samba - Mar 2018 - mapping sid to uid in member server

Hello
I am deploying a samba network with a AD DC and a member server for file
sharing.
Samba version 4.5 on Debian 8.
In AD DC everything goes fine.
In member server, smb.conf:
        netbios name = ADFS1
        realm = CGSIBAD.SC
        workgroup = CGSIBAD
        client signing = yes
        client use spnego = yes
        kerberos method = secrets and keytab
        server role = member server
        idmap config * : backend = tdb
        idmap config CGSIBAD : backend = ad
        winbind nss info = rfc2307
        idmap_ldb:use rfc2307 = yes
        security = ads
        require strong key = yes
        client schannel = yes
        winbind expand groups = 1
        winbind enum groups = yes
        winbind enum users = yes

In the member server when I run wbinfo -n username I get de SID
correctly, but when
wbinfo -S S-1-5-21-2356952658-3999694786-159306407-1287
failed to call wbcSidToUid: WBC_ERR_DOMAIN_NOT_FOUND
Could not convert sid S-1-5-21-2356952658-3999694786-159306407-1287 to uid

If I modify smb.conf including ranges:
        netbios name = ADFS1
        realm = CGSIBAD.SC
        workgroup = CGSIBAD
        client signing = yes
        client use spnego = yes
        kerberos method = secrets and keytab
        server role = member server
        idmap config * : backend = tdb
        idmap config * : range = 11000-11999
        idmap config CGSIBAD : backend = ad
        idmap config CGSIBAD : range = 10000-10999
        winbind nss info = rfc2307
        idmap_ldb:use rfc2307 = yes
        security = ads
        require strong key = yes
        client schannel = yes
        winbind expand groups = 4
        winbind enum groups = yes
        winbind enum users = yes

then mapping works correctly; so obviously I have some misunderstanding
that I need to clarify: I thought that by using ad backend, all
sid/uid/gid queries were retrieved from AD DC domain server, so that it
was no necessary specify any uid range.

After a lot of digging I could not find any documentation regarding this
point, so would you be so kind of addressing me to some source of
information about this point?

Regards

Jose Luis

On Thu, 22 Mar 2018 08:37:16 +0100
Jose Luis Suarez via samba <samba at lists.samba.org> wrote:
> Hello
> I am deploying a samba network with a AD DC and a member server for
> file sharing.
> Samba version 4.5 on Debian 8.
> In AD DC everything goes fine.
> In member server, smb.conf:
>         netbios name = ADFS1
>         realm = CGSIBAD.SC
>         workgroup = CGSIBAD
>         client signing = yes
>         client use spnego = yes
>         kerberos method = secrets and keytab
>         server role = member server
>         idmap config * : backend = tdb
>         idmap config CGSIBAD : backend = ad
>         winbind nss info = rfc2307
>         idmap_ldb:use rfc2307 = yes
>         security = ads
>         require strong key = yes
>         client schannel = yes
>         winbind expand groups = 1
>         winbind enum groups = yes
>         winbind enum users = yes
> 
> In the member server when I run wbinfo -n username I get de SID
> correctly, but when
> wbinfo -S S-1-5-21-2356952658-3999694786-159306407-1287
> failed to call wbcSidToUid: WBC_ERR_DOMAIN_NOT_FOUND
> Could not convert sid S-1-5-21-2356952658-3999694786-159306407-1287
> to uid
> 
> If I modify smb.conf including ranges:
>         netbios name = ADFS1
>         realm = CGSIBAD.SC
>         workgroup = CGSIBAD
>         client signing = yes
>         client use spnego = yes
>         kerberos method = secrets and keytab
>         server role = member server
>         idmap config * : backend = tdb
>         idmap config * : range = 11000-11999
>         idmap config CGSIBAD : backend = ad
>         idmap config CGSIBAD : range = 10000-10999
>         winbind nss info = rfc2307
>         idmap_ldb:use rfc2307 = yes
>         security = ads
>         require strong key = yes
>         client schannel = yes
>         winbind expand groups = 4
>         winbind enum groups = yes
>         winbind enum users = yes
> 
> then mapping works correctly; so obviously I have some
> misunderstanding that I need to clarify: I thought that by using ad
> backend, all sid/uid/gid queries were retrieved from AD DC domain
> server, so that it was no necessary specify any uid range.
> 
> After a lot of digging I could not find any documentation regarding
> this point, so would you be so kind of addressing me to some source of
> information about this point?
> 
> Regards
> 
> Jose Luis
> 
I think you need a bigger spade ;-)

Did you miss this:

https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member#Configuring_Samba

Rowland