[Samba] Samba 3.0.28a onwards "allow trusted domains" has no effect?

Hari Sekhon hpsekhon at googlemail.com
Wed Sep 10 14:56:48 GMT 2008


Volker Lendecke wrote:
> On Wed, Sep 10, 2008 at 12:44:43PM +0000, simo wrote:
>   
>> and optionally (to avoid a 1000 ids hole at the start of each range):
>> idmap config PRIMARYDOMAIN:base_rid = 1000
>> idmap config OTHERDOMAIN:base_rid = 1000
>>     
>
> I'd strongly recommend not to use base_rid=1000, because in
> many configurations "Domain Users" is the default primary
> group ID of users. As the well-known RID of "domain users"
> is 513, this prevents all these users from logging in, as
> winbind will not be able to map the primary group's RID
> anymore.
>
> Volker
>   
Thanks for the pointer, I didn't use that setting as I think it's nicer 
to have a very clear mapping like your uid is your sid plus ten 
thousand. Simple to keep in mind.

-h

-- 
Hari Sekhon
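
The failure discussed in this thread can be checked ahead of time. The sketch below is an added example, not part of the original messages and not Samba code: it models the mapping formula documented for idmap_rid (ID = RID - BASE_RID + LOW_RANGE_ID) and lists the well-known RIDs that a given base_rid leaves unmappable. The 10000-19999 range and the audited RID table are assumptions chosen for illustration.

```python
# Added example: a model of the idmap_rid formula, not Samba source code.
# Assumed for illustration: the 10000-19999 range and the RID table below.

WELL_KNOWN_RIDS = {
    500: "Administrator",
    501: "Guest",
    512: "Domain Admins",
    513: "Domain Users",
    514: "Domain Guests",
    515: "Domain Computers",
}


def rid_to_id(rid, low, high, base_rid=0):
    """Map a RID to a Unix ID; None when the result leaves [low, high]."""
    unix_id = rid - base_rid + low
    return unix_id if low <= unix_id <= high else None


def id_to_rid(unix_id, low, high, base_rid=0):
    """Reverse mapping; None when the Unix ID is outside the range."""
    if not low <= unix_id <= high:
        return None
    return unix_id + base_rid - low


def unmappable_well_known(low, high, base_rid=0):
    """Well-known RIDs that cannot be mapped with this configuration."""
    return sorted(
        rid for rid in WELL_KNOWN_RIDS
        if rid_to_id(rid, low, high, base_rid) is None
    )


def audit(domain, low, high, base_rid):
    """Return one warning line per well-known RID the config cannot map."""
    return [
        f"{domain}: base_rid={base_rid} cannot map RID {rid} "
        f"({WELL_KNOWN_RIDS[rid]})"
        for rid in unmappable_well_known(low, high, base_rid)
    ]


if __name__ == "__main__":
    for base in (0, 1000):
        lines = audit("PRIMARYDOMAIN", 10000, 19999, base)
        print("\n".join(lines) or f"PRIMARYDOMAIN: base_rid={base} ok")
```

With base_rid left at 0, RID 513 maps to 10513 in the assumed range; with base_rid = 1000 it falls below the range and is reported.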


