[PATCH] Check idmap config with testparm

Rowland Penny repenny241155 at gmail.com
Thu Dec 8 09:01:03 UTC 2016


On Thu, 8 Dec 2016 09:48:25 +0100
Volker Lendecke <vl at samba.org> wrote:

> On Thu, Dec 08, 2016 at 07:58:40AM +0000, Rowland Penny wrote:
> > Hi Volker, Could you explain for the idiots amongst us (i.e. me),
> > just how this is supposed to work?
> 
> The AD backend just reads the SFU attributes in Active Directory.
> This is completely controlled by the administrator of the domains. I
> have several customers with a global unix id allocation policy but
> where the unix ids are spread across multiple domains in a more or
> less random fashion. Globally unix ids are guaranteed to be unique,
> but you can't tell from a range assignment which domain they belong
> to. What winbind with overlapping ranges now does is just try all of
> the domains until a mapping is found. There is no guarantee of a
> particular order in which domains are tried, we depend on the AD
> administration to guarantee uniqueness. This is for unixid2sid,
> sid2unixid is simple, there we can just find the domain from the sid.
> 
> Volker

Hmm, it sounds like you can have the same uidNumber in different
domains, is this correct? And if so, can we get the
msSFU30Max*idNumber attributes working with samba-tool now??

Rowland
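
The lookup behaviour described in the quoted reply, as an added example that is not part of the original thread and is not Samba's code: a simplified model of "try all domains until a mapping is found", plus an audit that lists unix ids whose answer depends on the order in which domains are tried. The domain names, SIDs, ids and function names are constructed for illustration.

```python
from collections import defaultdict
from itertools import permutations

# Constructed sample data: uidNumber -> SID per domain, as an export of the
# SFU attributes might look. DOMA and DOMB both assign 10007 (a policy breach).
SID_A = "S-1-5-21-1111111111-1111111111-1111111111-1105"
SID_B = "S-1-5-21-2222222222-2222222222-2222222222-1110"
DOMAINS = {
    "DOMA": {10001: "S-1-5-21-1111111111-1111111111-1111111111-1104", 10007: SID_A},
    "DOMB": {10002: "S-1-5-21-2222222222-2222222222-2222222222-1104", 10007: SID_B},
    "DOMC": {10003: "S-1-5-21-3333333333-3333333333-3333333333-1104"},
}

def unixid2sid(uid, domains, order):
    """Model of the lookup: try each domain in `order`, first hit wins."""
    for name in order:
        sid = domains[name].get(uid)
        if sid is not None:
            return sid
    return None  # unmapped in every domain

def find_collisions(domains):
    """Return {uid: [(domain, sid), ...]} for ids assigned in more than one domain."""
    seen = defaultdict(list)
    for name, mapping in domains.items():
        for uid, sid in mapping.items():
            seen[uid].append((name, sid))
    return {uid: sorted(hits) for uid, hits in seen.items() if len(hits) > 1}

def order_dependent_ids(domains):
    """Ids whose unixid2sid result changes with the order domains are tried in."""
    all_ids = sorted({uid for mapping in domains.values() for uid in mapping})
    result = {}
    for uid in all_ids:
        answers = {unixid2sid(uid, domains, order) for order in permutations(domains)}
        if len(answers) > 1:
            result[uid] = sorted(answers)
    return result

if __name__ == "__main__":
    for uid, hits in find_collisions(DOMAINS).items():
        print(f"uid {uid} is assigned in several domains: {hits}")
    for uid, sids in order_dependent_ids(DOMAINS).items():
        print(f"uid {uid} can resolve to any of: {sids}")
```

With unique ids every try-order gives the same SID; with a duplicate, the owner a file's uid resolves to depends on which domain happens to be asked first.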


