[Samba] Upgrade 4.8 to 4.9 with Backend-Change to lmdb?

Rowland Penny rpenny at samba.org
Thu Sep 27 08:31:26 UTC 2018


On Thu, 27 Sep 2018 09:34:26 +0200
"L.P.H. van Belle via samba-technical"
<samba-technical at lists.samba.org> wrote:

> Hi Dennis, 
> 
> > 
> > I've done extensive stress testing on the DC (compiled version, not 
> > packaged one) and I confirm that it works very well.
> 
> Yes, I also have results here and reports from others that the DC and
> members work great (it all works great). Only for me it's not
> production-ready due to the resolving Guest bug.
> 
> > 
> > [1] 
> > https://dev.tranquil.it/wiki/SAMBA_-_Installation_d%27un_nouveau_serveur_de_fichiers_Samba4#Configuration_smb.conf
> 
> >(Rowland) 
> >Your wiki page needs updating, all supported Samba versions now use a
> >slightly different 'ad' setup and I wish I knew who thought it was
> >good idea to recommend putting the '*' domain above the 'DOMAIN'
> >domain.
> 
> Good point, one to note in a config to never do that, but can you
> explain more? If * is above the DOMAIN, I don't see anything wrong
> with that.

There is nothing intrinsically wrong with putting the '*' domain above
the 'DOMAIN' domain. The problem lies if/when you have a large domain.

If we look at Denis's 'rid' lines:

   idmap config *:backend = tdb
   idmap config *:range = 700001-800000
   idmap config MONDOMAINE:backend  = rid
   idmap config MONDOMAINE:range  = 10000-700000

Now remember LMDB: this is required so that there can be very large
domains, but, with the lines above, the domain is limited to '690000'
users.
You might think this is a large number, but what happens if you do
reach user '700001'? The answer is, you cannot have a 'MONDOMAINE' user
with the ID '700001' with the lines above.

If you read the documentation, the '*' is for the 'Well Known SIDs' and
anything outside any named domains, in the above case, the 'MONDOMAINE'
domain. There are fewer than 200 'Well Known SIDs', so why would you
need '99999' IDs for the '*' domain?

So my suggestion is, put the '*' domain below any 'DOMAIN' domains and
allow for local Unix users (just in case something goes wrong), hence
why it shows this on the Samba wiki:

idmap config * : backend = tdb
idmap config * : range = 3000-7999
idmap config SAMDOM : backend = rid
idmap config SAMDOM : range = 10000-999999

Rowland
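An added example (not part of Rowland's post and not Samba code) that makes the range arithmetic above concrete. It parses the two idmap fragments quoted in the thread, applies the idmap_rid(8) rule (unix id = RID + low range id, with ids above the high range id refused), and flags a '*' range that sits numerically above a named domain's range. The parser and the check function are assumptions of this example, not tools Samba ships; the two config strings are copied from the post.

```python
"""Check smb.conf idmap ranges and show what the 'rid' backend does with a
RID that falls outside the configured range (added example, not Samba code).
"""
import re
from typing import Dict, List, Optional, Tuple

Range = Tuple[int, int]

# Constructed samples: the first is the 'rid' fragment quoted in the post,
# the second the Samba wiki layout Rowland recommends.
DENIS_CONF = """
   idmap config *:backend = tdb
   idmap config *:range = 700001-800000
   idmap config MONDOMAINE:backend  = rid
   idmap config MONDOMAINE:range  = 10000-700000
"""
WIKI_CONF = """
idmap config * : backend = tdb
idmap config * : range = 3000-7999
idmap config SAMDOM : backend = rid
idmap config SAMDOM : range = 10000-999999
"""

# Accepts both "idmap config *:range" and "idmap config * : range" spellings.
_IDMAP = re.compile(
    r"^\s*idmap\s+config\s+(?P<dom>\S+?)\s*:\s*(?P<key>backend|range)\s*=\s*(?P<val>\S.*?)\s*$",
    re.IGNORECASE,
)


def parse_idmap(conf: str) -> Dict[str, dict]:
    """Collect backend and inclusive (low, high) range per idmap domain."""
    domains: Dict[str, dict] = {}
    for line in conf.splitlines():
        m = _IDMAP.match(line)
        if not m:
            continue
        entry = domains.setdefault(m["dom"], {})
        if m["key"].lower() == "backend":
            entry["backend"] = m["val"].lower()
        else:
            low, high = (int(x) for x in m["val"].split("-", 1))
            if low > high:
                raise ValueError(f"bad range for {m['dom']}: {m['val']}")
            entry["range"] = (low, high)
    return domains


def capacity(rng: Range) -> int:
    """Number of ids in an inclusive range."""
    low, high = rng
    return high - low + 1


def rid_to_id(domains: Dict[str, dict], dom: str, rid: int) -> Optional[int]:
    """idmap_rid rule: id = low + RID; None means winbind cannot map it."""
    entry = domains[dom]
    if entry.get("backend") != "rid":
        raise ValueError(f"{dom} does not use the rid backend")
    low, high = entry["range"]
    candidate = low + rid
    return candidate if candidate <= high else None


def check_ranges(domains: Dict[str, dict]) -> List[str]:
    """Report overlapping ranges and a '*' range placed above a named domain."""
    findings: List[str] = []
    names = sorted(domains)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            (al, ah), (bl, bh) = domains[a]["range"], domains[b]["range"]
            if al <= bh and bl <= ah:
                findings.append(f"ranges of {a} and {b} overlap")
    star = domains.get("*")
    if star:
        sl, sh = star["range"]
        for name in names:
            if name == "*":
                continue
            dl, dh = domains[name]["range"]
            if sl > dh:
                # Highest RID the domain can hold is dh - dl; growing the
                # domain range upward would collide with the '*' range.
                findings.append(
                    f"'*' range {sl}-{sh} sits above {name}: {name} cannot "
                    f"grow past RID {dh - dl} without moving it"
                )
    return findings


if __name__ == "__main__":
    for label, conf in (("post", DENIS_CONF), ("wiki", WIKI_CONF)):
        doms = parse_idmap(conf)
        dom = next(d for d in doms if d != "*")
        print(label, dom, "capacity", capacity(doms[dom]["range"]),
              "RID 690001 ->", rid_to_id(doms, dom, 690001))
        for finding in check_ranges(doms):
            print("  warning:", finding)
```

Running it shows the point of the post: under the first layout RID 690000 maps to id 700000 but RID 690001 has nowhere to go, while under the wiki layout the same RID maps to 700001 and nothing is in the way of the SAMDOM range growing.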
