On 23/12/2019 09:46, Michael Hierweck via samba wrote:
> Hi all,
>
> I'm using Samba (AD) under Debian Buster.
>
> Testparm tells me the idmap of TDB and AD would overlap.
> However, the configured ranges don't.
>
> Thanks in advance,
>
> Michael
>
>
>
> # testparm
> rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
> Registered MSG_REQ_POOL_USAGE
> Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
> Load smb config files from /etc/samba/smb.conf
> rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
> Processing section "[netlogon]"
> Processing section "[sysvol]"
> Loaded services file OK.
> ERROR: The idmap range for the domain * (tdb) overlaps with the range of KLEY (ad)!
>
> Server role: ROLE_ACTIVE_DIRECTORY_DC
>
> Press enter to see a dump of your service definitions
>
> # Global parameters
> [global]
> dns forwarder = 192.168.100.250
> passdb backend = samba_dsdb
> realm = KLEY.HIERWECK.DE
> server role = active directory domain controller
> winbind enum groups = Yes
> winbind enum users = Yes
> winbind nss info = rfc2307
> workgroup = KLEY
> rpc_server:tcpip = no
> rpc_daemon:spoolssd = embedded
> rpc_server:spoolss = embedded
> rpc_server:winreg = embedded
> rpc_server:ntsvcs = embedded
> rpc_server:eventlog = embedded
> rpc_server:srvsvc = embedded
> rpc_server:svcctl = embedded
> rpc_server:default = external
> winbindd:use external pipes = true
> idmap config kley : range = 100-9999
> idmap config kley : schema_mode = rfc2307
> idmap config kley : unix_primary_group = yes
> idmap config kley : unix_nss_info = yes
> idmap config kley : backend = ad
> idmap config kley : default = yes
> idmap config * : range = 10000-999999999
> idmap_ldb:use rfc2307 = yes
> idmap config * : backend = tdb
> map acl inherit = Yes
> map archive = No
> vfs objects = acl_xattr
>
>
> [netlogon]
> path = /var/lib/samba/sysvol/kley.hierweck.de/scripts
> read only = No
>
>
> [sysvol]
> path = /var/lib/samba/sysvol
> read only = No
>
> [...]
>
Hmm, you shouldn't use 'testparm' on a Samba AD DC, you should use
'samba-tool testparm', but having said that, perhaps it should have
printed a better error message, something like:
You have set up your Active Directory Domain controller smb.conf
incorrectly ;-)
If the following lines are in your smb.conf, I would suggest you remove
them:
    passdb backend = samba_dsdb
    winbind enum groups = Yes
    winbind enum users = Yes
    winbind nss info = rfc2307
    rpc_server:tcpip = no
    rpc_daemon:spoolssd = embedded
    rpc_server:spoolss = embedded
    rpc_server:winreg = embedded
    rpc_server:ntsvcs = embedded
    rpc_server:eventlog = embedded
    rpc_server:srvsvc = embedded
    rpc_server:svcctl = embedded
    rpc_server:default = external
    winbindd:use external pipes = true
    idmap config kley : range = 100-9999
    idmap config kley : schema_mode = rfc2307
    idmap config kley : unix_primary_group = yes
    idmap config kley : unix_nss_info = yes
    idmap config kley : backend = ad
    idmap config kley : default = yes
    idmap config * : range = 10000-999999999
    map acl inherit = Yes
    map archive = No
    vfs objects = acl_xattr
Rowland