
[Samba] idmap backend ad well-known-sids 512 & 513

Hi,

we are in the process of testing a migration from our NT Classic Domain with OpenLdap to Samba AD.

In our test setup the migration of all accounts, groups and computer accounts went well using the classicupgrade path. The next step now is testing how to add a member server for file server services.

We were able to get the server to join the domain and also idmapping works mostly as expected.

If we use getent group everything works as expected and we get the correct group with the correct GID:

root@fileserv2:~# getent group SOMEDOM\\stas
SOMEDOM\stas:x:10165:

We can use getent passwd and wbinfo -i fine for all our ldap created users and get the correct UID/GID if we are using the config:
idmap config SOMEDOM:unix_primary_group = yes

root@fileserv2:~# getent passwd SOMEDOM\\test.zweimal
SOMEDOM\test.zweimal:*:10409:10000::/home/test.zweimal:/bin/false
root@fileserv2:~# wbinfo -i SOMEDOM\\test.zweimal
SOMEDOM\test.zweimal:*:10409:10000::/home/test.zweimal:/bin/false

10000 is the default GID we were using in ldap for all of our users.

If we remove this line we won't get any output, as the primary group will then be 513, which is the default Windows SID for "Domain Users", and as the mapping only starts at 10000 there is no mapping for winbind to find.

So far so good, and we can live perfectly well with having the line above in our config to make this work. But we still cannot get the info for "Domain Users" & "Domain Admins", as they still have the SIDs 513 & 512.

If we change the groups' GIDs in AD using the ADUC tool to 10513 & 10512 we are able to get the info out of wbinfo & getent passwd, but I guess this is not the way to do it properly?

root@fileserv2:~# getent group "SOMEDOM\\Domain Users"
SOMEDOM\domain users:x:10513:
root@fileserv2:~# getent group "SOMEDOM\\Domain Admins"
SOMEDOM\domain admins:x:10512:

Can someone shed some light on this, or maybe I just have some kind of misunderstanding of the concept? The RID backend will not be an option for us, as we will have multiple domains we need to trust, and as far as I understood this is not possible with RID.

The following smb.conf is used on the member server:

[global]
  netbios name = FILESERV2
  workgroup = SOMEDOM
  security = ADS
  realm = AD.SOMEDOM.COM

  idmap config *:backend = tdb
  idmap config *:range = 3000-7999
  idmap config SOMEDOM:backend = ad
  idmap config SOMEDOM:schema_mode = rfc2307
  idmap config SOMEDOM:range = 10000-999999
  idmap config SOMEDOM:unix_nss_info = yes
  idmap config SOMEDOM:unix_primary_group = yes

  winbind enum users = yes
  winbind enum groups = yes

  vfs objects = acl_xattr
  map acl inherit = yes
  store dos attributes = yes

Best,
Kai

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
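A small pre-flight check in the spirit of the question above, added here as an example and not part of Kai's post or of Samba itself: it models the rule the post observes, namely that with the ad backend and rfc2307 schema a user or group resolves only when its uidNumber/gidNumber is set and lies inside the domain's idmap range, and that with unix_primary_group off the primary group is the group whose RID equals the user's primaryGroupID. The smb.conf excerpt is copied from the post; the group/user records are constructed (only RIDs 512 and 513 are the real well-known values).

```python
import re

# Relevant lines of the smb.conf from the post (constructed copy).
SMB_CONF = """
[global]
  workgroup = SOMEDOM
  idmap config *:backend = tdb
  idmap config *:range = 3000-7999
  idmap config SOMEDOM:backend = ad
  idmap config SOMEDOM:schema_mode = rfc2307
  idmap config SOMEDOM:range = 10000-999999
"""

# Constructed AD objects. 512/513 are the well-known RIDs of
# Domain Admins / Domain Users; the other RIDs and values are made up.
GROUPS = {
    "stas":          {"rid": 1165, "gidNumber": 10165},
    "Domain Users":  {"rid": 513,  "gidNumber": None},
    "Domain Admins": {"rid": 512,  "gidNumber": None},
}
USERS = {
    "test.zweimal": {"uidNumber": 10409, "gidNumber": 10000, "primaryGroupID": 513},
}

def idmap_range(conf, domain):
    """Return (low, high) from 'idmap config DOMAIN:range', or None if unset."""
    m = re.search(r"idmap config %s:range\s*=\s*(\d+)\s*-\s*(\d+)" % re.escape(domain), conf)
    return (int(m.group(1)), int(m.group(2))) if m else None

def map_group(name, rng, groups=GROUPS):
    """Mimic idmap_ad for a group: gidNumber must exist and be inside the range."""
    gid = groups[name]["gidNumber"]
    if gid is None:
        return None, "no gidNumber attribute (RID %d)" % groups[name]["rid"]
    if not rng[0] <= gid <= rng[1]:
        return None, "gidNumber %d outside range %d-%d" % (gid, rng[0], rng[1])
    return gid, "ok"

def map_user(name, rng, unix_primary_group, users=USERS, groups=GROUPS):
    """Mimic 'getent passwd': both the uid and the primary gid must map."""
    u = users[name]
    uid = u["uidNumber"]
    if uid is None or not rng[0] <= uid <= rng[1]:
        return None, "uidNumber unusable"
    if unix_primary_group:
        gid = u["gidNumber"]  # primary group taken from the user's own attribute
        ok = gid is not None and rng[0] <= gid <= rng[1]
        return ((uid, gid), "ok") if ok else (None, "user gidNumber unusable")
    # Otherwise the primary group is the group whose RID equals primaryGroupID.
    pg = next((g for g, a in groups.items() if a["rid"] == u["primaryGroupID"]), None)
    if pg is None:
        return None, "primaryGroupID %d not found" % u["primaryGroupID"]
    gid, why = map_group(pg, rng, groups)
    return ((uid, gid), "ok") if gid is not None else (None, "primary group %r: %s" % (pg, why))
```

Running map_group on "Domain Users" reports the missing gidNumber, and map_user with unix_primary_group=False fails for the same reason, which is the behaviour the post describes; giving the group an in-range gidNumber makes both resolve.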