Re: [Samba] idmap config DOMAIN Not Working
- Date: Thu, 30 May 2019 20:23:47 +0100
- From: Rowland penny via samba <samba@xxxxxxxxxxxxxxx>
- Subject: Re: [Samba] idmap config DOMAIN Not Working
On 30/05/2019 14:03, Banks, David (db2d) via samba wrote:
So, after reading many samba setup pages I was under the impression that “properly” configuring idmap for an AD domain should look something like this
Did you read these:
Until I read the last part of the above, I couldn't understand your
problem; everything looked okay apart from the last line 'default = yes',
which doesn't exist. You also have 'unix password sync = yes'; you
cannot have local Unix users with the same name in AD, you make AD users
into Unix users.
security = ADS
idmap config * : backend = tdb
idmap config * : range = 10000-50000
realm = DOMAIN.COM
workgroup = DOMAIN
idmap config DOMAIN:backend = ad
idmap config DOMAIN:range = 100000-500000
idmap config DOMAIN:schema_mode = rfc2307
idmap config DOMAIN:unix_nss_info = yes
idmap config DOMAIN:default = yes
However, I’ve been wrestling with this for weeks now without success. With these config lines users are not able to log in and wbinfo -i user yields the error
failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
If I comment out the domain lines and expand the default range to accommodate the domain range — idmap config * : range 100000-500000 — wbinfo works and users can log in.
I think you may have fallen into the common mistake of thinking that
just setting up winbind ad in smb.conf is sufficient, it isn't. You have
to give each user a uidNumber attribute containing a unique number in
the '100000-500000' range. You will also have to give 'Domain Users' a
gidNumber attribute containing a number inside the same range.
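A small checker, added here and not part of this thread or of Samba itself, that applies the two points above to the quoted fragment: it flags idmap sub-options that idmap_ad(8) does not define (such as 'default'), checks the domain range against the '*' range, and reports AD users or 'Domain Users' whose uidNumber/gidNumber is missing or falls outside the domain range. The AD attribute values passed in are constructed inputs, and the AD_OPTIONS set is an assumption that may lag the idmap_ad options of your Samba version.

```python
import re

# Constructed smb.conf idmap fragment mirroring the one quoted in the thread.
SMB_CONF = """
idmap config * : backend = tdb
idmap config * : range = 10000-50000
idmap config DOMAIN:backend = ad
idmap config DOMAIN:range = 100000-500000
idmap config DOMAIN:schema_mode = rfc2307
idmap config DOMAIN:unix_nss_info = yes
idmap config DOMAIN:default = yes
"""

# Options idmap_ad(8) accepts as far as this checker knows (assumption; extend the
# set if your Samba version documents more). 'default' is not among them.
AD_OPTIONS = {"backend", "range", "schema_mode", "unix_nss_info", "unix_primary_group"}

IDMAP_RE = re.compile(r"^\s*idmap config\s+(\S+)\s*:\s*(\w+)\s*=\s*(\S.*?)\s*$", re.I)

def parse_idmap(conf):
    """Return {domain: {option: value}} for every 'idmap config' line."""
    domains = {}
    for line in conf.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            domains.setdefault(m.group(1), {})[m.group(2).lower()] = m.group(3)
    return domains

def parse_range(text):
    return tuple(int(x) for x in text.split("-"))  # '100000-500000' -> (100000, 500000)

def check_idmap(conf, uid_numbers, domain_users_gid):
    """uid_numbers: {sAMAccountName: uidNumber or None}; domain_users_gid: gidNumber
    of 'Domain Users' or None. Both stand in for attributes read from AD."""
    problems = []
    domains = parse_idmap(conf)
    star_lo, star_hi = parse_range(domains["*"]["range"])
    for dom, opts in domains.items():
        if dom == "*" or opts.get("backend") != "ad":
            continue
        problems += [f"{dom}: unknown ad option '{o}'" for o in opts if o not in AD_OPTIONS]
        lo, hi = parse_range(opts["range"])
        if lo <= star_hi and star_lo <= hi:
            problems.append(f"{dom}: range {lo}-{hi} overlaps '*' range {star_lo}-{star_hi}")
        for user, uid in uid_numbers.items():
            if uid is None or not lo <= uid <= hi:
                problems.append(f"{dom}: user {user} lacks a uidNumber inside {lo}-{hi}")
        if domain_users_gid is None or not lo <= domain_users_gid <= hi:
            problems.append(f"{dom}: 'Domain Users' lacks a gidNumber inside {lo}-{hi}")
    return problems
```

Run it against the real smb.conf and the uidNumber/gidNumber values from AD before chasing wbinfo errors; testparm will not complain about an unknown idmap sub-option.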