[Samba] idmap configuration after initial deployment needed?
Rowland Penny
rowlandpenny at googlemail.com
Wed Oct 15 09:51:01 MDT 2014
On 15/10/14 16:24, James wrote:
> Hello,
>
> Using Ubuntu 12.04 with Samba 4.1.11. I'm currently redirecting
> windows folders to a Samba DC. This DC is not the one that was
> deployed first. Based on discussions from another thread I copied the
> idmap.ldb from the initial DC to the others that are deployed. I
> noticed upon doing so the file permissions on the shares were broken.
> As in existing users were unable to see their documents or make
> modifications to them. I deleted them from the ACL list and reapplied
> their appropriate permissions. This corrected that issue.
>
> I also noticed that an issue I had with applying GPOs to users at
> remote sites was now working again after making this change. With all
> that being said, I was under the impression that I only needed to add
> idmap configurations to my smb.conf if I was using a member server to
> handle shares from linux/unix users or workstations. I appear to be
> wrong? Thanks for any assistance.
>
The problem starts with what Microsoft calls 'Well-known security
identifiers'. These are mapped on the DC to xidNumbers. Now, wherever
you go in AD, on a Windows machine 'S-1-5-32-544' is the Administrators
group, but as I said, on the DC this is mapped to an xidNumber; the only
problem is that you do not seem to get the same xidNumber on every
samba4 DC, and this is why idmap.ldb needs to be copied from the first DC.
There was some talk about mapping these SIDs to a set group of numbers,
but that is as far as it got, the problem being just what numbers to map
them to or how to map them so that samba admins could choose the
starting base.
Rowland
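The check an admin would want before copying idmap.ldb around, as an added example that is not part of the original post or of Samba itself: compare the SID to xidNumber mappings of each DC and report the well-known SIDs (BUILTIN groups such as S-1-5-32-544, S-1-5-11 and the like) whose xidNumber differs between DCs. It assumes each DC's mappings have been dumped to LDIF with something like `ldbsearch -H /var/lib/samba/private/idmap.ldb '(objectSid=*)' objectSid xidNumber`; the two LDIF dumps below are constructed sample data, and the domain SID in them is a placeholder. Running this before and after the copy shows why the pre-copy ACLs broke: the same file-system IDs meant different groups on different DCs.

```python
"""Compare idmap.ldb SID -> xidNumber mappings across Samba DCs.

Added example (not the Samba project's code). The LDIF records below are
constructed to look like ldbsearch output over idmap.ldb; the domain SID
S-1-5-21-1111111111-2222222222-3333333333 is a placeholder.
"""
import re
from typing import Dict, Optional

_SID_RE = re.compile(r"^objectSid:\s*(S-1-\S+)$", re.M)
_XID_RE = re.compile(r"^xidNumber:\s*(\d+)$", re.M)

# Constructed dump from the first-deployed DC.
DC1_LDIF = """\
# record 1
dn: CN=S-1-5-32-544
objectSid: S-1-5-32-544
type: ID_TYPE_BOTH
xidNumber: 3000000

# record 2
dn: CN=S-1-5-32-545
objectSid: S-1-5-32-545
type: ID_TYPE_BOTH
xidNumber: 3000001

# record 3
dn: CN=S-1-5-21-1111111111-2222222222-3333333333-1106
objectSid: S-1-5-21-1111111111-2222222222-3333333333-1106
type: ID_TYPE_BOTH
xidNumber: 3000002
"""

# Constructed dump from a second DC whose idmap.ldb was generated
# independently: the same two well-known SIDs got the numbers swapped.
DC2_LDIF = """\
# record 1
dn: CN=S-1-5-32-545
objectSid: S-1-5-32-545
type: ID_TYPE_BOTH
xidNumber: 3000000

# record 2
dn: CN=S-1-5-32-544
objectSid: S-1-5-32-544
type: ID_TYPE_BOTH
xidNumber: 3000001
"""


def parse_idmap_ldif(text: str) -> Dict[str, int]:
    """Return {sid: xidNumber} from an LDIF dump of idmap.ldb.

    Records are separated by blank lines; a record that lacks either
    attribute (for example the base or @-records) is skipped.
    """
    mapping: Dict[str, int] = {}
    for record in re.split(r"\n\s*\n", text.strip()):
        sid = _SID_RE.search(record)
        xid = _XID_RE.search(record)
        if sid and xid:
            mapping[sid.group(1)] = int(xid.group(1))
    return mapping


def is_well_known(sid: str) -> bool:
    """True for SIDs that are the same in every domain: BUILTIN (S-1-5-32-N),
    the universal S-1-5-N identities (e.g. S-1-5-11 Authenticated Users) and
    the S-1-1/2/3-N family. Domain SIDs (S-1-5-21-...-RID) return False."""
    return bool(re.match(r"^S-1-(1|2|3|5-32)-\d+$|^S-1-5-\d+$", sid))


def find_mismatches(per_dc: Dict[str, Dict[str, int]],
                    only_well_known: bool = True
                    ) -> Dict[str, Dict[str, Optional[int]]]:
    """Return {sid: {dc: xidNumber-or-None}} for every SID whose xidNumber
    is not identical on all DCs. None means that DC has no mapping yet,
    which is also a mismatch: the next allocation there may collide."""
    sids = set().union(*per_dc.values())
    result: Dict[str, Dict[str, Optional[int]]] = {}
    for sid in sorted(sids):
        if only_well_known and not is_well_known(sid):
            continue
        row = {dc: mapping.get(sid) for dc, mapping in per_dc.items()}
        if len(set(row.values())) > 1:
            result[sid] = row
    return result


def main() -> None:
    per_dc = {"dc1": parse_idmap_ldif(DC1_LDIF), "dc2": parse_idmap_ldif(DC2_LDIF)}
    for sid, row in find_mismatches(per_dc).items():
        print(sid, " ".join(f"{dc}={xid}" for dc, xid in row.items()))


if __name__ == "__main__":
    main()
```

With the constructed data the report lists S-1-5-32-544 and S-1-5-32-545 with their swapped numbers; a clean result (no lines) is what you expect after idmap.ldb has been copied from the first DC to the others. Pass `only_well_known=False` to include domain users and groups as well, which matters once files owned by them have been created on more than one DC.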