[Samba] [samba] idmap question

Rowland Penny rpenny at samba.org
Thu Aug 10 10:51:59 UTC 2017


On Thu, 10 Aug 2017 12:19:36 +0200
"L.P.H. van Belle via samba" <samba at lists.samba.org> wrote:

> Hai Mathias, 
> 
> Type:  wbinfo --all-domains 
> 
> You should see 3 domainnames. 
> 
> BUILTIN	=> idmap config *
> HOSTNAME	=> ? Don't know where this one maps to. 
> NTDOM		=> idmap config NTDOM

On a Unix domain member, I get 4

BUILTIN
HOSTNAME
NTDOM
EXAMPLE

I have no idea where 'EXAMPLE' comes from, I have never set up any
smb.conf that contains 'workgroup = EXAMPLE' on the Unix domain member.

> 
> I use, for example (for Debian), the following.
> I use this as follows. 
>  
>     ## map ids outside the NT domain to tdb files.
>     idmap config *: backend = tdb
>     idmap config *: range = 2000-2999
> 
>     ## map ids from the domain and (*) the range may not overlap !
>     idmap config NTDOM : backend = ad
>     idmap config NTDOM : schema_mode = rfc2307
>     idmap config NTDOM : range = 10000-3999999
> 
> And I think, but I never use it, that you can match the hostname also. 
> Like,     
>     idmap config HOSTNAME : backend = tdb
>     idmap config HOSTNAME : range = 3000-9999
> ! But I can't confirm whether the "HOSTNAME" part is 100% correct. 

It probably would work, but I have never tried it.

> 
> Id 0-1999      (local Linux users)
>    0-999       for system users (*this can differ on another OS. )
> 2000-2999      BUILTIN\......   ( example is BUILTIN\administrators)
> 3000-9999      HOSTNAME\ ? 
> 10000-99999    NTDOM\users  I start here at 10.000 because the samba
> backend AD starts also at 10.000.
> 
> Now "NTDOM\Domain Admins" is member of : BUILTIN\administrators
> And "NTDOM\Domain users" is member of : BUILTIN\users
> 
> SePrivileges should be set on : BUILTIN\administrators, and not, as
> most examples show, on "domain admins". And because of this you should
> always set : winbind expand groups = 2. But I prefer winbind expand
> groups = 4. Backtrace, for example, everything backup related and see
> which groups are used and which SePrivileges you should set.

Never tried this, but you are quite correct, you should NEVER give
'Domain Admins' a gidNumber. I do it another way, I create a group
'Unix Admins', give this group a gidNumber and add this to 'Domain
Admins'

Rowland

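A small checker for the idmap layout discussed in this thread, added here as an example (it is not code from the thread or from Samba). It parses a constructed smb.conf fragment and reports overlapping `idmap config` ranges, a missing backend or missing `*` default range, and any range that reaches into the local system-user ids (assumed to be 0-999, which differs per OS).

```python
import re
from itertools import combinations

# Constructed smb.conf fragment laid out like the thread's example (not any real host's config).
SMB_CONF = """[global]
    workgroup = NTDOM
    ## map ids outside the NT domain to tdb files
    idmap config * : backend = tdb
    idmap config * : range = 2000-2999
    ## map ids from the domain; the ranges may not overlap
    idmap config NTDOM : backend = ad
    idmap config NTDOM : schema_mode = rfc2307
    idmap config NTDOM : range = 10000-3999999
    idmap config HOSTNAME : backend = tdb
    idmap config HOSTNAME : range = 3000-9999
"""

IDMAP_RE = re.compile(r"^\s*idmap\s+config\s+(\S+)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.I)

def parse_idmap(conf):
    """Return {domain: {option: value}} for every 'idmap config' line."""
    domains = {}
    for line in conf.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            dom, opt, val = m.group(1), m.group(2).lower(), m.group(3)
            domains.setdefault(dom, {})[opt] = val
    return domains

def check_idmap(conf, system_max=999):
    """List problems: missing backend/range, overlapping ranges, ranges in system-id space."""
    problems, ranges = [], {}
    for dom, opts in parse_idmap(conf).items():
        if "backend" not in opts:
            problems.append(f"{dom}: no backend")
        m = re.fullmatch(r"(\d+)\s*-\s*(\d+)", opts.get("range", ""))
        if not m:
            problems.append(f"{dom}: missing or malformed range")
            continue
        lo, hi = int(m.group(1)), int(m.group(2))
        if lo <= system_max:
            problems.append(f"{dom}: range {lo}-{hi} collides with system ids 0-{system_max}")
        ranges[dom] = (lo, hi)
    if "*" not in ranges:
        problems.append("no default 'idmap config *' range")
    # Two inclusive ranges overlap when each starts at or before the other ends.
    for (a, (alo, ahi)), (b, (blo, bhi)) in combinations(sorted(ranges.items()), 2):
        if alo <= bhi and blo <= ahi:
            problems.append(f"{a} {alo}-{ahi} overlaps {b} {blo}-{bhi}")
    return problems
```

Run `check_idmap(open("/etc/samba/smb.conf").read())` on a real member server to get the same report for its configuration.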