is something wrong ;-)
> See below
> 
[...]
>> 
> 
> Okay to here.
> 
>> 	# idmap config for the EXAMPLEAD domain
>> 	idmap config EXAMPLEAD : backend = ad
>> 	idmap config EXAMPLEAD : schema_mode = rfc2307
>> 	idmap config EXAMPLEAD : range = 1005-999999
>> 
>> 	idmap config * : backend = tdb
>> 	idmap config * : range = 2000000-3999999
> 
> You cannot use the above lines on a DC, they do not work!
> A DC uses idmap.ldb OR uidNumber & gidNumber attributes from AD
should I remove tout-court this part?
> 
> What OS ?
Debian GNU/Linux 9 (stretch)
> What version of Samba ?
4.7.5
> Packages or self compiled ?
self compiled
> Have you set up libnss_winbind ?
not yet, but I was aiming at sssd,

thank you,

Francesco

On Fri, 16 Feb 2018 12:39:37 +0100
Francesco Malvezzi via samba <samba at lists.samba.org> wrote:
> > On Fri, 16 Feb 2018 12:12:32 +0100
> > Francesco Malvezzi via samba <samba at lists.samba.org> wrote:
> > 
> >> dear experts,
> >> 
> >> I would like to setup idmap config ad. I have already the
uidNumber
> >> attribute populated on AD.
> >> 
> >> But there is something very basic wrong with my config:
> > 
> > Yes, there is something wrong ;-)
> > See below
> > 
> [...]
> >> 
> > 
> > Okay to here.
> > 
> >> 	# idmap config for the EXAMPLEAD domain
> >> 	idmap config EXAMPLEAD : backend = ad
> >> 	idmap config EXAMPLEAD : schema_mode = rfc2307
> >> 	idmap config EXAMPLEAD : range = 1005-999999
> >> 
> >> 	idmap config * : backend = tdb
> >> 	idmap config * : range = 2000000-3999999
> > 
> > You cannot use the above lines on a DC, they do not work!
> > A DC uses idmap.ldb OR uidNumber & gidNumber attributes from AD
> 
> should I remove tout-court this part?
Not sure I understand that, but it sounds like you are asking if you
should remove the lines, if so, the answer is yes.
> 
> > 
> > What OS ?
> 
> Debian GNU/Linux 9 (stretch)
> 
> > What version of Samba ?
> 
> 4.7.5
> 
> > Packages or self compiled ?
> 
> self compiled
Why ? You could use the packages from Louis
> 
> > Have you set up libnss_winbind ?
That is why it doesn't work ;-)
> 
> not yet, but I was aiming at sssd,
> 
Okay, but if you get authentication problems after installing sssd, you
should ask on the sssd-users mailing list, sssd has nothing to do with
Samba.

Rowland

Il 16/02/18 12:58, Rowland Penny via samba ha scritto:
> On Fri, 16 Feb 2018 12:39:37 +0100
> Francesco Malvezzi via samba <samba at lists.samba.org> wrote:
> 
[...]
>>
>> should I remove tout-court this part?
> 
> Not sure I understand that, but it sounds like you are asking if you
> should remove the lines, if so, the answer is yes.
You understood correctly.

[...]
>>
>> self compiled
> 
> Why ? You could use the packages from Louis
I'll give it a try. I've got the habit to place software in /opt and
I'm
pretty happy and updating when a newer release comes out is easy thanks
to ansible,
> 
>>
>>> Have you set up libnss_winbind ?
> 
> That is why it doesn't work ;-)
fine, thank you for your time.

So just to recap: there were two problems:

1) the syntax mistake in smb.conf pointed up before;
2) a logical mistake because wbinfo can't possibily work without the
full setup that includes the nss part.

Thank you,

Francesco