Wednesday, February 13, 2008

Another configuration with idmap_rid without specifying base_rid

I am only pasting my smb.conf here, which I think may be useful for others. This smb.conf works fine on RHEL4-U6 and RHEL5; it uses the idmap_rid module for mapping AD user/group SIDs to Linux UIDs/GIDs. The idmap_rid plugin generates a UID/GID for an AD user by adding a configurable base value (the low end of the idmap range) to the user's RID. For example:

Suppose I define the idmap config range as "1500 - 10000" in my smb.conf and the RID of an AD user is 1546; then the UID of that user would be 1500 + 1546, which is 3046.

The SID of user "u1" looks like this:

# wbinfo -n u1
S-1-5-21-2913803998-3319354983-1616611311-1106 User (1)

Here the RID of u1 is 1106, so his UID is 1500 + 1106, which is 2606.
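As an added example (not from the original post), this Python script reproduces idmap_rid's arithmetic on the `wbinfo -n` output above: it pulls the RID out of the SID, applies the configured range, and reports when the result would fall outside that range, which is when winbind refuses to map the account and the user cannot log in. The parsing and range-check functions are my own; the 1500-10000 range and the SID are the ones from the post.

```python
import re

# Constructed sample in the format `wbinfo -n u1` prints (SID from the post).
WBINFO_OUTPUT = "S-1-5-21-2913803998-3319354983-1616611311-1106 User (1)"

# A domain SID is S-1-5-21-<three sub-authorities>; the trailing number is the RID.
SID_RE = re.compile(r"^(S-1-5-21(?:-\d+){3})-(\d+)$")


def parse_sid(text):
    """Return (domain_sid, rid) from a bare SID or a full `wbinfo -n` line."""
    sid = text.split()[0]
    m = SID_RE.match(sid)
    if not m:
        raise ValueError("not a domain SID: %r" % sid)
    return m.group(1), int(m.group(2))


def parse_range(spec):
    """Parse an `idmap config DOM: range = 1500-10000` value into (low, high)."""
    low, high = (int(p.strip()) for p in spec.split("-", 1))
    if low >= high:
        raise ValueError("range low end must be below high end")
    return low, high


def rid_to_id(rid, low_id, high_id, base_rid=0):
    """Mirror idmap_rid's arithmetic: id = rid - base_rid + low_id.

    Returns None when the result lands outside [low_id, high_id]; winbind
    treats that as an unmapped SID, so such accounts get no UID/GID.
    """
    if rid < base_rid:
        return None
    xid = rid - base_rid + low_id
    if xid > high_id:
        return None
    return xid


def map_wbinfo_line(line, range_spec, base_rid=0):
    """Convenience wrapper: UID for one `wbinfo -n` line under a given range."""
    _, rid = parse_sid(line)
    low, high = parse_range(range_spec)
    return rid_to_id(rid, low, high, base_rid)


if __name__ == "__main__":
    print(map_wbinfo_line(WBINFO_OUTPUT, "1500-10000"))  # 2606, as in the post
```

With the post's range, RIDs above 8500 cannot be mapped at all; the script makes that limit visible before a user hits it.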

In this configuration we assume that our AD domain is

[global]
workgroup = WORKGROUP
netbios name = netbiosname
realm = REALM
server string = RHEL4 Test Server
security = ads
password server =
log file = /var/log/samba/%m.log
max log size = 50
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
printcap name = /etc/printcap
idmap domains = EXAMPLE
idmap config EXAMPLE: default = yes
idmap config EXAMPLE: backend = rid
idmap config EXAMPLE: range = 1500-10000
winbind separator = +
winbind use default domain = yes
cups options = raw
winbind nss info = rfc2307 sfu template

[homes]
comment = Home Directories
read only = No
browseable = No

[printers]
comment = All Printers
path = /var/spool/samba
printable = Yes
browseable = No

Configure /etc/krb5.conf appropriately if using Kerberos for authentication.

Join the system to the Active Directory domain:

# net ads join -U administrator

Run authconfig and choose winbind for name service and Kerberos for authentication. Don't join the system to the domain in this step, since we have already joined it.

Restart winbind. Now every AD user should be able to log in to the Linux system.
