[Samba] idmap_ad overlap with domain and sub-domain overlap

Wvu Hpc wvu.hpc at gmail.com
Wed Apr 18 14:02:53 UTC 2018 

Hello,

We are in process of providing access to a AD connected master domain and
one its subdomains to one of our SAMBA 4.6.2 file-share servers.  The samba
server is a member of the MASTER domain.  The problem is we have cases
where the same person has an account in both the master domain and the sub
domain (long story and we know it is not a good practice but something I am
powerless to change).  The person (see example below for further clarity)
has the same unix attributes set in both the domain and sub-domain.  When
you run testparm it complains of having the range overlap but the config
seems to be working OK.  Is there any reason we should not go forward with
this config or should we push back and make the users in the subdomain have
the different uid and gid numbers from the master domain?  The benefit of
having the same uid and gid is we don't have to worry about changing file
ownership if a user moves between domains.

Example:

MASTER\user : uidNumber = 10000 : gidNumber = 10000
SUB\user : uidNumber = 10000 : gidNumber = 10000

SMB Config:

# Global parameters
[global]
        realm = MASTER.TEST.COM
        server string = Samba Server
        workgroup = MASTER
        log file = /var/log/samba/log.%I
        disable spoolss = Yes
        load printers = No
        printcap name = /dev/null
        client min protocol = SMB2_02
        server min protocol = SMB2_02
        unix extensions = No
        kerberos method = secrets and keytab
        security = ADS
        server signing = if_required
        template homedir = /home/%U
        template shell = /bin/bash
        winbind offline logon = Yes
        winbind refresh tickets = Yes
        winbind separator = +
        winbind use default domain = Yes
        idmap config MASTER:schema_mode = rfc2307
        idmap config MASTER:range = 9000-5000000000
        idmap config MASTER:default = yes
        idmap config MASTER:backend = ad
        idmap config SUB:schema_mode = rfc2307
        idmap config SUB:range = 9000-5000000000
        idmap config SUB:backend = ad
        idmap config * : backend = tdb
        idmap config *:range = 3000-8999

Thanks in advance!

Nate

More information about the samba mailing list