[Samba] FW: [Bug 11241] different ids even when idmap.ldb copied. not abug..

Andrey Repin anrdaemon at yandex.ru
Thu Apr 30 17:41:41 MDT 2015

Greetings, Bjoern Jacke!

> On 2015-04-30 at 11:35 +0200 L.P.H. van Belle sent off:
>> I can totally agree with that, having multiple users with the same id isn't what we want,
>> but samba needs at some point root rights, for creating folders/files.
>> Now we have a "chicken and the egg problem" which one comes first?

> I don't see much reason why DOMAIN\administrator should need root rights
> by uid 0 on a member server.

This is not about administrator or a member server.
This is about conflicts between idmap and sam.
If you provision a domain anew, it may not be apparent, but if you do an
upgrade, you get conflicts from the start, because provision assigns some UIDs
in the 30'000 range into idmap.ldb, and then imports old users with the same
30'000 range UIDs into SAM.

Why does a separate idmap even exist in the first place? To ask for trouble?
What prevents always provisioning with RFC 2307?

> If you really need any kind of extra privileges on
> a member server then there is net sam rights for that. The "admin users"
> parameter is another hackish option. There is no chicken egg problem.

Or, you know, just add domain admins as a sudo group.

With best regards,
Andrey Repin
Friday, May 1, 2015 02:26:27

Sorry for my terrible English...
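
Added example, not part of the original message or of Samba's own code: a check for the idmap.ldb versus SAM conflict described in the message, reporting every UID that two different SIDs claim. It assumes the two databases were dumped to ldbsearch-style text and that mappings use the `objectSid`, `type` and `xidNumber` attributes in idmap.ldb and `uidNumber` in the SAM; the function names, SIDs and IDs are constructed for illustration.

```python
from collections import defaultdict

# Constructed ldbsearch-style records; the SIDs and IDs are made up.
IDMAP_LDIF = """\
objectSid: S-1-5-21-1111-2222-3333-1104
type: ID_TYPE_UID
xidNumber: 30001

objectSid: S-1-5-21-1111-2222-3333-513
type: ID_TYPE_GID
xidNumber: 30002

objectSid: S-1-5-21-1111-2222-3333-500
type: ID_TYPE_BOTH
xidNumber: 30003
"""
SAM_LDIF = """\
objectSid: S-1-5-21-1111-2222-3333-1201
uidNumber: 30001

objectSid: S-1-5-21-1111-2222-3333-1202
uidNumber: 30002

objectSid: S-1-5-21-1111-2222-3333-500
uidNumber: 30003
"""

def parse_records(text):
    """Split blank-line-separated records into attribute dicts."""
    records = []
    for block in text.strip().split("\n\n"):
        pairs = (line.partition(": ") for line in block.splitlines())
        records.append({k: v for k, sep, v in pairs if sep})
    return records

def find_uid_conflicts(idmap_text, sam_text):
    """Return {uid: [(source, sid), ...]} for UIDs claimed by more than one SID."""
    owners = defaultdict(set)
    for rec in parse_records(idmap_text):
        # ID_TYPE_BOTH mappings act as a UID too; pure GID mappings do not.
        if rec.get("type") in ("ID_TYPE_UID", "ID_TYPE_BOTH"):
            owners[int(rec["xidNumber"])].add(("idmap", rec["objectSid"]))
    for rec in parse_records(sam_text):
        if "uidNumber" in rec:
            owners[int(rec["uidNumber"])].add(("sam", rec["objectSid"]))
    return {u: sorted(e) for u, e in owners.items() if len({s for _, s in e}) > 1}

if __name__ == "__main__":
    print(find_uid_conflicts(IDMAP_LDIF, SAM_LDIF))
```

In the sample, only UID 30001 is reported: 30002 is a GID mapping in idmap.ldb, and 30003 is held by the same SID in both databases.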
