Francesco Malvezzi
2018-Feb-16 11:12 UTC
[Samba] idmap config ad: can't resolve domain users' uids
dear experts,
I would like to set up idmap config ad. I have already the uidNumber
attribute populated on AD.
But there is something very basic wrong with my config:
[global]
netbios name = ADDC
realm = EXAMPLE.ORG
workgroup = EXAMPLEAD
dns forwarder = #trimmed
server role = active directory domain controller
log level = 3
log file = /var/log/samba/log.%m
interfaces = eth0, lo
bind interfaces only = Yes
tls enabled = yes
tls keyfile = /opt/samba/private/tls/addc.key
tls certfile = /etc/ssl/certs/addc.pem
tls cafile = /etc/ssl/certs/DigiCertCA.crt
tls verify peer = ca_only
printcap name = /dev/null
ldap server require strong auth = allow_sasl_over_tls
# idmap config for the EXAMPLEAD domain
idmap config EXAMPLEAD : backend = ad
idmap config EXAMPLEAD : schema_mode = rfc2307
idmap config EXAMPLEAD : range = 1005-999999
idmap config * : backend = tdb
idmap config * : range = 2000000-3999999
# Template settings for login shell and home directory
template shell = /bin/bash
template homedir = /home/%U
when I try to get the uid from the sid, domain users aren't apparently
in EXAMPLEAD:
francesco at addc:/opt/samba$ ./bin/wbinfo --own-domain
EXAMPLEAD
francesco at addc:/opt/samba$ ./bin/wbinfo -S
S-1-5-21-3239498231-402109693-a-few-numbers-27015
failed to call wbcSidToUid: WBC_ERR_DOMAIN_NOT_FOUND
Could not convert sid S-1-5-21-3239498231-402109693-a-few-numbers-27015
to uid
(if I'm correct this error doesn't mean user is missing the uidNumber
attribute. It means: user is part of an unknown domain).
moreover, checking config:
francesco at addc:/opt/samba$ ./bin/testparm -v
Load smb config files from /opt/samba/etc/smb.conf
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[netlogon]"
Processing section "[sysvol]"
Loaded services file OK.
ERROR: The idmap range for the domain * (tdb) overlaps with the range of
EXAMMPLEAD (ad)!
Server role: ROLE_ACTIVE_DIRECTORY_DC
[...]
How is it possible that * (tdb) and EXAMPLEAD (ad) overlap?
ad range is supposed to be 1005-999999 and it's well disjoint from the tdb
range 2000000-3999999.
What am I overseeing?
thank you,
Francesco
Rowland Penny
2018-Feb-16 11:31 UTC
[Samba] idmap config ad: can't resolve domain users' uids
On Fri, 16 Feb 2018 12:12:32 +0100
Francesco Malvezzi via samba <samba at lists.samba.org> wrote:

> dear experts,
>
> I would like to set up idmap config ad. I have already the uidNumber
> attribute populated on AD.
>
> But there is something very basic wrong with my config:

Yes, there is something wrong ;-) See below

> [global]
> netbios name = ADDC
> realm = EXAMPLE.ORG
> workgroup = EXAMPLEAD
> dns forwarder = #trimmed
> server role = active directory domain controller
> log level = 3
> log file = /var/log/samba/log.%m
> interfaces = eth0, lo
> bind interfaces only = Yes
> tls enabled = yes
> tls keyfile = /opt/samba/private/tls/addc.key
> tls certfile = /etc/ssl/certs/addc.pem
> tls cafile = /etc/ssl/certs/DigiCertCA.crt
> tls verify peer = ca_only
> printcap name = /dev/null
> ldap server require strong auth = allow_sasl_over_tls
>

Okay to here.

> # idmap config for the EXAMPLEAD domain
> idmap config EXAMPLEAD : backend = ad
> idmap config EXAMPLEAD : schema_mode = rfc2307
> idmap config EXAMPLEAD : range = 1005-999999
>
> idmap config * : backend = tdb
> idmap config * : range = 2000000-3999999

You cannot use the above lines on a DC, they do not work!
A DC uses idmap.ldb OR uidNumber & gidNumber attributes from AD.

What OS ?
What version of Samba ?
Packages or self compiled ?
Have you set up libnss_winbind ?

Rowland
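The two findings in this thread, the range-overlap check testparm reports and Rowland's point that per-domain idmap config lines are not used on an AD DC, can be checked before winbind is ever started. The following lint is an added example written for this page, not code from the thread or from Samba; it parses only the [global] section, and the sample smb.conf text it embeds is a constructed, trimmed copy of the original poster's config.

```python
import re

# Constructed sample: the original poster's [global] section, trimmed to the
# lines this lint cares about.
SAMPLE_SMB_CONF = """\
[global]
server role = active directory domain controller
# idmap config for the EXAMPLEAD domain
idmap config EXAMPLEAD : backend = ad
idmap config EXAMPLEAD : range = 1005-999999
idmap config * : backend = tdb
idmap config * : range = 2000000-3999999
"""

IDMAP_RE = re.compile(r"^\s*idmap\s+config\s+(\S+)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.I)
ROLE_RE = re.compile(r"^\s*server\s+role\s*=\s*(.+?)\s*$", re.I)

def parse_global(text):
    """Return (server_role, {domain: {option: value}}) from [global] only."""
    role, idmap, in_global = "", {}, False
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("[") and stripped.endswith("]"):
            in_global = stripped.lower() == "[global]"   # section header
            continue
        if not in_global or stripped.startswith(("#", ";")):
            continue                                     # other section or comment
        m = ROLE_RE.match(line)
        if m:
            role = m.group(1).lower()
        m = IDMAP_RE.match(line)
        if m:
            idmap.setdefault(m.group(1).upper(), {})[m.group(2).lower()] = m.group(3)
    return role, idmap

def lint_idmap(text):
    """Return a list of findings (empty list = nothing to report)."""
    role, idmap = parse_global(text)
    problems, ranges = [], {}
    for dom, opts in idmap.items():
        if "range" in opts:
            lo, hi = (int(x) for x in opts["range"].split("-"))
            ranges[dom] = (lo, hi)
        # Rowland's point: a DC takes uidNumber/gidNumber from AD (or idmap.ldb),
        # so 'idmap config DOMAIN : ...' for a named domain is not used there.
        if dom != "*" and "domain controller" in role:
            problems.append(f"idmap config for {dom} is ignored on an AD DC")
    doms = sorted(ranges)
    for i, a in enumerate(doms):                        # the overlap test testparm runs
        for b in doms[i + 1:]:
            (alo, ahi), (blo, bhi) = ranges[a], ranges[b]
            if alo <= bhi and blo <= ahi:
                problems.append(f"idmap range for {a} overlaps with {b}")
    return problems
```

Run it with `lint_idmap(open("/opt/samba/etc/smb.conf").read())` against a real file; on the sample it reports only the DC finding, since 1005-999999 and 2000000-3999999 really are disjoint.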