Re: [Samba] mapping sid to uid in member server




On Thu, 22 Mar 2018 08:37:16 +0100
Jose Luis Suarez via samba <samba@xxxxxxxxxxxxxxx> wrote:

> Hello
> I am deploying a samba network with an AD DC and a member server for
> file sharing.
> Samba version 4.5 on Debian 8.
> In AD DC everything goes fine.
> In member server, smb.conf:
>         netbios name = ADFS1
>         realm = CGSIBAD.SC
>         workgroup = CGSIBAD
>         client signing = yes
>         client use spnego = yes
>         kerberos method = secrets and keytab
>         server role = member server
>         idmap config * : backend = tdb
>         idmap config CGSIBAD : backend = ad
>         winbind nss info = rfc2307
>         idmap_ldb:use rfc2307 = yes
>         security = ads
>         require strong key = yes
>         client schannel = yes
>         winbind expand groups = 1
>         winbind enum groups = yes
>         winbind enum users = yes
> 
> In the member server when I run wbinfo -n username I get the SID
> correctly, but when
> wbinfo -S S-1-5-21-2356952658-3999694786-159306407-1287
> failed to call wbcSidToUid: WBC_ERR_DOMAIN_NOT_FOUND
> Could not convert sid S-1-5-21-2356952658-3999694786-159306407-1287
> to uid
> 
> If I modify smb.conf including ranges:
>         netbios name = ADFS1
>         realm = CGSIBAD.SC
>         workgroup = CGSIBAD
>         client signing = yes
>         client use spnego = yes
>         kerberos method = secrets and keytab
>         server role = member server
>         idmap config * : backend = tdb
>         idmap config * : range = 11000-11999
>         idmap config CGSIBAD : backend = ad
>         idmap config CGSIBAD : range = 10000-10999
>         winbind nss info = rfc2307
>         idmap_ldb:use rfc2307 = yes
>         security = ads
>         require strong key = yes
>         client schannel = yes
>         winbind expand groups = 4
>         winbind enum groups = yes
>         winbind enum users = yes
> 
> then mapping works correctly; so obviously I have some
> misunderstanding that I need to clarify: I thought that by using ad
> backend, all sid/uid/gid queries were retrieved from AD DC domain
> server, so that it was not necessary to specify any uid range.
> 
> After a lot of digging I could not find any documentation regarding
> this point, so would you be so kind as to point me to some source of
> information about this point?
> 
> Regards
> 
> Jose Luis
> 

I think you need a bigger spade ;-)

Did you miss this:

https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member#Configuring_Samba

Rowland
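
Added example (not part of the original thread and not Samba code): a small Python check, run over the idmap lines of the two configurations quoted above, that flags any idmap domain with a backend but no range, and any overlapping ranges. The function names are hypothetical; the rule that each configured idmap domain needs its own disjoint range is assumed from the smb.conf idmap documentation.

```python
import re

# Matches "idmap config DOMAIN : option = value" lines from smb.conf.
IDMAP_RE = re.compile(r"^\s*idmap config\s+(\S+)\s*:\s*(\w[\w ]*?)\s*=\s*(.+?)\s*$", re.I)

def parse_idmap(conf_text):
    """Return {domain: {option: value}} for every idmap config line."""
    domains = {}
    for line in conf_text.splitlines():
        if line.lstrip().startswith(("#", ";")):   # skip commented-out lines
            continue
        m = IDMAP_RE.match(line)
        if m:
            dom, opt, val = m.groups()
            domains.setdefault(dom.upper(), {})[opt.lower()] = val
    return domains

def check_idmap(conf_text):
    """List problems: backend without a range, malformed or overlapping ranges."""
    problems, ranges = [], []
    for dom, opts in sorted(parse_idmap(conf_text).items()):
        if "range" not in opts:
            if "backend" in opts:
                problems.append(f"{dom}: backend '{opts['backend']}' has no range")
            continue
        m = re.fullmatch(r"(\d+)\s*-\s*(\d+)", opts["range"])
        if not m or int(m.group(1)) > int(m.group(2)):
            problems.append(f"{dom}: invalid range '{opts['range']}'")
            continue
        ranges.append((int(m.group(1)), int(m.group(2)), dom))
    ranges.sort()   # sorted by low bound, so any overlap shows up between neighbours
    for (lo1, hi1, d1), (lo2, hi2, d2) in zip(ranges, ranges[1:]):
        if lo2 <= hi1:
            problems.append(f"{d1} and {d2}: ranges overlap")
    return problems

# Constructed from the two configurations quoted in the thread (idmap lines only).
WITHOUT_RANGES = """
    idmap config * : backend = tdb
    idmap config CGSIBAD : backend = ad
"""
WITH_RANGES = WITHOUT_RANGES + """
    idmap config * : range = 11000-11999
    idmap config CGSIBAD : range = 10000-10999
"""

if __name__ == "__main__":
    for name, conf in (("without ranges", WITHOUT_RANGES), ("with ranges", WITH_RANGES)):
        print(name, "->", check_idmap(conf) or "ok")
```

Overlapping ranges are worth catching before deployment because two domains could then resolve to the same uid or gid, which confuses file ownership and ACL checks on the member server.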
