Francesco Malvezzi
2018-Feb-16 11:12 UTC
[Samba] idmap config ad: can't resolve domain users' uids
Dear experts,

I would like to set up idmap config ad. I already have the uidNumber attribute populated on AD.

But there is something very basic wrong with my config:

[global]
netbios name = ADDC
realm = EXAMPLE.ORG
workgroup = EXAMPLEAD
dns forwarder = #trimmed
server role = active directory domain controller
log level = 3
log file = /var/log/samba/log.%m
interfaces = eth0, lo
bind interfaces only = Yes
tls enabled = yes
tls keyfile = /opt/samba/private/tls/addc.key
tls certfile = /etc/ssl/certs/addc.pem
tls cafile = /etc/ssl/certs/DigiCertCA.crt
tls verify peer = ca_only
printcap name = /dev/null
ldap server require strong auth = allow_sasl_over_tls

# idmap config for the EXAMPLEAD domain
idmap config EXAMPLEAD : backend = ad
idmap config EXAMPLEAD : schema_mode = rfc2307
idmap config EXAMPLEAD : range = 1005-999999

idmap config * : backend = tdb
idmap config * : range = 2000000-3999999

# Template settings for login shell and home directory
template shell = /bin/bash
template homedir = /home/%U

When I try to get the uid from the sid, domain users apparently aren't in EXAMPLEAD:

francesco@addc:/opt/samba$ ./bin/wbinfo --own-domain
EXAMPLEAD
francesco@addc:/opt/samba$ ./bin/wbinfo -S S-1-5-21-3239498231-402109693-a-few-numbers-27015
failed to call wbcSidToUid: WBC_ERR_DOMAIN_NOT_FOUND
Could not convert sid S-1-5-21-3239498231-402109693-a-few-numbers-27015 to uid

(If I'm correct, this error doesn't mean the user is missing the uidNumber attribute. It means: the user is part of an unknown domain.)

Moreover, checking the config:

francesco@addc:/opt/samba$ ./bin/testparm -v
Load smb config files from /opt/samba/etc/smb.conf
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[netlogon]"
Processing section "[sysvol]"
Loaded services file OK.
ERROR: The idmap range for the domain * (tdb) overlaps with the range of EXAMMPLEAD (ad)!
Server role: ROLE_ACTIVE_DIRECTORY_DC
[...]

How is it possible that * (tdb) and EXAMPLEAD (ad) overlap?
The ad range is supposed to be 1005-999999, and it is well disjoint from the tdb range 2000000-3999999. What am I overlooking?

Thank you,
Francesco
Rowland Penny
2018-Feb-16 11:31 UTC
[Samba] idmap config ad: can't resolve domain users' uids
On Fri, 16 Feb 2018 12:12:32 +0100
Francesco Malvezzi via samba <samba at lists.samba.org> wrote:

> Dear experts,
>
> I would like to set up idmap config ad. I already have the uidNumber
> attribute populated on AD.
>
> But there is something very basic wrong with my config:

Yes, there is something wrong ;-) See below

> [global]
> netbios name = ADDC
> realm = EXAMPLE.ORG
> workgroup = EXAMPLEAD
> dns forwarder = #trimmed
> server role = active directory domain controller
> log level = 3
> log file = /var/log/samba/log.%m
> interfaces = eth0, lo
> bind interfaces only = Yes
> tls enabled = yes
> tls keyfile = /opt/samba/private/tls/addc.key
> tls certfile = /etc/ssl/certs/addc.pem
> tls cafile = /etc/ssl/certs/DigiCertCA.crt
> tls verify peer = ca_only
> printcap name = /dev/null
> ldap server require strong auth = allow_sasl_over_tls
>

Okay to here.

> # idmap config for the EXAMPLEAD domain
> idmap config EXAMPLEAD : backend = ad
> idmap config EXAMPLEAD : schema_mode = rfc2307
> idmap config EXAMPLEAD : range = 1005-999999
>
> idmap config * : backend = tdb
> idmap config * : range = 2000000-3999999

You cannot use the above lines on a DC, they do not work!
A DC uses idmap.ldb OR uidNumber & gidNumber attributes from AD.

What OS?
What version of Samba?
Packages or self compiled?
Have you set up libnss_winbind?

Rowland
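As an added example (not from the thread, and not Samba's own code), a small checker for the two points raised above: it parses the posted [global] section, reports pairwise overlapping idmap ranges (the condition testparm complains about) and, following Rowland's advice, flags any per-domain "idmap config DOM : ..." block when server role is an AD DC. The sample smb.conf is constructed from the one posted; the function and variable names are the example's own.

```python
import re
from collections import defaultdict

# Constructed sample: the [global] parameters from the thread's smb.conf
# that the checks need (same domain name and ranges as posted).
SAMPLE_SMB_CONF = """[global]
server role = active directory domain controller
idmap config EXAMPLEAD : backend = ad
idmap config EXAMPLEAD : schema_mode = rfc2307
idmap config EXAMPLEAD : range = 1005-999999
idmap config * : backend = tdb
idmap config * : range = 2000000-3999999
"""
IDMAP_RE = re.compile(r"^idmap config\s+(\S+)\s*:\s*(\w+)\s*=\s*(.*)$", re.I)

def parse_global(conf):
    """[global] -> (settings {key: value}, idmap {domain: {option: value}})."""
    settings, idmap, section = {}, defaultdict(dict), None
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()  # drop comments
        if not line:
            continue
        if line.startswith("["):
            section = line.strip("[]").lower()
        elif section == "global":
            m = IDMAP_RE.match(line)
            if m:
                idmap[m.group(1)][m.group(2).lower()] = m.group(3).strip()
            elif "=" in line:
                key, value = line.split("=", 1)
                settings[key.strip().lower()] = value.strip()
    return settings, idmap

def check_idmap(conf):
    """Findings: overlapping idmap ranges, and per-domain idmap config on an AD DC."""
    settings, idmap = parse_global(conf)
    findings = []
    # "lo-hi" -> (lo, hi) for every domain that sets a range
    ranges = {d: tuple(int(x) for x in o["range"].split("-", 1))
              for d, o in idmap.items() if "range" in o}
    doms = sorted(ranges)
    for i, a in enumerate(doms):
        for b in doms[i + 1:]:
            (alo, ahi), (blo, bhi) = ranges[a], ranges[b]
            if alo <= bhi and blo <= ahi:  # closed intervals intersect
                findings.append(f"overlap: {a} {alo}-{ahi} vs {b} {blo}-{bhi}")
    if settings.get("server role", "").lower() == "active directory domain controller":
        findings += [f"dc: 'idmap config {d} : ...' is not used on a DC; "
                     "ids come from idmap.ldb or AD uidNumber/gidNumber" for d in idmap if d != "*"]
    return findings
```

Run against the posted config it reports no overlap, matching the poster's arithmetic, but does flag the EXAMPLEAD block on the DC.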