[Samba] mapping sid to uid in member server




Hello
I am deploying a Samba network with an AD DC and a member server for file
sharing.
Samba version 4.5 on Debian 8.
In AD DC everything goes fine.
In member server, smb.conf:
        netbios name = ADFS1
        realm = CGSIBAD.SC
        workgroup = CGSIBAD
        client signing = yes
        client use spnego = yes
        kerberos method = secrets and keytab
        server role = member server
        idmap config * : backend = tdb
        idmap config CGSIBAD : backend = ad
        winbind nss info = rfc2307
        idmap_ldb:use rfc2307 = yes
        security = ads
        require strong key = yes
        client schannel = yes
        winbind expand groups = 1
        winbind enum groups = yes
        winbind enum users = yes

In the member server when I run wbinfo -n username I get the SID
correctly, but when I run:
wbinfo -S S-1-5-21-2356952658-3999694786-159306407-1287
failed to call wbcSidToUid: WBC_ERR_DOMAIN_NOT_FOUND
Could not convert sid S-1-5-21-2356952658-3999694786-159306407-1287 to uid

If I modify smb.conf including ranges:
        netbios name = ADFS1
        realm = CGSIBAD.SC
        workgroup = CGSIBAD
        client signing = yes
        client use spnego = yes
        kerberos method = secrets and keytab
        server role = member server
        idmap config * : backend = tdb
        idmap config * : range = 11000-11999
        idmap config CGSIBAD : backend = ad
        idmap config CGSIBAD : range = 10000-10999
        winbind nss info = rfc2307
        idmap_ldb:use rfc2307 = yes
        security = ads
        require strong key = yes
        client schannel = yes
        winbind expand groups = 4
        winbind enum groups = yes
        winbind enum users = yes

then mapping works correctly; so obviously I have some misunderstanding
that I need to clarify: I thought that by using the ad backend, all
sid/uid/gid queries were retrieved from the AD DC domain server, so that it
was not necessary to specify any uid range.

After a lot of digging I could not find any documentation regarding this
point, so would you be so kind as to point me to some source of
information about this point?

Regards

Jose Luis
