[Samba] [samba] idmap question
Rowland Penny
rpenny at samba.org
Thu Aug 10 10:51:59 UTC 2017
On Thu, 10 Aug 2017 12:19:36 +0200
"L.P.H. van Belle via samba" <samba at lists.samba.org> wrote:
> Hai Mathias,
>
> Type: wbinfo --all-domains
>
> You should see 3 domainnames.
>
> BUILTIN => idmap config *
> HOSTNAME => ? Dont know where this one maps to.
> NTDOM => idmap config NTDOM
On a Unix domain member, I get 4
BUILTIN
HOSTNAME
NTDOM
EXAMPLE
I have no idea where 'EXAMPLE' comes from, I have never set up any
smb.conf that contains 'workgroup = EXAMPLE' on the Unix domain member.
>
> I use for example ( for debian ) the following.
> I use this as followed.
>
> ## map id's outside to NT domain to tdb files.
> idmap config *: backend = tdb
> idmap config *: range = 2000-2999
>
> ## map ids from the domain and (*) the range may not overlap !
> idmap config NTDOM : backend = ad
> idmap config NTDOM : schema_mode = rfc2307
> idmap config NTDOM : range = 10000-3999999
>
> And i think, but i never use that you can match the hostname also.
> Like,
> idmap config HOSTNAME : backend = tdb
> idmap config HOSTNAME : range = 3000-9999
> ! But I cant confirm about the "HOSTNAME" part if thats 100% correct.
It probably would work, but I have never tried it.
>
> Id 0-1999 (local linux users) 0-999 for system users (*this can
> differ on an other os. ) 2000-2999 BUILDIN\...... ( example
> is BUILDIN\administrators) 3000-9999 HOSTNAME\ ?
> 10000-99999 NTDOM\users i start here at 10.000 because samba
> backend AD starts also at 10.000.
>
> Now "NTDOM\Domain Admins" is member of : BUILDIN\administrators
> And "NTDOM\Domain users" is member of : BUILDIN\users
>
> SePrivileges should be set on : BUILDIN\administrators, and not as
> most examples show "domain admins" And because of this you should
> always set : winbind expand groups = 2 But I preffer winbind expand
> groups = 4 Backtrace for example very thing backup related and see
> which groups are used and with SePrivileges you should set.
Never tried this, but you are quite correct, you should NEVER give
'Domain Admins' a gidNumber. I do it another way, I create a group
'Unix Admins', give this group a gidNumber and add this to 'Domain
Admins'
Rowland
More information about the samba
mailing list