Web lists-archives.com

[Samba] idmap config DOMAIN Not Wroking




So, after reading many samba setup pages I was under the impression that “properly” configuring idmap for an AD domain should look something like this

        security = ADS

        idmap config * : backend = tdb
        idmap config * : range = 10000-50000

        #   DOMAIN
        realm = DOMAIN.COM<http://DOMAIN.COM>
        workgroup = DOMAIN
        idmap config DOMAIN:backend = ad
        idmap config DOMAIN:range = 100000-500000
        idmap config DOMAIN:schema_mode = rfc2307
        idmap config DOMAIN:unix_nss_info = yes
        idmap config DOMAIN:default = yes

However, I’ve been wrestling with this for weeks now without success. With these config lines users are not able to log in and wbinfo -i user yields the error

failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND

If I comment out the domain lines and expand the default range to accommodate the domain range — idmap config * : range 100000-500000 — wbinfo works and users can log in.

My problem: The volumes that make up the shares will be shared from more than one server. With only the default map configured I seem to get server specific mapping. That is when I mount the same volume on another server the filesystem permissions are hosed.

Below is the full smb.conf file. I assume I’m doing something wrong but can’t for the life of me figure out what that is. Has anyone confronted this before?

OS: Ubuntu 18.04
Samba: 4.9.8
Winbind installed

smb.conf (names changed to protect the guilty!)
[global]
# Server
bind interfaces only = yes
server min protocol = SMB2
server string = %h server (Samba, Ubuntu)
allow trusted domains = yes

wins support = no
dns proxy = no

# Authentication
server role = member server
passdb backend = tdbsam
obey pam restrictions = yes
unix password sync = yes
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
pam password change = yes
map to guest = bad user
usershare allow guests = no

# Domains
#   Default
kerberos method = secrets and keytab
dedicated keytab file = /etc/krb5.keytab
security = ADS

idmap config * : backend = tdb
idmap config * : range = 100000-500000

# winbind enum users = yes
# winbind enum groups = yes
winbind nested groups = true
winbind use default domain = yes
winbind refresh tickets = yes
# winbind trusted domains only = yes
winbind nss info = rfc2307

#   DOMAIN
realm = DOMAIN.COM<http://DOMAIN.COM>
workgroup = DOMAIN
# idmap config DOMAIN:backend = ad
# idmap config DOMAIN:range = 100000-500000
# idmap config DOMAIN:schema_mode = rfc2307
# idmap config DOMAIN:unix_nss_info = yes
# idmap config DOMAIN:default = yes

# Client
template homedir = /home/%U
template shell = /bin/bash
client signing = yes
client use spnego = yes
client ntlmv2 auth = yes
client ipc min protocol = SMB2
encrypt passwords = true
restrict anonymous = 2
keepalive = 60
deadtime = 10

disable netbios = yes
smb ports = 445
unix extensions = no


# Logging
log level = 10
log file = /var/log/samba/log.%m
max log size = 1000
panic action = /usr/share/samba/panic-action %d

# Includes
#   IP Based Include
include = /etc/samba/smb.conf.%i


-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba