Hello All,

I'm having issues joining some Ubuntu servers to an Active Directory domain with trusts. All my machines are running samba and winbind. I have two domains, we'll call them CORPORATE and CUSTOMER. CUSTOMER has a one way trust with CORPORATE, such that any resources CUSTOMER can access, CORPORATE can as well, but not vice-versa. On all of my CORPORATE machines, users are assigned UIDs/GIDs in the range 10000-20000, and this has worked well so far. On CUSTOMER machines, I'd like to make it so that CORPORATE users are in the range 10000-20000 (just like on my CORPORATE machines), and CUSTOMER users are in the range 20001-30000. However, for some reason, with my current configs (attached), after joining to the domain, all users end up in the 30001-40000 range assigned to `*`. I tried not defining a range for `*`, but testparm gave me errors and samba wouldn't launch. I'm a complete amateur at this, so I would appreciate any help you could offer. Thanks.

krb5.conf:

```
[libdefaults]
dns_lookup_realm = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
rdns = false
default_realm = CUSTOMER.TLD
default_ccache_name = KEYRING:persistent:%{uid}

[realms]
CUSTOMER.TLD = {
    kdc = ad.customer.tld
    admin_server = ad.customer.tld
    default_domain = customer.tld
    pkinit_anchors = FILE:/etc/pki/nssdb/certificate.pem
    pkinit_cert_match = <KU>digitalSignature
    pkinit_kdc_hostname = ad.customer.tld
}
CORPORATE.TLD = {
    kdc = ad.corporate.tld
    admin_server = ad.corporate.tld
    default_domain = corporate.tld
    pkinit_anchors = FILE:/etc/pki/nssdb/certificate.pem
    pkinit_cert_match = <KU>digitalSignature
    pkinit_kdc_hostname = ad.corporate.tld
}

[domain_realm]
.customer.tld = CUSTOMER.TLD
customer.tld = CUSTOMER.TLD
.corporate.tld = CORPORATE.TLD
corporate.tld = CORPORATE.TLD
```

smb.conf:

```
[global]
workgroup = CUSTOMER
usershare allow guests = NO
kerberos method = secrets and keytab
realm = CUSTOMER.TLD
security = ADS
idmap config *:range = 30001-40000
idmap config CUSTOMER:range = 20001-30000
idmap config CORPORATE:range = 10000-20000
template homedir = /home/%D/%U
template shell = /bin/bash
winbind use default domain=true
winbind offline logon = yes
winbind refresh tickets = yes
winbind scan trusted domains = yes
```
On Thu, 2 Nov 2023 12:30:51 -0400 Anthony Halliday via samba <samba at lists.samba.org> wrote:

> Hello All,
> I'm having issues joining some Ubuntu servers to an Active Directory
> domain with trusts. All my machines are running samba and winbind. I
> have two domains, we'll call them CORPORATE and CUSTOMER. CUSTOMER
> has a one way trust with CORPORATE, such that any resources CUSTOMER
> can access, CORPORATE can as well, but not vice-versa. On all of my
> CORPORATE machines, users are assigned UIDs/GIDs in the range
> 10000-20000, and this has worked well so far. On CUSTOMER machines,
> I'd like to make it so that CORPORATE users are in the range
> 10000-20000 (just like on my CORPORATE machines), and CUSTOMER users
> are in the range 20001-30000. However, for some reason, with my
> current configs (attached), after joining to the domain, all users
> end up in the 30001-40000 range assigned to `*`. I tried not defining
> a range for `*`, but testparm gave me errors and samba wouldn't
> launch. I'm a complete amateur at this, so I would appreciate any
> help you could offer. Thanks.
>
> krb5.conf:
> ```
> [libdefaults]
> dns_lookup_realm = false
> ticket_lifetime = 24h
> renew_lifetime = 7d
> forwardable = true
> rdns = false
> default_realm = CUSTOMER.TLD
> default_ccache_name = KEYRING:persistent:%{uid}
>
> [realms]
> CUSTOMER.TLD = {
>     kdc = ad.customer.tld
>     admin_server = ad.customer.tld
>     default_domain = customer.tld
>     pkinit_anchors = FILE:/etc/pki/nssdb/certificate.pem
>     pkinit_cert_match = <KU>digitalSignature
>     pkinit_kdc_hostname = ad.customer.tld
> }
> CORPORATE.TLD = {
>     kdc = ad.corporate.tld
>     admin_server = ad.corporate.tld
>     default_domain = corporate.tld
>     pkinit_anchors = FILE:/etc/pki/nssdb/certificate.pem
>     pkinit_cert_match = <KU>digitalSignature
>     pkinit_kdc_hostname = ad.corporate.tld
> }
>
> [domain_realm]
> .customer.tld = CUSTOMER.TLD
> customer.tld = CUSTOMER.TLD
> .corporate.tld = CORPORATE.TLD
> corporate.tld = CORPORATE.TLD
> ```
>
> smb.conf:
> ```
> [global]
> workgroup = CUSTOMER
> usershare allow guests = NO
> kerberos method = secrets and keytab
> realm = CUSTOMER.TLD
> security = ADS
> idmap config *:range = 30001-40000

The default range '*' is meant for the Well Known Users (of which there are less than 200) and anything outside the DOMAINS set in smb.conf (basically 0), so why do you have a range that is about 10000 ?

> idmap config CUSTOMER:range = 20001-30000
> idmap config CORPORATE:range = 10000-20000

Where are your backend settings for the DOMAINS ?

As you appear to have uidNumber & gidNumber attributes (that is the way it sounds), I would expect lines similar to these:

```
idmap config CORPORATE: backend = ad
idmap config CORPORATE:range = 10000-20000
idmap config CUSTOMER: backend = rid
idmap config CUSTOMER:range = 20001-30000
```

> template homedir = /home/%D/%U
> template shell = /bin/bash
> winbind use default domain=true

Sorry, but you cannot use 'winbind use default domain = true' with multiple domains.

> winbind offline logon = yes
> winbind refresh tickets = yes
> winbind scan trusted domains = yes
> ```

Rowland
Hello,

Thank you for the previous reply. This has made me realize that I misunderstood most of the settings that I set. To clarify, I currently do not have UIDs and GIDs stored in Active Directory, and I currently don't plan on setting that up. My other computers are using tdb as the backend, and for uniformity across all my machines I would like to use that on all of them.

Could you possibly elaborate a bit more on what the `*` range is for. I haven't been able to find any useful info in the docs/wiki.

Also, other than restarting samba and winbind, is there anything else I have to do to make the UID changes take effect?

Thanks.
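The two mistakes Rowland points at (no per-domain backend, and `winbind use default domain` with two domains) plus the overlap risk that comes with hand-assigned ranges are easy to check mechanically before restarting winbind. The following is an added example, not code from the thread or from Samba: it parses the idmap lines of an smb.conf and reports those problems. The sample configs are constructed from the poster's settings; the corrected variant assumes the `rid` backend for the two named domains and the wiki's small `3000-7999` range for `*`, which are my assumptions, not the thread's final answer.

```python
import re
from itertools import combinations

# Constructed from the thread: the poster's idmap settings, which leave every
# domain without a backend and turn on 'use default domain' for two domains.
ORIGINAL = """idmap config *:range = 30001-40000
idmap config CUSTOMER:range = 20001-30000
idmap config CORPORATE:range = 10000-20000
winbind use default domain=true
winbind scan trusted domains = yes
"""
# Assumed corrected version: '*' only needs room for well-known SIDs; rid derives
# the id from the SID, so the same range gives the same ids on every host
# (tdb allocates ids in first-seen order, so tdb mappings differ per machine).
CORRECTED = """idmap config * : backend = tdb
idmap config * : range = 3000-7999
idmap config CORPORATE : backend = rid
idmap config CORPORATE : range = 10000-20000
idmap config CUSTOMER : backend = rid
idmap config CUSTOMER : range = 20001-30000
winbind scan trusted domains = yes
"""
IDMAP_RE = re.compile(r"^\s*idmap config\s+(\S+?)\s*:\s*(backend|range)\s*=\s*(.+?)\s*$", re.I)
DEFAULT_RE = re.compile(r"^\s*winbind use default domain\s*=\s*(yes|true)\s*$", re.I)

def parse_idmap(conf):
    """Collect backend/range per idmap domain and whether 'use default domain' is on."""
    domains, use_default = {}, False
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0]                 # drop trailing comments
        if m := IDMAP_RE.match(line):
            domains.setdefault(m[1], {})[m[2].lower()] = m[3]
        elif DEFAULT_RE.match(line):
            use_default = True
    return domains, use_default

def check_idmap(conf):
    """Return a list of problems; empty means every domain has a backend and disjoint range."""
    domains, use_default = parse_idmap(conf)
    problems, ranges = [], {}
    if "*" not in domains:
        problems.append("no 'idmap config *' settings (needed for well-known SIDs)")
    for dom, cfg in domains.items():
        if "backend" not in cfg:
            problems.append(f"{dom}: no backend configured")
        if "range" not in cfg:
            problems.append(f"{dom}: no range configured")
            continue
        lo, hi = (int(x) for x in cfg["range"].split("-"))
        ranges[dom] = (lo, hi)
    for (a, (alo, ahi)), (b, (blo, bhi)) in combinations(ranges.items(), 2):
        if alo <= bhi and blo <= ahi:               # overlap => two SIDs can share one uid
            problems.append(f"ranges of {a} and {b} overlap")
    if use_default and len([d for d in domains if d != "*"]) > 1:
        problems.append("'winbind use default domain' is unusable with more than one domain")
    return problems
```

Run it against the real file with `check_idmap(open("/etc/samba/smb.conf").read())`; it complements `testparm`, which validates syntax but not whether the ranges fit together.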