Re: [Samba] idmap config DOMAIN Not Working

On 30/05/2019 14:03, Banks, David (db2d) via samba wrote:
So, after reading many samba setup pages I was under the impression that “properly” configuring idmap for an AD domain should look something like this:

Did you read these:



         security = ADS

         idmap config * : backend = tdb
         idmap config * : range = 10000-50000

         #   DOMAIN
         realm = DOMAIN.COM
         workgroup = DOMAIN
         idmap config DOMAIN:backend = ad
         idmap config DOMAIN:range = 100000-500000
         idmap config DOMAIN:schema_mode = rfc2307
         idmap config DOMAIN:unix_nss_info = yes
         idmap config DOMAIN:default = yes

However, I’ve been wrestling with this for weeks now without success. With these config lines users are not able to log in and wbinfo -i user yields the error

failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND

If I comment out the domain lines and expand the default range to accommodate the domain range — idmap config * : range 100000-500000 — wbinfo works and users can log in.

Until I read the last part of the above, I couldn't understand your problem, everything looked okay apart from the last line 'default = yes' which doesn't exist. You also have 'unix password sync = yes', you cannot have local Unix users with the same name in AD, you make AD users into Unix users.

I think you may have fallen into the common mistake of thinking that just setting up winbind ad in smb.conf is sufficient, it isn't. You have to give each user a uidNumber attribute containing a unique number in the '100000-500000' range. You will also have to give 'Domain Users' a gidNumber attribute containing a number inside the same range.
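As an added example (not from this thread or from Samba itself), a POSIX shell script that checks the quoted settings along the lines of the reply: whether the DOMAIN block carries options that man idmap_ad does not document, whether the '*' and DOMAIN ranges are disjoint, and whether a given uidNumber lies inside the DOMAIN range. The smb.conf fragment and the UID values are constructed; on a real host you would feed it `testparm -s` output and uidNumber values read from AD.

```shell
# Added example, not from the thread: sanity-check the idmap settings quoted above.
# On a real host feed it `testparm -s` output and a uidNumber read from AD; here
# the smb.conf fragment (the poster's settings) and the UIDs are constructed.
SMB_CONF_SAMPLE='[global]
   idmap config * : backend = tdb
   idmap config * : range = 10000-50000
   idmap config DOMAIN:backend = ad
   idmap config DOMAIN:range = 100000-500000
   idmap config DOMAIN:schema_mode = rfc2307
   idmap config DOMAIN:unix_nss_info = yes
   idmap config DOMAIN:default = yes'
# Options man idmap_ad documents (plus the backend line); extend for newer Samba.
KNOWN_AD_OPTS='backend range schema_mode unix_nss_info unix_primary_group'

# Print "idmap config X:opt<TAB>value" per idmap line, spacing around ':' removed.
idmap_lines() {
    printf '%s\n' "$SMB_CONF_SAMPLE" | awk -F= 'NF >= 2 {
        key = $1; val = $2
        gsub(/^[ \t]+|[ \t]+$/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
        gsub(/[ \t]*:[ \t]*/, ":", key)
        if (index(key, "idmap config ") == 1) print key "\t" val
    }'
}
# idmap_range DOM -> "low high" for idmap domain DOM ("*" is the default domain).
idmap_range() {
    idmap_lines | awk -F'\t' -v dom="$1" \
        '$1 == ("idmap config " dom ":range") { sub(/-/, " ", $2); print $2 }'
}

# unknown_idmap_opts DOM -> options set under DOM that idmap_ad does not document.
unknown_idmap_opts() {
    idmap_lines | awk -F'\t' -v dom="$1" -v known="$KNOWN_AD_OPTS" '
        BEGIN { n = split(known, k, " "); for (i = 1; i <= n; i++) ok[k[i]] = 1 }
        index($1, "idmap config " dom ":") == 1 {
            opt = substr($1, length("idmap config " dom ":") + 1)
            if (!(opt in ok)) print opt
        }'
}

# uid_in_range UID DOM -> true if UID (e.g. a user's uidNumber) lies in DOM's range.
uid_in_range() {
    set -- "$1" $(idmap_range "$2")   # word-splitting "low high" is intended
    [ -n "$3" ] && [ "$1" -ge "$2" ] && [ "$1" -le "$3" ]
}

# ranges_overlap DOM1 DOM2 -> true if the two ranges overlap (they must be disjoint).
ranges_overlap() {
    set -- $(idmap_range "$1") $(idmap_range "$2")
    [ -n "$4" ] && [ "$1" -le "$4" ] && [ "$3" -le "$2" ]
}
```

With the poster's settings the only finding is the undocumented `default` option under DOMAIN; a uidNumber of 20000 would be rejected because it falls in the '*' range, not the DOMAIN one.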