So, after reading many samba setup pages I was under the impression that “properly” configuring idmap for an AD domain should look something like this:

security = ADS

idmap config * : backend = tdb
idmap config * : range = 10000-50000

# DOMAIN
realm = DOMAIN.COM
workgroup = DOMAIN
idmap config DOMAIN:backend = ad
idmap config DOMAIN:range = 100000-500000
idmap config DOMAIN:schema_mode = rfc2307
idmap config DOMAIN:unix_nss_info = yes
idmap config DOMAIN:default = yes

However, I’ve been wrestling with this for weeks now without success. With these config lines users are not able to log in and wbinfo -i user yields the error

failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND

If I comment out the domain lines and expand the default range to accommodate the domain range — idmap config * : range 100000-500000 — wbinfo works and users can log in.

My problem: the volumes that make up the shares will be shared from more than one server. With only the default map configured I seem to get server-specific mapping. That is, when I mount the same volume on another server the filesystem permissions are hosed.

Below is the full smb.conf file. I assume I’m doing something wrong but can’t for the life of me figure out what that is. Has anyone confronted this before?

OS: Ubuntu 18.04
Samba: 4.9.8
Winbind installed

smb.conf (names changed to protect the guilty!)

[global]

# Server
bind interfaces only = yes
server min protocol = SMB2
server string = %h server (Samba, Ubuntu)
allow trusted domains = yes
wins support = no
dns proxy = no

# Authentication
server role = member server
passdb backend = tdbsam
obey pam restrictions = yes
unix password sync = yes
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
pam password change = yes
map to guest = bad user
usershare allow guests = no

# Domains

# Default
kerberos method = secrets and keytab
dedicated keytab file = /etc/krb5.keytab
security = ADS
idmap config * : backend = tdb
idmap config * : range = 100000-500000
# winbind enum users = yes
# winbind enum groups = yes
winbind nested groups = true
winbind use default domain = yes
winbind refresh tickets = yes
# winbind trusted domains only = yes
winbind nss info = rfc2307

# DOMAIN
realm = DOMAIN.COM
workgroup = DOMAIN
# idmap config DOMAIN:backend = ad
# idmap config DOMAIN:range = 100000-500000
# idmap config DOMAIN:schema_mode = rfc2307
# idmap config DOMAIN:unix_nss_info = yes
# idmap config DOMAIN:default = yes

# Client
template homedir = /home/%U
template shell = /bin/bash
client signing = yes
client use spnego = yes
client ntlmv2 auth = yes
client ipc min protocol = SMB2
encrypt passwords = true
restrict anonymous = 2
keepalive = 60
deadtime = 10
disable netbios = yes
smb ports = 445
unix extensions = no

# Logging
log level = 10
log file = /var/log/samba/log.%m
max log size = 1000
panic action = /usr/share/samba/panic-action %d

# Includes
# IP Based Include
include = /etc/samba/smb.conf.%i
On 30/05/2019 14:03, Banks, David (db2d) via samba wrote:
> So, after reading many samba setup pages I was under the impression that “properly” configuring idmap for an AD domain should look something like this

Did you read these:

https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
https://wiki.samba.org/index.php/Idmap_config_ad

>
> security = ADS
>
> idmap config * : backend = tdb
> idmap config * : range = 10000-50000
>
> # DOMAIN
> realm = DOMAIN.COM
> workgroup = DOMAIN
> idmap config DOMAIN:backend = ad
> idmap config DOMAIN:range = 100000-500000
> idmap config DOMAIN:schema_mode = rfc2307
> idmap config DOMAIN:unix_nss_info = yes
> idmap config DOMAIN:default = yes
>
> However, I’ve been wrestling with this for weeks now without success. With these config lines users are not able to log in and wbinfo -i user yields the error
>
> failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
>
> If I comment out the domain lines and expand the default range to accommodate the domain range — idmap config * : range 100000-500000 — wbinfo works and users can log in.
>

Until I read the last part of the above, I couldn't understand your problem, everything looked okay apart from the last line 'default = yes' which doesn't exist.

You also have 'unix password sync = yes', you cannot have local Unix users with the same name in AD, you make AD users into Unix users.

I think you may have fallen into the common mistake of thinking that just setting up winbind ad in smb.conf is sufficient, it isn't. You have to give each user a uidNumber attribute containing a unique number in the '100000-500000' range. You will also have to give 'Domain Users' a gidNumber attribute containing a number inside the same range.

Rowland
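A small checker for the points raised in this thread (an idmap key that does not exist, overlapping ranges, a domain left on the per-server tdb allocator, and users or 'Domain Users' without uidNumber/gidNumber), added here as an example and not code from the thread or from Samba. The smb.conf lines and the AD attribute values it checks are constructed samples, and KNOWN_KEYS is an assumed subset covering only the idmap options discussed here.

```python
import re
from itertools import combinations

# Constructed sample: the thread's idmap lines, including the 'default = yes' key Rowland says does not exist.
SMB_CONF = """
idmap config * : backend = tdb
idmap config * : range = 10000-50000
idmap config DOMAIN:backend = ad
idmap config DOMAIN:range = 100000-500000
idmap config DOMAIN:schema_mode = rfc2307
idmap config DOMAIN:unix_nss_info = yes
idmap config DOMAIN:default = yes
"""
KNOWN_KEYS = {"backend", "range", "schema_mode", "unix_nss_info", "unix_primary_group"}  # assumed subset
IDMAP_RE = re.compile(r"^\s*idmap config\s+(\S+)\s*:\s*([a-z_ ]+?)\s*=\s*(.+?)\s*$", re.I)

def parse_idmap(text):
    """Return {domain: {key: value}} from every 'idmap config' line; commented lines never match."""
    cfg = {}
    for m in filter(None, map(IDMAP_RE.match, text.splitlines())):
        cfg.setdefault(m.group(1), {})[m.group(2).lower()] = m.group(3)
    return cfg

def check_idmap(cfg):
    """Config problems: unknown keys, overlapping ranges, or IDs allocated from the per-server tdb."""
    problems, ranges = [], {}
    for dom, opts in cfg.items():
        problems += [f"{dom}: unknown idmap option '{k}'" for k in opts if k not in KNOWN_KEYS]
        if "range" in opts:
            ranges[dom] = tuple(int(x) for x in opts["range"].split("-"))
    for a, b in combinations(ranges, 2):  # overlapping ranges let two SIDs land on one uid/gid
        if ranges[a][0] <= ranges[b][1] and ranges[b][0] <= ranges[a][1]:
            problems.append(f"ranges of '{a}' and '{b}' overlap")
    if not any(o.get("backend") in ("ad", "rid") for d, o in cfg.items() if d != "*"):
        problems.append("no per-domain backend: IDs come from the '*' tdb and differ per server")
    return problems

def check_ad_ids(entries, domain_range):
    """entries: {name: {'uidNumber': n} or {'gidNumber': n}} as read from AD; check the rfc2307 attributes."""
    problems, (lo, hi) = [], domain_range
    for name, attrs in entries.items():
        num = attrs.get("uidNumber", attrs.get("gidNumber"))
        if num is None:
            problems.append(f"{name}: no uidNumber/gidNumber, winbind cannot map it")
        elif not lo <= num <= hi:
            problems.append(f"{name}: {num} is outside the idmap range {lo}-{hi}")
    if "gidNumber" not in entries.get("Domain Users", {}):
        problems.append("'Domain Users' needs a gidNumber (it is every user's primary group)")
    return problems
```

Run against the thread's first config it reports only the 'default' key; run against the tdb-only variant that "worked" it reports that IDs are allocated per server, which is exactly why the permissions differ between hosts.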