Hello,

I am trying to migrate NT4 to AD.
And I have imported my old users to AD. The User ID starts at 1001 up to 7187.

On the DC I see the user ID, on the member I see a wrong ID.

root@ad:~# getent passwd user
FOO\user:*:2029:513:System User:/home/FOO/user:/bin/false

root@member:~# getent passwd user
FOO\user:*:4294967295:3002:System User:/home/FOO/user:/bin/false

My config on member

root@member:~# cat /etc/samba/smb.conf
[global]
security = ADS
workgroup = KES
realm = KES

log file = /var/log/samba/%m.log
log level = 3

# idmap config for the SAMDOM domain
idmap config kes:backend = ad
idmap config kes:schema_mode = rfc2307
idmap config kes:range = 1001-999999

domain master = no
local master = no
preferred master = no
os level = 0

winbind use default domain = yes

client use spnego = yes
client ntlmv2 auth = yes
encrypt passwords = yes
restrict anonymous = 2

Another problem is that I only see users when "winbind use default domain = yes" is set.

Best Regards
basti

On Thu, 2 Feb 2017 15:38:48 +0100 basti via samba <samba at lists.samba.org> wrote:

> Hello,
>
> I am trying to migrate NT4 to AD.
> And I have imported my old users to AD. The User ID starts at 1001 up
> to 7187.
>
> On the DC I see the user ID, on the member I see a wrong ID.
>
> root@ad:~# getent passwd user
> FOO\user:*:2029:513:System User:/home/FOO/user:/bin/false
>
> root@member:~# getent passwd user
> FOO\user:*:4294967295:3002:System User:/home/FOO/user:/bin/false
>
> My config on member
>
> root@member:~# cat /etc/samba/smb.conf
> [global]
> security = ADS
> workgroup = KES
> realm = KES
>
> log file = /var/log/samba/%m.log
> log level = 3
>
> # idmap config for the SAMDOM domain
> idmap config kes:backend = ad
> idmap config kes:schema_mode = rfc2307
> idmap config kes:range = 1001-999999
>
> domain master = no
> local master = no
> preferred master = no
> os level = 0
>
> winbind use default domain = yes
>
> client use spnego = yes
> client ntlmv2 auth = yes
> encrypt passwords = yes
> restrict anonymous = 2
>
> Another problem is that I only see users when "winbind use default
> domain = yes" is set.
>
> Best Regards
> basti
>

Using the same name for workgroup and realm isn't really a good idea,
you should be using something like KES.TLD and this should also be the
DNS domain for your Samba domain.

You are also missing the mapping for the '*' domain.
You are not getting the users because 'Domain Users' has the gidNumber
'513' and the range for 'kes' is set to '1001-999999'.

Is there any way you can change the IDs you are using?

All in all, I think you need to go and read the Samba wiki:

https://wiki.samba.org/index.php/Main_Page

All the info is there, any questions, please ask ;-)

Rowland

I have added

idmap config * : backend = tdb
idmap config * : range = 1-512

and changed

idmap config kes:range = 512-999999

I restarted winbind and there is still the same problem.

On 02.02.2017 16:14, Rowland Penny via samba wrote:

> On Thu, 2 Feb 2017 15:38:48 +0100
> basti via samba <samba at lists.samba.org> wrote:
>
>> Hello,
>>
>> I am trying to migrate NT4 to AD.
>> And I have imported my old users to AD. The User ID starts at 1001 up
>> to 7187.
>>
>> On the DC I see the user ID, on the member I see a wrong ID.
>>
>> root@ad:~# getent passwd user
>> FOO\user:*:2029:513:System User:/home/FOO/user:/bin/false
>>
>> root@member:~# getent passwd user
>> FOO\user:*:4294967295:3002:System User:/home/FOO/user:/bin/false
>>
>> My config on member
>>
>> root@member:~# cat /etc/samba/smb.conf
>> [global]
>> security = ADS
>> workgroup = KES
>> realm = KES
>>
>> log file = /var/log/samba/%m.log
>> log level = 3
>>
>> # idmap config for the SAMDOM domain
>> idmap config kes:backend = ad
>> idmap config kes:schema_mode = rfc2307
>> idmap config kes:range = 1001-999999
>>
>> domain master = no
>> local master = no
>> preferred master = no
>> os level = 0
>>
>> winbind use default domain = yes
>>
>> client use spnego = yes
>> client ntlmv2 auth = yes
>> encrypt passwords = yes
>> restrict anonymous = 2
>>
>> Another problem is that I only see users when "winbind use default
>> domain = yes" is set.
>>
>> Best Regards
>> basti
>>
>
> Using the same name for workgroup and realm isn't really a good idea,
> you should be using something like KES.TLD and this should also be the
> DNS domain for your Samba domain.
>
> You are also missing the mapping for the '*' domain.
> You are not getting the users because 'Domain Users' has the gidNumber
> '513' and the range for 'kes' is set to '1001-999999'.
>
> Is there any way you can change the IDs you are using?
>
> All in all, I think you need to go and read the Samba wiki:
>
> https://wiki.samba.org/index.php/Main_Page
>
> All the info is there, any questions, please ask ;-)
>
> Rowland
>
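
As an added example (not part of any post in this thread and not a Samba tool), the following Python script checks the idmap settings from the two posted smb.conf variants for the points raised above: a missing '*' mapping, overlapping ranges, and DC-side IDs that fall outside the domain range. The function names and the DC_IDS dictionary are illustrative assumptions; the configuration lines and ID values are taken from the posts.

```python
import re

# Constructed from the two smb.conf variants posted in this thread.
ORIGINAL = """
idmap config kes:backend = ad
idmap config kes:schema_mode = rfc2307
idmap config kes:range = 1001-999999
"""
REVISED = ORIGINAL.replace("1001-999999", "512-999999") + """
idmap config * : backend = tdb
idmap config * : range = 1-512
"""
# IDs the DC reported for the user (uid 2029, primary gid 513).
DC_IDS = {"uidNumber": 2029, "gidNumber": 513}

LINE = re.compile(r"^\s*idmap config\s+(\S+?)\s*:\s*(\w+)\s*=\s*(\S+)", re.I)

def parse_ranges(conf):
    """Return {DOMAIN: (low, high)} for every 'idmap config X:range' line."""
    found = {}
    for line in conf.splitlines():
        m = LINE.match(line)
        if m and m.group(2).lower() == "range":
            low, high = m.group(3).split("-")
            found[m.group(1).upper()] = (int(low), int(high))
    return found

def audit(conf, domain, ids):
    """List range problems for one domain (hypothetical helper, not a Samba tool)."""
    ranges = parse_ranges(conf)
    problems = []
    if "*" not in ranges:
        problems.append("no idmap range for the '*' default domain")
    names = sorted(ranges)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            # Two inclusive ranges overlap when each starts before the other ends.
            if ranges[a][0] <= ranges[b][1] and ranges[b][0] <= ranges[a][1]:
                problems.append(f"ranges for {a} and {b} overlap")
    if domain.upper() not in ranges:
        return problems + [f"no idmap range for {domain}"]
    low, high = ranges[domain.upper()]
    for attr, value in ids.items():
        if not low <= value <= high:
            problems.append(f"{attr}={value} outside {domain} range {low}-{high}")
    return problems

if __name__ == "__main__":
    for name, conf in (("original", ORIGINAL), ("revised", REVISED)):
        print(name, audit(conf, "kes", DC_IDS))
```

Run against the original settings it reports the missing '*' range and gidNumber 513 lying outside 1001-999999; against the revised settings it reports that the '*' and KES ranges share ID 512.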