So, after reading many samba setup pages I was under the impression that
“properly” configuring idmap for an AD domain should look something like this:
security = ADS
idmap config * : backend = tdb
idmap config * : range = 10000-50000
# DOMAIN
realm = DOMAIN.COM
workgroup = DOMAIN
idmap config DOMAIN:backend = ad
idmap config DOMAIN:range = 100000-500000
idmap config DOMAIN:schema_mode = rfc2307
idmap config DOMAIN:unix_nss_info = yes
idmap config DOMAIN:default = yes
However, I’ve been wrestling with this for weeks now without success. With these
config lines users are not able to log in and wbinfo -i user yields the error
failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
If I comment out the domain lines and expand the default range to accommodate
the domain range — idmap config * : range 100000-500000 — wbinfo works and users
can log in.
My problem: The volumes that make up the shares will be shared from more than
one server. With only the default map configured I seem to get server specific
mapping. That is when I mount the same volume on another server the filesystem
permissions are hosed.
Below is the full smb.conf file. I assume I’m doing something wrong but can’t
for the life of me figure out what that is. Has anyone confronted this before?
OS: Ubuntu 18.04
Samba: 4.9.8
Winbind installed
smb.conf (names changed to protect the guilty!)
[global]
# Server
bind interfaces only = yes
server min protocol = SMB2
server string = %h server (Samba, Ubuntu)
allow trusted domains = yes
wins support = no
dns proxy = no
# Authentication
server role = member server
passdb backend = tdbsam
obey pam restrictions = yes
unix password sync = yes
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
pam password change = yes
map to guest = bad user
usershare allow guests = no
# Domains
# Default
kerberos method = secrets and keytab
dedicated keytab file = /etc/krb5.keytab
security = ADS
idmap config * : backend = tdb
idmap config * : range = 100000-500000
# winbind enum users = yes
# winbind enum groups = yes
winbind nested groups = true
winbind use default domain = yes
winbind refresh tickets = yes
# winbind trusted domains only = yes
winbind nss info = rfc2307
# DOMAIN
realm = DOMAIN.COM
workgroup = DOMAIN
# idmap config DOMAIN:backend = ad
# idmap config DOMAIN:range = 100000-500000
# idmap config DOMAIN:schema_mode = rfc2307
# idmap config DOMAIN:unix_nss_info = yes
# idmap config DOMAIN:default = yes
# Client
template homedir = /home/%U
template shell = /bin/bash
client signing = yes
client use spnego = yes
client ntlmv2 auth = yes
client ipc min protocol = SMB2
encrypt passwords = true
restrict anonymous = 2
keepalive = 60
deadtime = 10
disable netbios = yes
smb ports = 445
unix extensions = no
# Logging
log level = 10
log file = /var/log/samba/log.%m
max log size = 1000
panic action = /usr/share/samba/panic-action %d
# Includes
# IP Based Include
include = /etc/samba/smb.conf.%i
On 30/05/2019 14:03, Banks, David (db2d) via samba wrote:
> So, after reading many samba setup pages I was under the impression that
> “properly” configuring idmap for an AD domain should look something like this:

Did you read these:

https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
https://wiki.samba.org/index.php/Idmap_config_ad

>
> security = ADS
>
> idmap config * : backend = tdb
> idmap config * : range = 10000-50000
>
> # DOMAIN
> realm = DOMAIN.COM
> workgroup = DOMAIN
> idmap config DOMAIN:backend = ad
> idmap config DOMAIN:range = 100000-500000
> idmap config DOMAIN:schema_mode = rfc2307
> idmap config DOMAIN:unix_nss_info = yes
> idmap config DOMAIN:default = yes
>
> However, I’ve been wrestling with this for weeks now without success. With these
> config lines users are not able to log in and wbinfo -i user yields the error
>
> failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
>
> If I comment out the domain lines and expand the default range to accommodate
> the domain range — idmap config * : range 100000-500000 — wbinfo works and users
> can log in.
>

Until I read the last part of the above, I couldn't understand your problem,
everything looked okay apart from the last line 'default = yes' which doesn't
exist.

You also have 'unix password sync = yes', you cannot have local Unix users with
the same name in AD, you make AD users into Unix users.

I think you may have fallen into the common mistake of thinking that just
setting up winbind ad in smb.conf is sufficient, it isn't. You have to give
each user a uidNumber attribute containing a unique number in the
'100000-500000' range. You will also have to give 'Domain Users' a gidNumber
attribute containing a number inside the same range.

Rowland
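The following script is an added example written for this thread; it is not code from either poster or from the Samba project. It pulls the idmap lines out of an smb.conf fragment (the one proposed in the original post, embedded here as a constructed sample), checks the two things the reply turns on (the '*' range and the domain range must not overlap, and 'default' is not an option the ad backend knows), and then shows why each backend behaves as described: the ad backend maps an object only if its uidNumber/gidNumber lies inside the domain range, while the tdb backend hands out ids in first-seen order on each server, which is why the same volume gets different ownership on a second server. The AD objects, the option list for idmap_ad and the sequential tdb allocation are all simplified assumptions made for the demonstration.

```python
"""Check an smb.conf idmap setup and simulate ad vs tdb id mapping.

Added example (not from the samba list thread or the Samba project).
"""
import re
from typing import Dict, List, Optional, Tuple

# Matches both spellings used in the thread:
#   idmap config * : backend = tdb
#   idmap config DOMAIN:backend = ad
IDMAP_RE = re.compile(r"^\s*idmap config\s+(\S+?)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.I)

# Options documented for the idmap_ad backend (a subset; assumption for this check).
AD_OPTIONS = {"backend", "range", "schema_mode", "unix_nss_info", "unix_primary_group"}


def parse_idmap(conf: str) -> Dict[str, Dict[str, str]]:
    """Collect 'idmap config <dom>:<opt> = <val>' lines, skipping '#'/';' comments."""
    out: Dict[str, Dict[str, str]] = {}
    for line in conf.splitlines():
        if line.lstrip().startswith(("#", ";")):
            continue
        m = IDMAP_RE.match(line)
        if m:
            dom, opt, val = m.group(1).upper(), m.group(2).lower(), m.group(3)
            out.setdefault(dom, {})[opt] = val
    return out


def parse_range(text: str) -> Tuple[int, int]:
    """'100000-500000' -> (100000, 500000)."""
    lo, hi = (int(x) for x in text.replace(" ", "").split("-"))
    if lo >= hi:
        raise ValueError(f"bad idmap range {text!r}")
    return lo, hi


def check_config(idmap: Dict[str, Dict[str, str]]) -> List[str]:
    """Report missing ranges, unknown idmap_ad options and overlapping ranges."""
    problems: List[str] = []
    ranges: Dict[str, Tuple[int, int]] = {}
    for dom, opts in idmap.items():
        if "range" not in opts:
            problems.append(f"{dom}: no range configured")
            continue
        ranges[dom] = parse_range(opts["range"])
        if opts.get("backend", "").lower() == "ad":
            for unknown in sorted(set(opts) - AD_OPTIONS):
                problems.append(f"{dom}: '{unknown}' is not an idmap_ad option")
    doms = sorted(ranges)
    for i, a in enumerate(doms):
        for b in doms[i + 1:]:
            (alo, ahi), (blo, bhi) = ranges[a], ranges[b]
            if alo <= bhi and blo <= ahi:  # Samba requires disjoint ranges
                problems.append(f"ranges of {a} and {b} overlap")
    return problems


def map_with_ad(idmap: Dict[str, Dict[str, str]], domain: str,
                objects: List[dict]) -> Dict[str, Optional[int]]:
    """idmap_ad: an object maps only if its uidNumber/gidNumber is inside the domain range."""
    lo, hi = parse_range(idmap[domain]["range"])
    result: Dict[str, Optional[int]] = {}
    for obj in objects:
        xid = obj.get("uidNumber", obj.get("gidNumber"))
        result[obj["name"]] = xid if xid is not None and lo <= xid <= hi else None
    return result


def allocate_with_tdb(idmap: Dict[str, Dict[str, str]], names_in_order: List[str]) -> Dict[str, int]:
    """idmap_tdb, simplified: ids come from the '*' range in first-seen order, per server."""
    lo, hi = parse_range(idmap["*"]["range"])
    alloc: Dict[str, int] = {}
    for i, name in enumerate(names_in_order):
        if lo + i > hi:
            raise RuntimeError("default idmap range exhausted")
        alloc[name] = lo + i
    return alloc


# Constructed sample: the configuration proposed in the original post.
SAMPLE_CONF = """
security = ADS
idmap config * : backend = tdb
idmap config * : range = 10000-50000
realm = DOMAIN.COM
workgroup = DOMAIN
idmap config DOMAIN:backend = ad
idmap config DOMAIN:range = 100000-500000
idmap config DOMAIN:schema_mode = rfc2307
idmap config DOMAIN:unix_nss_info = yes
idmap config DOMAIN:default = yes
"""

# Constructed AD objects, as an rfc2307-populated directory would expose them.
SAMPLE_OBJECTS = [
    {"name": "alice", "uidNumber": 100001},         # inside the DOMAIN range: maps
    {"name": "bob", "uidNumber": 5000},             # outside the range: unmapped
    {"name": "carol"},                              # no uidNumber at all: unmapped
    {"name": "Domain Users", "gidNumber": 100513},  # primary group needs a gidNumber too
]

if __name__ == "__main__":
    idmap = parse_idmap(SAMPLE_CONF)
    for p in check_config(idmap):
        print("config:", p)
    for name, xid in map_with_ad(idmap, "DOMAIN", SAMPLE_OBJECTS).items():
        print(f"ad  {name:13} -> {xid if xid is not None else 'UNMAPPED'}")
    names = [o["name"] for o in SAMPLE_OBJECTS]
    print("tdb server A:", allocate_with_tdb(idmap, names))
    print("tdb server B:", allocate_with_tdb(idmap, names[::-1]))
```

Running it prints one configuration problem (the 'default' option), shows alice and Domain Users mapping while bob and carol stay unmapped, and prints two tdb allocations that give alice a different uid on each "server". Feeding it the full smb.conf from the thread works the same way, since commented-out lines are skipped.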