Public bug reported:

We configure clients to use samba winbind for integrating into Active Directory. The IDs of our AD-users and AD-groups start above 10.000 - so we set the filter to

   idmap config COMPANY : range = 10000-165000

Unfortunately, all AD-users get the AD-membership of group 1001 which is an Active Directory BUILTIN-group:

   getent -s winbind group 1001
   BUILTIN\users:x:1001:

But since there exists a local user with id 1001 and also its group id 1001, all AD users within AD group 1001 (BUILTIN\users) are in the local group 1001, which is not wanted.

I changed the order in /etc/nsswitch.conf from

   passwd: files winbind systemd
   group:  files winbind systemd

to

   passwd: winbind systemd files
   group:  winbind systemd files

and it is working as expected!

The question is whether it is right to change this behavior in nsswitch.conf like I did, or if the idmap config range should filter these lower ids around 1000?

smb.conf:

   [global]
   workgroup = COMPANY
   realm = COMPANY.DE
   security = ads
   kerberos method = secrets and keytab
   server role = member server
   local master = no
   domain master = no
   disable netbios = yes
   log level = 3
   idmap config * : backend = tdb
   idmap config * : range = 1000-5000
   idmap config COMPANY : backend = ad
   idmap config COMPANY : range = 10000-165000
   idmap config COMPANY : schema_mode = rfc2307
   idmap config COMPANY : unix_nss_info = no
   idmap config COMPANY : unix_primary_group = yes
   template homedir = /home/%U
   template shell = /bin/bash
   winbind use default domain = yes
   winbind refresh tickets = yes
   winbind offline logon = yes
   winbind enum users = yes
   winbind enum groups = yes
   vfs objects = acl_xattr
   map acl inherit = yes
   store dos attributes = yes
   inherit permissions = Yes
   inherit acls = Yes
   acl group control = yes
   nt acl support = yes
   server string = %h server (Samba, Ubuntu)
   log file = /var/log/samba/log.%m
   max log size = 1000
   logging = file
   panic action = /usr/share/samba/panic-action %d
   obey pam restrictions = yes
   unix password sync = yes
   passwd program = /usr/bin/passwd %u
   passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
   pam password change = yes
   map to guest = bad user
   usershare allow guests = yes

** Affects: samba4 (Ubuntu)
     Importance: Undecided
         Status: New

** Tags: nsswitch samba smb winbind

** Summary changed:

- idmap config range filter is not working anymore
+ idmap config range filter is not working

** Summary changed:

- idmap config range filter is not working
+ idmap config range filter is not working for group ids

https://bugs.launchpad.net/bugs/1988850
Title: idmap config range filter is not working for group ids
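A check worth running on such a member server, as an added example that is not part of the bug report: it pulls the idmap ranges out of an smb.conf and the IDs out of a passwd/group file, then flags every local ID that falls inside a winbind range (the `*` range is the one winbind allocates from for BUILTIN and other well-known SIDs, so a local group 1001 sitting inside `1000-5000` is exactly the collision described above). The sample smb.conf excerpt and group entries are constructed for the run.

```python
"""Report local UIDs/GIDs that collide with Samba winbind idmap ranges.

Added example, not from the Launchpad report. It assumes only that the
smb.conf uses the standard 'idmap config <domain> : range = LOW-HIGH'
syntax and that passwd/group files keep the numeric ID in the third field.
"""
import re

# Matches e.g. "idmap config * : range = 1000-5000" (domain may be '*').
RANGE_RE = re.compile(
    r"^\s*idmap\s+config\s+(\S+)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)\s*$", re.I)


def parse_idmap_ranges(smb_conf_text):
    """Return {domain: (low, high)} for every idmap range line in smb.conf."""
    ranges = {}
    for line in smb_conf_text.splitlines():
        m = RANGE_RE.match(line)
        if m:
            ranges[m.group(1)] = (int(m.group(2)), int(m.group(3)))
    return ranges


def parse_ids(nss_text):
    """Return {name: numeric id} from passwd- or group-style lines."""
    ids = {}
    for line in nss_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 3 and fields[2].isdigit():
            ids[fields[0]] = int(fields[2])
    return ids


def find_collisions(ranges, local_ids):
    """Return [(name, id, domain)] for local IDs inside any idmap range."""
    hits = []
    for name, num in sorted(local_ids.items(), key=lambda kv: kv[1]):
        for domain, (low, high) in ranges.items():
            if low <= num <= high:
                hits.append((name, num, domain))
    return hits


# Constructed sample: the ranges from the report plus a local group 1001.
SAMPLE_SMB_CONF = """[global]
   idmap config * : backend = tdb
   idmap config * : range = 1000-5000
   idmap config COMPANY : backend = ad
   idmap config COMPANY : range = 10000-165000
"""
SAMPLE_GROUP = "root:x:0:\nadm:x:4:\nlocaladmin:x:1001:\n"

if __name__ == "__main__":
    for name, gid, dom in find_collisions(
            parse_idmap_ranges(SAMPLE_SMB_CONF), parse_ids(SAMPLE_GROUP)):
        print(f"local id {gid} ({name}) lies inside idmap range of '{dom}'")
```

Run it against `/etc/group` and `/etc/passwd` on the real host; any hit means the `*` or domain range must be moved above the local ID space (or local accounts renumbered) rather than hidden by reordering nsswitch.conf.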