[Samba] New AD user not appearing in getent

Rowland Penny rpenny at samba.org
Fri Mar 8 14:25:18 UTC 2024


On Fri, 8 Mar 2024 15:01:08 +0100
Luciano Mannucci via samba <samba at lists.samba.org> wrote:

> On Fri, 8 Mar 2024 12:56:28 +0000
> Rowland Penny via samba <samba at lists.samba.org> wrote:
> 
> > If it doesn't, then it might have something to do with this line
> > from your smb4.conf:
> > 
> > idmap config MCS2003 : range = 800-8004
> Yes!
> That was it!
> As a workaround I've changed range setting it to 800-9999 and it
> works!
> 
> I'll review the smb.conf after upgrading to samba 4.19 from my
> distro (freebsd 13.2).

There is a large Enterprise Linux distro (which shall remain
nameless) that appears to recommend setting the default domain range
above the main DOMAIN range. This, to me, is stupid. Why? I hear you
ask.

The default domain is really only meant for the Well Known SIDs (there
are fewer than 200 of those) and anything outside the main DOMAIN, so 0
really.

If you are using Samba as a Unix domain member, then virtually all AD
users and groups will be mapped as Unix users and groups, so you only
need a few local Unix users just in case something goes wrong and you
need to log on as a local user. The local user IDs all start at
1000.
Microsoft used to start their Unix IDs at 10000, so you can fit the
default range in between the 'local Unix users' and the 'mapped from AD
Unix users'. If you wanted to be absolutely sure that no local Unix
user ID collides with a mapped Unix user, then you could start the
main DOMAIN low range at 70000.

Rowland
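The following is an added example and is not part of the thread or of Samba itself. It parses the `idmap config` lines out of an smb.conf fragment and checks for the three problems discussed above: a domain range that starts below the local Unix IDs (1000), idmap ranges that overlap each other, and a range too small for a given RID to land in. The RID-to-uid arithmetic assumes the idmap_rid backend (uid = low end of range + RID), which the thread does not state; the smb.conf fragments, the default-domain range and the RID value 8000 are constructed for illustration.

```python
"""Audit Samba idmap ranges from an smb.conf fragment (added example, not from the thread)."""
import re
from typing import Dict, List, Optional, Tuple

# Constructed smb.conf fragments. ORIGINAL_CONF carries the range from the
# thread (800-8004) next to a constructed default-domain range; REVISED_CONF
# follows the advice above: default range between the local users (1000) and
# the AD-mapped users, main DOMAIN range starting at 70000.
ORIGINAL_CONF = """
[global]
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999
   idmap config MCS2003 : backend = rid
   idmap config MCS2003 : range = 800-8004
"""

REVISED_CONF = """
[global]
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999
   idmap config MCS2003 : backend = rid
   idmap config MCS2003 : range = 70000-999999
"""

IDMAP_RE = re.compile(
    r"^\s*idmap config\s+(?P<dom>\S+)\s*:\s*(?P<key>\w+)\s*=\s*(?P<val>.+?)\s*$",
    re.IGNORECASE,
)

Range = Tuple[int, int]


def parse_idmap(conf: str) -> Dict[str, dict]:
    """Return {domain: {"backend": str, "range": (low, high)}} from smb.conf text."""
    result: Dict[str, dict] = {}
    for line in conf.splitlines():
        m = IDMAP_RE.match(line)
        if not m:
            continue
        entry = result.setdefault(m["dom"], {})
        key, val = m["key"].lower(), m["val"]
        if key == "range":
            low, high = (int(x) for x in val.split("-"))
            entry["range"] = (low, high)
        else:
            entry[key] = val
    return result


def overlapping_ranges(idmap: Dict[str, dict]) -> List[Tuple[str, str]]:
    """Pairs of idmap domains whose ranges intersect; Samba requires them to be disjoint."""
    doms = [d for d in idmap if "range" in idmap[d]]
    pairs = []
    for i, a in enumerate(doms):
        for b in doms[i + 1:]:
            (al, ah), (bl, bh) = idmap[a]["range"], idmap[b]["range"]
            if al <= bh and bl <= ah:
                pairs.append((a, b))
    return pairs


def rid_to_uid(rng: Range, rid: int, base_rid: int = 0) -> Optional[int]:
    """idmap_rid mapping (assumption: rid backend): uid = low + (rid - base_rid).

    Returns None when the result falls outside the configured range, which is
    exactly the case where the user does not show up in getent.
    """
    low, high = rng
    uid = low + (rid - base_rid)
    return uid if low <= uid <= high else None


def audit(conf: str, rid: int, local_floor: int = 1000) -> List[str]:
    """Human-readable findings for one smb.conf fragment and one sample RID."""
    idmap = parse_idmap(conf)
    findings = []
    for dom, entry in idmap.items():
        low, high = entry["range"]
        if low < local_floor:
            findings.append(f"{dom}: range starts at {low}, below local Unix IDs (>= {local_floor})")
        if dom != "*" and entry.get("backend", "").lower() == "rid":
            if rid_to_uid((low, high), rid) is None:
                findings.append(f"{dom}: RID {rid} maps outside {low}-{high}; getent will not show it")
    for a, b in overlapping_ranges(idmap):
        findings.append(f"ranges for {a} and {b} overlap")
    return findings


if __name__ == "__main__":
    for name, conf in (("original", ORIGINAL_CONF), ("revised", REVISED_CONF)):
        print(f"{name}: {audit(conf, rid=8000) or ['no findings']}")
```

Run as a script it prints the findings for both fragments; with the original range a constructed RID of 8000 would map to uid 8800, past the top of 800-8004, which is the symptom the thread describes, while the revised layout maps it to 78000 and reports nothing.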