Robbie Cook
2022-May-04 21:22 UTC
[Samba] Read RFC2307 attributes from trusted ActiveDirectory domain
Dear all,

I am having problems reading RFC2307 attributes from a trusted domain.

My setup looks like this.

The client machine where I'm testing from resides in Domain A.
Domain A contains several users all set with uidnumber & gidnumber
Domain A trusts Domain B
Domain B contains users set with uidnumber & gidnumber

So far I have successfully managed to map the user accounts from Domain A and they show up with the correct uid/gid values set within ActiveDirectory whenever I run a getent passwd. However, for the life of me I cannot get users from Domain B to return the correct uid/gid. They do not show using getent passwd so I'm using 'id first.name@domainb.local' to test.

The closest I have managed to get is to use the rfc2307 backend with the ldap server set to stand-alone. Using this backend I see the correct UID within the /var/log/samba/log.winbindd-idmap logfile; however, the primary_gid is always a null value and it looks like it tries to use the 'domain users' group to calculate the gid even though the users I'm testing with have been set with a different primary group ID in active directory. This results in this line being present in the same logfile:

_wbint_Sids2UnixIDs: id 0 is out of range 50001-1410065407 for domain domain

and no user being found when running 'id firstname.lastname@domainb.local'.

Here's my current smb.conf file with sensitive information removed.

[global]
log level = 10
log file = /var/log/samba/idmap.log

idmap config * : backend = tdb
idmap config * : range = 1000-4999

idmap config domainA : backend = ad
idmap config domainA : range = 5000-8000
idmap config domainA : unix_primary_group = yes

idmap config domainb : backend = rfc2307
idmap config domainb: range = 50001-9999999999
idmap config domainb: ldap_server = stand-alone
idmap config domainb : ldap_url = ldap://10.x.x.x/
idmap config prd : ldap_user_dn CN=idmap,OU=STANDARD_ACCOUNTS,DC=domainb,DC=local
idmap config prd : bind_path_user = OU=STANDARD_ACCOUNTS,DC=domainb,DC=local
idmap config prd : bind_path_group OU=UNIVERSAL_SECURITY_GROUPS,DC=domainb,DC=local

winbind refresh tickets = yes
kerberos method = secrets and keytab
winbind enum groups = no
winbind enum users = yes
workgroup = domaina
security = ads

passdb backend = tdbsam

printing = cups
printcap name = cups
load printers = yes
cups options = raw
template homedir = /home/%U
template shell = /bin/bash
realm = DOMAINA.LOCAL
winbind use default domain = yes
winbind offline logon = yes

What I find most interesting is that I can read all of the correct information when running the ldapsearch command for the same user, so I'm hopeful something is wrong in my config file.

Any hints/guidance would be much appreciated!

Many thanks
Robbie Cook
Rowland Penny
2022-May-06 10:18 UTC
[Samba] Read RFC2307 attributes from trusted ActiveDirectory domain
On Wed, 2022-05-04 at 22:22 +0100, Robbie Cook via samba wrote:
> Dear all,
>
> I am having problems reading RFC2307 attributes from a trusted domain.
>
> My setup looks like this.
>
> The client machine where I'm testing from resides in Domain A.
> Domain A contains several users all set with uidnumber & gidnumber
> Domain A trusts Domain B
> Domain B contains users set with uidnumber & gidnumber
>
> So far I have successfully managed to map the user accounts from Domain A
> and they show up with the correct uid/gid values set within ActiveDirectory
> whenever I run a getent passwd. However, for the life of me I cannot get
> users from Domain B to return the correct uid/gid. They do not show using
> getent passwd so I'm using 'id first.name@domainb.local' to test.
>
> The closest I have managed to get is to use the rfc2307 backend with the
> ldap server set to stand-alone. Using this backend I see the correct UID
> within the /var/log/samba/log.winbindd-idmap logfile however, the
> primary_gid is always a null value and it looks like it tries to use
> 'domain users' group to calculate the gid even though the users I'm testing
> with have been set with a different primary group ID in active directory.
> This results in this line being present in the same logfile
> _wbint_Sids2UnixIDs: id 0 is out of range 50001-1410065407 for domain
> domain and no user being found when running 'id
> firstname.lastname@domainb.local'
>
> Here's my current smb.conf file with sensitive information removed.
>
> [global]
> log level = 10
> log file = /var/log/samba/idmap.log
>
> idmap config * : backend = tdb
> idmap config * : range = 1000-4999
>
> idmap config domainA : backend = ad
> idmap config domainA : range = 5000-8000
> idmap config domainA : unix_primary_group = yes
>
> idmap config domainb : backend = rfc2307
> idmap config domainb: range = 50001-9999999999
> idmap config domainb: ldap_server = stand-alone
> idmap config domainb : ldap_url = ldap://10.x.x.x/
> idmap config prd : ldap_user_dn CN=idmap,OU=STANDARD_ACCOUNTS,DC=domainb,DC=local
> idmap config prd : bind_path_user OU=STANDARD_ACCOUNTS,DC=domainb,DC=local
> idmap config prd : bind_path_group OU=UNIVERSAL_SECURITY_GROUPS,DC=domainb,DC=local
>
> winbind refresh tickets = yes
> kerberos method = secrets and keytab
> winbind enum groups = no
> winbind enum users = yes
> workgroup = domaina
> security = ads
>
> passdb backend = tdbsam
>
> printing = cups
> printcap name = cups
> load printers = yes
> cups options = raw
> template homedir = /home/%U
> template shell = /bin/bash
> realm = DOMAINA.LOCAL
> winbind use default domain = yes
> winbind offline logon = yes

You refer to two domains, 'A' and 'B', yet your smb.conf has three: 'A', 'B' and 'PRD'.

You also have 'winbind use default domain = yes'; this is not allowed in a multiple domain setup.

I take it that you have tried the idmap 'ad' backend for 'B' and it didn't work. This leads to a question: do your users & groups in both domains have uidNumber & gidNumber attributes, and are the ones in domain 'A' inside the '5000-8000' range and the ones in domain 'B' inside the '50001-9999999999' range?

Rowland
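Rowland's closing question, whether every user and group carries a uidNumber and gidNumber inside the range configured for its domain, can be checked mechanically before touching the idmap config. The script below is an added example, not code from the thread or from Samba: it pulls the 'idmap config DOM : range' lines out of an smb.conf fragment and checks LDIF entries (in the shape ldapsearch returns) against them; the smb.conf lines repeat the thread's ranges, while the account names and numbers in the LDIF are constructed.

```python
import re
# Constructed smb.conf fragment with the idmap ranges posted in the thread.
SMB_CONF = """
idmap config * : range = 1000-4999
idmap config domainA : range = 5000-8000
idmap config domainb: range = 50001-9999999999
"""
# Constructed LDIF in ldapsearch output shape; names and numbers are made up.
LDIF = """
dn: CN=alice,OU=STANDARD_ACCOUNTS,DC=domaina,DC=local
uidNumber: 5001
gidNumber: 5100

dn: CN=bob,OU=STANDARD_ACCOUNTS,DC=domainb,DC=local
uidNumber: 50010

dn: CN=carol,OU=STANDARD_ACCOUNTS,DC=domainb,DC=local
uidNumber: 7000
gidNumber: 50020
"""
RANGE_RE = re.compile(r"^\s*idmap config\s+(\S+?)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)", re.I | re.M)
def parse_ranges(conf):
    """Lower-cased idmap domain -> (low, high); winbind matches domain names case-insensitively."""
    return {d.lower(): (int(lo), int(hi)) for d, lo, hi in RANGE_RE.findall(conf)}

def parse_ldif(text):
    """Yield (dn, attrs) per blank-line-separated entry, keeping each attribute's first value."""
    for block in re.split(r"\n\s*\n", text.strip()):
        attrs = {}
        for line in block.splitlines():
            if ":" in line:
                key, val = line.split(":", 1)
                attrs.setdefault(key.strip(), val.strip())
        if "dn" in attrs:
            yield attrs["dn"], attrs

def check_entries(conf, ldif):
    """(dn, problem) for each entry winbind cannot map: missing uidNumber/gidNumber or out of range."""
    ranges = parse_ranges(conf)
    problems = []
    for dn, attrs in parse_ldif(ldif):
        m = re.search(r"DC=([^,]+)", dn, re.I)  # first DC= component names the domain
        lo, hi = ranges.get(m.group(1).lower() if m else "*", ranges["*"])
        for attr in ("uidNumber", "gidNumber"):
            val = attrs.get(attr)
            if val is None:
                problems.append((dn, f"{attr} missing"))
            elif not lo <= int(val) <= hi:
                problems.append((dn, f"{attr} {val} outside {lo}-{hi}"))
    return problems
```

Feed it the real smb.conf and an ldapsearch dump of both domains' users and groups; any entry it reports is one winbind will refuse to map, which is the situation the 'id 0 is out of range' log line describes.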