[Samba] AD/RID backends and group mappings on member
Rowland Penny
rpenny at samba.org
Wed Mar 23 16:26:52 UTC 2022
On Wed, 2022-03-23 at 17:01 +0100, L.P.H. van Belle via samba wrote:
> Hai,
>
> I'm wondering, I'm testing a bit with backends AD and RID.
>
> This part of the smb.conf
>
> ## Map id's outside the ADDOM to tdb files.
> idmap config * : backend = tdb
> idmap config * : range = 2000-9999
>
> ## Backend AD
> ## map ids from the domain the range may not overlap !
> # idmap config ADDOM : backend = ad
> # idmap config ADDOM : schema_mode = rfc2307
> # idmap config ADDOM : range = 10000-3999999
> # idmap config ADDOM : unix_primary_group = yes
> # idmap config ADDOM : unix_nss_info = yes
>
> ## Backend RID
> ## map ids from the domain the range may not overlap !
> idmap config ADDOM : backend = rid
> idmap config ADDOM : range = 10000-3999999
> ## Template settings for login shell and home directory
> template shell = /bin/bash
> template homedir = /home/%U
>
> Before restart and after I change the backend, I run: net cache
> flush
>
> If I run my server in a RID backend setup and I check my group
> mappings.
> net groupmap list
> Guests (S-1-5-32-546) -> BUILTIN\guests
> Administrators (S-1-5-32-544) -> BUILTIN\administrators
> Users (S-1-5-32-545) -> 2001
>
> And again but with the AD backend enabled.
> net groupmap list
> Guests (S-1-5-32-546) -> BUILTIN\guests
> Administrators (S-1-5-32-544) -> 2000
> Users (S-1-5-32-545) -> BUILTIN\users
>
>
> Can someone explain why I see 2 different things here,
> shouldn't these BUILTIN not be the same?
>
> What am I missing here?

I have no idea what you are missing :-)

Using the winbind 'ad' idmap backend on one Unix domain member:

sudo net groupmap list
Guests (S-1-5-32-546) -> BUILTIN\guests
Administrators (S-1-5-32-544) -> BUILTIN\administrators
Users (S-1-5-32-545) -> BUILTIN\users

Using the winbind 'rid' idmap backend on another:

sudo net groupmap list
Guests (S-1-5-32-546) -> BUILTIN\guests
Administrators (S-1-5-32-544) -> BUILTIN\administrators
Users (S-1-5-32-545) -> BUILTIN\users

I do not get numbers at all.
Some form of cache problem?

Rowland
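
Added example, not part of either message above: a small Python check that compares 'net groupmap list' output from two members and reports which BUILTIN SIDs show a bare number and which configured idmap range that number falls in. The sample inputs are constructed from the listings and smb.conf lines quoted in the thread; the function names are hypothetical, and treating a bare number on the right-hand side as a gid without a resolvable group name is an assumption.

```python
import re

# Constructed samples: the two listings and the active idmap lines quoted in the thread.
RID_MEMBER = """\
Guests (S-1-5-32-546) -> BUILTIN\\guests
Administrators (S-1-5-32-544) -> BUILTIN\\administrators
Users (S-1-5-32-545) -> 2001
"""
AD_MEMBER = """\
Guests (S-1-5-32-546) -> BUILTIN\\guests
Administrators (S-1-5-32-544) -> 2000
Users (S-1-5-32-545) -> BUILTIN\\users
"""
SMB_CONF = """\
idmap config * : backend = tdb
idmap config * : range = 2000-9999
idmap config ADDOM : backend = rid
idmap config ADDOM : range = 10000-3999999
"""

LINE = re.compile(r"^(?P<name>.+?) \((?P<sid>S-[\d-]+)\) -> (?P<unix>.+)$")
RANGE = re.compile(r"^\s*idmap config (\S+)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)", re.M)

def parse_groupmap(text):
    """Return {sid: unix_side} from `net groupmap list` output."""
    out = {}
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            out[m["sid"]] = m["unix"].strip()
    return out

def idmap_ranges(conf):
    """Return {domain: (low, high)}; commented-out lines do not match."""
    return {d: (int(lo), int(hi)) for d, lo, hi in RANGE.findall(conf)}

def unresolved(mapping, ranges):
    """SIDs whose Unix side is a bare number, with the idmap domain holding it."""
    found = {}
    for sid, unix in mapping.items():
        if unix.isdigit():
            gid = int(unix)
            found[sid] = next((d for d, (lo, hi) in ranges.items() if lo <= gid <= hi), None)
    return found

def drift(a, b):
    """SIDs present on both members whose Unix side differs."""
    return {s: (a[s], b[s]) for s in a.keys() & b.keys() if a[s] != b[s]}
```

On the quoted listings this reports S-1-5-32-545 (2001) on the RID member and S-1-5-32-544 (2000) on the AD member, both inside the '*' tdb range 2000-9999 rather than the ADDOM range.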