Hello All,
I'm having issues joining some Ubuntu servers to an Active Directory domain
with trusts. All my machines are running samba and winbind. I have two
domains, we'll call them CORPORATE and CUSTOMER. CUSTOMER has a one way
trust with CORPORATE, such that any resources CUSTOMER can access, CORPORATE can
as well, but not vice-versa. On all of my CORPORATE machines, users are assigned
UIDs/GIDs in the range 10000-20000, and this has worked well so far. On CUSTOMER
machines, I'd like to make it so that CORPORATE users are in the range
10000-20000 (just like on my CORPORATE machines), and CUSTOMER users are in the
range 20001-30000. However, for some reason, with my current configs (attached),
after joining to the domain, all users end up in the 30001-40000 range assigned
to '*'. I tried not defining a range for '*', but testparm gave me errors and
samba wouldn't launch. I'm a complete amateur at this, so I would
appreciate any help you could offer. Thanks.
krb5.conf:
```
[libdefaults]
dns_lookup_realm = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
rdns = false
default_realm = CUSTOMER.TLD
default_ccache_name = KEYRING:persistent:%{uid}
[realms]
CUSTOMER.TLD = {
kdc = ad.customer.tld
admin_server = ad.customer.tld
default_domain = customer.tld
pkinit_anchors = FILE:/etc/pki/nssdb/certificate.pem
pkinit_cert_match = <KU>digitalSignature
pkinit_kdc_hostname = ad.customer.tld
}
CORPORATE.TLD = {
kdc = ad.corporate.tld
admin_server = ad.corporate.tld
default_domain = corporate.tld
pkinit_anchors = FILE:/etc/pki/nssdb/certificate.pem
pkinit_cert_match = <KU>digitalSignature
pkinit_kdc_hostname = ad.corporate.tld
}
[domain_realm]
.customer.tld = CUSTOMER.TLD
customer.tld = CUSTOMER.TLD
.corporate.tld = CORPORATE.TLD
corporate.tld = CORPORATE.TLD
```
smb.conf:
```
[global]
workgroup = CUSTOMER
usershare allow guests = NO
kerberos method = secrets and keytab
realm = CUSTOMER.TLD
security = ADS
idmap config *:range = 30001-40000
idmap config CUSTOMER:range = 20001-30000
idmap config CORPORATE:range = 10000-20000
template homedir = /home/%D/%U
template shell = /bin/bash
winbind use default domain=true
winbind offline logon = yes
winbind refresh tickets = yes
winbind scan trusted domains = yes
```
On Thu, 2 Nov 2023 12:30:51 -0400 Anthony Halliday via samba <samba at lists.samba.org> wrote:

> Hello All,
> I'm having issues joining some Ubuntu servers to an Active Directory
> domain with trusts. All my machines are running samba and winbind. I
> have two domains, we'll call them CORPORATE and CUSTOMER. CUSTOMER
> has a one way trust with CORPORATE, such that any resources CUSTOMER
> can access, CORPORATE can as well, but not vice-versa. On all of my
> CORPORATE machines, users are assigned UIDs/GIDs in the range
> 10000-20000, and this has worked well so far. On CUSTOMER machines,
> I'd like to make it so that CORPORATE users are in the range
> 10000-20000 (just like on my CORPORATE machines), and CUSTOMER users
> are in the range 20001-30000. However, for some reason, with my
> current configs (attached), after joining to the domain, all users
> end up in the 30001-40000 range assigned to '*'. I tried not defining
> a range for '*', but testparm gave me errors and samba wouldn't
> launch. I'm a complete amateur at this, so I would appreciate any
> help you could offer. Thanks.
> krb5.conf:
> ```
> [libdefaults]
> dns_lookup_realm = false
> ticket_lifetime = 24h
> renew_lifetime = 7d
> forwardable = true
> rdns = false
> default_realm = CUSTOMER.TLD
> default_ccache_name = KEYRING:persistent:%{uid}
> [realms]
> CUSTOMER.TLD = {
> kdc = ad.customer.tld
> admin_server = ad.customer.tld
> default_domain = customer.tld
> pkinit_anchors = FILE:/etc/pki/nssdb/certificate.pem
> pkinit_cert_match = <KU>digitalSignature
> pkinit_kdc_hostname = ad.customer.tld
> }
> CORPORATE.TLD = {
> kdc = ad.corporate.tld
> admin_server = ad.corporate.tld
> default_domain = corporate.tld
> pkinit_anchors = FILE:/etc/pki/nssdb/certificate.pem
> pkinit_cert_match = <KU>digitalSignature
> pkinit_kdc_hostname = ad.corporate.tld
> }
> [domain_realm]
> .customer.tld = CUSTOMER.TLD
> customer.tld = CUSTOMER.TLD
> .corporate.tld = CORPORATE.TLD
> corporate.tld = CORPORATE.TLD
> ```
>
> smb.conf:
> ```
> [global]
> workgroup = CUSTOMER
> usershare allow guests = NO
> kerberos method = secrets and keytab
> realm = CUSTOMER.TLD
> security = ADS
> idmap config *:range = 30001-40000

The default range '*' is meant for the Well Known Users (of which there are less than 200) and anything outside the DOMAINS set in smb.conf (basically 0), so why do you have a range that is about 10000?

> idmap config CUSTOMER:range = 20001-30000
> idmap config CORPORATE:range = 10000-20000

Where are your backend settings for the DOMAINS?

As you appear to have uidNumber & gidNumber attributes (that is the way it sounds), I would expect lines similar to these:

```
idmap config CORPORATE : backend = ad
idmap config CORPORATE : range = 10000-20000
idmap config CUSTOMER : backend = rid
idmap config CUSTOMER : range = 20001-30000
```

> template homedir = /home/%D/%U
> template shell = /bin/bash
> winbind use default domain=true

Sorry, but you cannot use 'winbind use default domain = true' with multiple domains.

> winbind offline logon = yes
> winbind refresh tickets = yes
> winbind scan trusted domains = yes
> ```

Rowland
Hello,

Thank you for the previous reply. This has made me realize that I misunderstood most of the settings that I set. To clarify, I currently do not have UIDs and GIDs stored in Active Directory, and I currently don't plan on setting that up. My other computers are using tdb as the backend, and for uniformity across all my machines I would like to use that on all of them.

Could you possibly elaborate a bit more on what the * range is for? I haven't been able to find any useful info in the docs/wiki. Also, other than restarting samba and winbind, is there anything else I have to do to make the UID changes take effect?

Thanks.
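The two faults Rowland points at (per-domain `range` lines with no `backend`, and `winbind use default domain` alongside several mapped domains) are exactly the kind of thing the posted config sailed through `testparm` with: the join succeeded and every SID was still allocated out of the `'*'` range. The script below is an added example for this thread, not Samba's own tooling and not something either poster ran. It parses the `[global]` idmap lines of an smb.conf and reports a domain block that has a range but no backend (winbind does not use such a block, so its SIDs fall back to `'*'`), a missing `'*'` range, overlapping ranges, and `winbind use default domain` with more than one mapped domain. The embedded configs are constructed: `BAD_SMB_CONF` mirrors the smb.conf posted above; `GOOD_SMB_CONF` is one layout consistent with Anthony's follow-up (tdb for `'*'`, rid for the two domains, a small `'*'` range sized for the well-known SIDs) and is an assumption about what he wants, not something the thread settled on.

```python
"""Lint the idmap layout of an smb.conf for the problems raised in this thread.

Added example for the samba-list thread above; not part of Samba. The two
configs below are constructed for the demonstration.
"""
import re

# Constructed: mirrors the smb.conf posted by the original poster.
BAD_SMB_CONF = """
[global]
workgroup = CUSTOMER
realm = CUSTOMER.TLD
security = ADS
idmap config *:range = 30001-40000
idmap config CUSTOMER:range = 20001-30000
idmap config CORPORATE:range = 10000-20000
winbind use default domain=true
winbind scan trusted domains = yes
"""

# Constructed (assumption): tdb for the default domain, rid per real domain,
# the '*' range kept small because it only has to hold the well-known SIDs.
GOOD_SMB_CONF = """
[global]
workgroup = CUSTOMER
realm = CUSTOMER.TLD
security = ADS
idmap config * : backend = tdb
idmap config * : range = 3000-7999
idmap config CUSTOMER : backend = rid
idmap config CUSTOMER : range = 20001-30000
idmap config CORPORATE : backend = rid
idmap config CORPORATE : range = 10000-20000
winbind scan trusted domains = yes
"""

# "idmap config DOMAIN : key = value", with or without spaces around the colon.
IDMAP_RE = re.compile(r"^\s*idmap\s+config\s+(\S+)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.I)
# Any other "name = value" global parameter.
PARAM_RE = re.compile(r"^\s*([^=]+?)\s*=\s*(.+?)\s*$")


def parse_global(text):
    """Return (idmap settings keyed by domain, other global parameters)."""
    idmap = {}
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;[":   # blank, comment, or section header
            continue
        m = IDMAP_RE.match(line)
        if m:
            dom, key, val = m.group(1).upper(), m.group(2).lower(), m.group(3)
            idmap.setdefault(dom, {})[key] = val
            continue
        m = PARAM_RE.match(line)
        if m:
            params[re.sub(r"\s+", " ", m.group(1).lower())] = m.group(2)
    return idmap, params


def parse_range(val):
    """'10000-20000' -> (10000, 20000); raises ValueError on anything else."""
    lo, hi = (int(x) for x in val.split("-"))
    if lo > hi:
        raise ValueError(val)
    return lo, hi


def lint_idmap(text):
    """Return a list of findings; an empty list means the layout looks sane."""
    idmap, params = parse_global(text)
    findings = []
    ranges = {}
    for dom, cfg in idmap.items():
        if "range" not in cfg:
            findings.append(f"{dom}: no range configured")
            continue
        try:
            ranges[dom] = parse_range(cfg["range"])
        except ValueError:
            findings.append(f"{dom}: malformed range {cfg['range']!r}")
            continue
        # A domain block without a backend is not used by winbind; its SIDs
        # are allocated from '*', which is the symptom in the original post.
        if dom != "*" and "backend" not in cfg:
            findings.append(f"{dom}: range set but no backend; SIDs fall back to '*'")
    if "*" not in idmap:
        findings.append("'*': default idmap domain missing; winbind needs a range for it")
    # Ranges must not overlap, or two SIDs can resolve to the same UID/GID.
    ordered = sorted(ranges, key=lambda d: ranges[d][0])
    for a, b in zip(ordered, ordered[1:]):
        if ranges[a][1] >= ranges[b][0]:
            findings.append(f"ranges overlap: {a} {ranges[a]} and {b} {ranges[b]}")
    # Unqualified names are ambiguous once more than one domain is mapped.
    mapped = [d for d in idmap if d != "*"]
    flag = params.get("winbind use default domain", "no").lower()
    if flag in ("yes", "true", "1") and len(mapped) > 1:
        findings.append("'winbind use default domain' set with "
                        f"{len(mapped)} mapped domains; unqualified names become ambiguous")
    return findings


if __name__ == "__main__":
    for label, conf in (("posted", BAD_SMB_CONF), ("corrected", GOOD_SMB_CONF)):
        print(f"{label}: {lint_idmap(conf) or ['ok']}")
```

One caveat that follows from the backend choice rather than from the thread: tdb hands out IDs on first sight and remembers them in winbindd's idmap database, so editing the ranges after users have already been mapped does not move anyone; rid derives the ID from the SID's RID and the range, so the same SID gets the same UID on every host that shares the range, which is what the "10000-20000 on every CORPORATE machine" requirement actually needs.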