On Wed, 2022-03-02 at 13:31 +0100, Lars Schimmer via samba
wrote:
> Hi
>
> After cleaning up a domain (removing old computers and users from the
> AD), removing SMBv1 from the Win2016 servers and getting a new krbtgt
> key (with the MS-provided PS script), our samba AD bind is somewhat
> broken.
Have you tried leaving the domain and then re-joining?
>
> idmap config * : backend = tdb
> idmap config * : range = 99000000-99999999
> #idmap config for the XYZ domain
> idmap config XYZ:backend = ad
> #idmap config XYZ:schema_mode = template
> idmap config XYZ:schema_mode = rfc2307
> idmap config XYZ:range = 100-98999999
>
If the uidNumbers in AD start at '1000', then the low range for 'XYZ'
should start at '1000'.
> It worked until we did cleanup the domain.
> Now we miss the users.
> With wbinfo -u /-g we do see all users and groups.
wbinfo just shows that the users exist in AD, it doesn't mean that
winbind will find them and pass this info to the OS.
> With getent group it shows the groups with a gid added, including
> Domain Users.
> With getent passwd it shows the local users and ONLY the members of
> the Administrator group, no other user.
>
> (removing the idmap config XYZ:range = 100-98999999 shows more
> users, but not all)
Don't do that, it puts everything into the default domain and they do
not belong there.
>
> All users should be in the uidnumber 1000-9999 range (not all Domain
> users do have the uidnumber, but the tested ones do have, as they do
> show up in wbinfo -u).
Any users that do not have a uidNumber will be ignored.
>
> wbinfo -u does show user schimmer.
>
> While trying to resolve the user, we get errors:
> wbinfo -i schimmer
> failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
> Could not get info for user schimmer
>
> wbinfo -n schimmer
>
> S-1-5-21-606634686-2143625475-3072335171-1502 SID_USER (1)
>
> wbinfo -S S-1-5-21-606634686-2143625475-3072335171-1502
> failed to call wbcSidToUid: WBC_ERR_DOMAIN_NOT_FOUND
> Could not convert sid S-1-5-21-606634686-2143625475-3072335171-1502
> to uid
>
> Logfile tells me:
> idmap_ad_sids_to_unixids: No xid in CN=Lars Schimmer,DC=cgv,DC=tugraz,DC=at
>
>
> So, what's the xid here, which is missing?
>
> And why does it show the members of the administrator group and not
> all users, which are all (even the administrators) in the Domain Users
> group?
>
> Anyone have a tip on how to go on to fix this?
Try re-joining and if this fails, please post your entire smb.conf.
Rowland
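The points raised in this thread (the '*' default range must not overlap the domain range, users without a uidNumber are ignored by idmap_ad, a uidNumber outside the domain's range cannot be mapped, and the low end of the range should line up with the smallest uidNumber) can be checked mechanically before re-joining. The following is an added example, not code from Rowland, Lars or the Samba project; it parses only the `idmap config` lines quoted above and audits them against a constructed list of AD users (names and uidNumbers invented for the example) rather than querying a real directory.

```python
import re
from typing import Dict, List, Optional, Tuple

# The idmap lines quoted in the thread (not a full smb.conf).
SMB_CONF = """
idmap config * : backend = tdb
idmap config * : range = 99000000-99999999
#idmap config for the XYZ domain
idmap config XYZ:backend = ad
#idmap config XYZ:schema_mode = template
idmap config XYZ:schema_mode = rfc2307
idmap config XYZ:range = 100-98999999
"""

# Constructed sample of AD users; in practice these would come from an LDAP
# query of the domain. 'None' models a user whose uidNumber attribute is unset.
SAMPLE_USERS: List[Dict[str, Optional[object]]] = [
    {"name": "schimmer", "uidNumber": 1002},
    {"name": "alice", "uidNumber": 1001},
    {"name": "nouid", "uidNumber": None},        # no uidNumber -> idmap_ad ignores it
    {"name": "stray", "uidNumber": 99000500},    # lands in the '*' range, not XYZ's
]

# "idmap config <domain>:<option> = <value>"; the domain part may be '*' and
# whitespace around ':' and '=' is optional, as in the quoted config.
IDMAP_RE = re.compile(r"^\s*idmap config\s+([^:\s]+)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.I)


def parse_idmap(conf: str) -> Dict[str, Dict[str, str]]:
    """Return {domain: {option: value}} from the idmap config lines, skipping comments."""
    out: Dict[str, Dict[str, str]] = {}
    for line in conf.splitlines():
        if line.lstrip().startswith(("#", ";")):
            continue
        m = IDMAP_RE.match(line)
        if m:
            dom, opt, val = m.group(1), m.group(2).lower(), m.group(3)
            out.setdefault(dom, {})[opt] = val
    return out


def parse_range(val: str) -> Tuple[int, int]:
    """'100-98999999' -> (100, 98999999)."""
    lo, hi = val.replace(" ", "").split("-")
    return int(lo), int(hi)


def audit(conf: str, users: List[Dict[str, Optional[object]]]) -> List[str]:
    """Findings an admin would want before re-joining: overlaps, ignored and unmappable users."""
    idmap = parse_idmap(conf)
    ranges = {d: parse_range(o["range"]) for d, o in idmap.items() if "range" in o}
    findings: List[str] = []

    # 1. Every range (including the '*' default) must be disjoint from every other.
    doms = sorted(ranges)
    for i, a in enumerate(doms):
        for b in doms[i + 1:]:
            (alo, ahi), (blo, bhi) = ranges[a], ranges[b]
            if alo <= bhi and blo <= ahi:
                findings.append(f"OVERLAP: {a} {alo}-{ahi} overlaps {b} {blo}-{bhi}")

    # 2. For backend = ad domains, a user is only mapped if it has a uidNumber
    #    and that uidNumber lies inside the domain's own range.
    for dom, opts in idmap.items():
        if opts.get("backend") != "ad" or dom not in ranges:
            continue
        lo, hi = ranges[dom]
        for u in users:
            uid = u["uidNumber"]
            if uid is None:
                findings.append(f"IGNORED: {u['name']} has no uidNumber (backend=ad, {dom})")
            elif not lo <= int(uid) <= hi:
                findings.append(f"OUT_OF_RANGE: {u['name']} uidNumber {uid} not in {dom} range {lo}-{hi}")
        numbered = [int(u["uidNumber"]) for u in users if u["uidNumber"] is not None]
        if numbered and lo < min(numbered):
            findings.append(f"ADVICE: {dom} range low end {lo} could be raised to {min(numbered)} (smallest uidNumber)")
    return findings


if __name__ == "__main__":
    for line in audit(SMB_CONF, SAMPLE_USERS):
        print(line)
```

Run against the quoted config, the audit reports no overlap, flags `nouid` as ignored (the reason some Domain Users never appear in `getent passwd`), flags `stray` because its uidNumber falls in the '*' range rather than XYZ's, and suggests raising the XYZ low end to the smallest real uidNumber. Replace `SAMPLE_USERS` with the output of an LDAP search for `uidNumber` to audit a real domain.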