Rowland penny
2021-Mar-12 13:19 UTC
[Samba] List of users seems truncated or incomplete in file server member of an Active Directory Domain
On 12/03/2021 12:25, David PAUGAM via samba wrote:

> Then, I unwillingly made a mistake in smb.conf and it worked!! The 2 previous commands returned the good numbers!
>
> Surprisingly, the conf seemed to work when the idmap Domain name is wrong...

If it only works with the 'wrong' DOMAIN name then you have major problems.

> Here is the "working" smb.conf, which must be wrong. And this time, the mistake is done intentionally ;-)
>
> [global]
>         workgroup=MYDOM
>         security=ads
>         realm=MYDOM.FR
>         winbind enum users=yes
>         winbind enum groups=yes
>         winbind use default domain=yes
>         idmap config * : backend = tdb
>         idmap config * : range = 3000-7999
>
> #Here are the "bad" lines / bad domain, which actually solved the "getent passwd"
>
>         idmap config WRONGDOM : backend = rid
>         idmap config WRONGDOM : range = 10000-999999
>
> Is there an explanation to this behaviour?

Possibly. I feel sure that if you check, you will find all your users are getting id's in the 3000-7999 range.

> Is there a way to check the way rid works?

I already showed you how the winbind 'rid' backend works, but I will go through it again, in a bit more depth.

You have two domains in your smb.conf, the default domain (*) and the 'MYDOM' domain.

The default domain uses an allocating backend and is meant for the Well Known SIDs (e.g. Administrators, Domain Computers, etc) and anything outside the main domain (MYDOM). There are less than 200 Well Known SIDs.

Your main domain (MYDOM) uses the winbind 'rid' backend; this uses the user's RID to calculate the user's Unix id. The formula is this:

ID = RID + LOW_RANGE_ID

So, if the user's RID is '1000', the calculation becomes this:

ID = 1000 + 10000

ID = 11000

If the calculated id is greater than '999999' (the upper range set in smb.conf), the user will be ignored.

The above also applies to groups.

As I also said, if one user works and the other doesn't, then you need to compare the working user's object in AD with the non-working user's AD object. If you are unsure about any differences, copy them into a file and send them to me.

Rowland
David PAUGAM
2021-Mar-15 15:12 UTC
[Samba] List of users seems truncated or incomplete in file server member of an Active Directory Domain
Hello all,

Rowland, thank you again for your help. It's now resolved.

The cause was the difference between the ID range in Active Directory, which was high for the last accounts, and the range of the rid backend.

Rid backend was set up to deliver RID numbers from 10 000 to 999 999. And in Active Directory, the RID range is up to 3 200 000. I don't know why it's so high, as I'm not the AD Admin.

So, I changed the smb.conf to

        idmap config MYDOM : backend = rid
        idmap config MYDOM : range = 10000-99999999

And all the accounts are now available!

Is there any risk with such high numbers?

Thanks again, I'm so happy it's solved :-)

David
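The rid mapping Rowland describes (ID = RID + LOW_RANGE_ID, object ignored when the result exceeds the upper bound of the range) and the fix David applied (widening the MYDOM range so RIDs up to 3 200 000 fit) can be checked offline before touching a member server. The following is an added example, not code from the thread or from Samba: it extracts the RID from a domain SID, applies the rid formula with the two ranges quoted above, and also checks that the default-domain (`*`) range and the MYDOM range do not overlap, which Samba requires for distinct idmap domains. The account names and SIDs are constructed sample values; only the ranges and the "up to 3 200 000" RID figure come from the thread.

```python
import re
from typing import Dict, Optional, Tuple

# idmap ranges quoted in the thread
RANGE_DEFAULT = (3000, 7999)          # idmap config * : range (tdb, allocating)
RANGE_MYDOM_ORIGINAL = (10000, 999999)  # the range that dropped high-RID accounts
RANGE_MYDOM_FIXED = (10000, 99999999)   # David's corrected range

# Domain SID: S-1-5-21-<a>-<b>-<c>-<RID>; the last sub-authority is the RID
SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+-(\d+)$")


def rid_from_sid(sid: str) -> int:
    """Return the RID (last sub-authority) of an AD domain SID."""
    m = SID_RE.match(sid)
    if not m:
        raise ValueError(f"not a domain SID: {sid}")
    return int(m.group(1))


def rid_backend_id(rid: int, id_range: Tuple[int, int]) -> Optional[int]:
    """Unix id the winbind 'rid' backend would produce: LOW_RANGE_ID + RID.

    Returns None when the result lies outside the configured range, which is
    the case where winbind ignores the user or group (the symptom in the thread).
    """
    low, high = id_range
    unix_id = low + rid
    if unix_id < low or unix_id > high:
        return None
    return unix_id


def ranges_overlap(a: Tuple[int, int], b: Tuple[int, int]) -> bool:
    """True if two idmap ranges share any id; distinct idmap domains must not."""
    return a[0] <= b[1] and b[0] <= a[1]


def map_accounts(accounts: Dict[str, str], id_range: Tuple[int, int]) -> Dict[str, Optional[int]]:
    """Map account name -> Unix id (or None if winbind would ignore it)."""
    return {name: rid_backend_id(rid_from_sid(sid), id_range) for name, sid in accounts.items()}


def max_rid_fits(max_rid: int, id_range: Tuple[int, int]) -> bool:
    """Sanity check for a rid range: the highest RID in the domain must map inside it."""
    return rid_backend_id(max_rid, id_range) is not None


# Constructed sample accounts; the domain part of the SID is made up.
# The RID of "late.user" reflects the thread's remark that AD had RIDs up to 3 200 000.
SAMPLE_ACCOUNTS = {
    "alice": "S-1-5-21-1111111111-2222222222-3333333333-1000",
    "bob": "S-1-5-21-1111111111-2222222222-3333333333-1105",
    "late.user": "S-1-5-21-1111111111-2222222222-3333333333-3200000",
}

if __name__ == "__main__":
    for label, rng in (("original", RANGE_MYDOM_ORIGINAL), ("fixed", RANGE_MYDOM_FIXED)):
        print(f"MYDOM range {label} {rng}: overlap with * range? {ranges_overlap(rng, RANGE_DEFAULT)}")
        for name, uid in map_accounts(SAMPLE_ACCOUNTS, rng).items():
            print(f"  {name:10s} -> {'IGNORED' if uid is None else uid}")
        print(f"  highest RID 3200000 fits: {max_rid_fits(3200000, rng)}")
```

With the original range, `late.user` maps to 10000 + 3200000 = 3210000, which is above 999999, so it is reported as ignored; with the corrected range the same account maps to 3210000 and appears. The `ranges_overlap` check is the quick way to confirm that widening one range did not collide with the `*` range used for the Well Known SIDs.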