samba - Feb 2018 - idmap config ad: can't resolve domain users' uids

dear experts,

I would like to setup idmap config ad. I have already the uidNumber
attribute populated on AD.

But there is something very basic wrong with my config:

[global]
	netbios name = ADDC
	realm = EXAMPLE.ORG
	workgroup = EXAMPLEAD
	dns forwarder = #trimmed
	server role = active directory domain controller
	log level = 3
        log file = /var/log/samba/log.%m
        interfaces = eth0, lo
        bind interfaces only = Yes
        tls enabled  = yes
        tls keyfile  = /opt/samba/private/tls/addc.key
        tls certfile = /etc/ssl/certs/addc.pem
        tls cafile   = /etc/ssl/certs/DigiCertCA.crt
	tls verify peer = ca_only
        printcap name = /dev/null
        ldap server require strong auth = allow_sasl_over_tls

	# idmap config for the EXAMPLEAD domain
	idmap config EXAMPLEAD : backend = ad
	idmap config EXAMPLEAD : schema_mode = rfc2307
	idmap config EXAMPLEAD : range = 1005-999999

	idmap config * : backend = tdb
	idmap config * : range = 2000000-3999999
	# Template settings for login shell and home directory
	template shell = /bin/bash
	template homedir = /home/%U

when I try to get the uid from the sid, domain users aren't apparently
in EXAMPLEAD:

francesco at addc:/opt/samba$ ./bin/wbinfo --own-domain
EXAMPLEAD

francesco at addc:/opt/samba$ ./bin/wbinfo -S
S-1-5-21-3239498231-402109693-a-few-numbers-27015
failed to call wbcSidToUid: WBC_ERR_DOMAIN_NOT_FOUND
Could not convert sid S-1-5-21-3239498231-402109693-a-few-numbers-27015
to uid

(if I'm correct this error doesn't mean user is missing the uidNumber
attribute. It means: user is part of an unknown domain).

moreover, checking config:
francesco at addc:/opt/samba$ ./bin/testparm -v
Load smb config files from /opt/samba/etc/smb.conf
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[netlogon]"
Processing section "[sysvol]"
Loaded services file OK.
ERROR: The idmap range for the domain * (tdb) overlaps with the range of
EXAMMPLEAD (ad)!

Server role: ROLE_ACTIVE_DIRECTORY_DC
[...]

How is it possible * (tdb) and EXAMPLEAD (ad) overlap?

ad range is supposed to be 1005-999999 and it's well disjoint to tdb
range 2000000-3999999.

What am I overseeing?

thank you,

Francesco

On Fri, 16 Feb 2018 12:12:32 +0100
Francesco Malvezzi via samba <samba at lists.samba.org> wrote:
> dear experts,
> 
> I would like to setup idmap config ad. I have already the uidNumber
> attribute populated on AD.
> 
> But there is something very basic wrong with my config:
Yes, there is something wrong ;-)
See below
> 
> [global]
> 	netbios name = ADDC
> 	realm = EXAMPLE.ORG
> 	workgroup = EXAMPLEAD
> 	dns forwarder = #trimmed
> 	server role = active directory domain controller
> 	log level = 3
>         log file = /var/log/samba/log.%m
>         interfaces = eth0, lo
>         bind interfaces only = Yes
>         tls enabled  = yes
>         tls keyfile  = /opt/samba/private/tls/addc.key
>         tls certfile = /etc/ssl/certs/addc.pem
>         tls cafile   = /etc/ssl/certs/DigiCertCA.crt
> 	tls verify peer = ca_only
>         printcap name = /dev/null
>         ldap server require strong auth = allow_sasl_over_tls
> 
Okay to here.
> 	# idmap config for the EXAMPLEAD domain
> 	idmap config EXAMPLEAD : backend = ad
> 	idmap config EXAMPLEAD : schema_mode = rfc2307
> 	idmap config EXAMPLEAD : range = 1005-999999
> 
> 	idmap config * : backend = tdb
> 	idmap config * : range = 2000000-3999999
You cannot use the above lines on a DC, they do not work!
A DC uses idmap.ldb OR uidNumber & gidNumber attributes from AD

What OS ?
What version of Samba ?
Packages or self compiled ?
Have you set up libnss_winbind ?

Rowland