[Samba] Man page for idmap_rid
Rowland Penny
rpenny at samba.org
Tue Aug 9 13:21:32 UTC 2016
On Tue, 9 Aug 2016 09:37:13 -0300
francis picabia <fpicabia at gmail.com> wrote:
> Thanks for the detailed response.
>
> It is very extensive for my purposes, but it still feels over
> analytical for what we need. I believe the Unix UID doesn't exceed
> 65534. If this is a constant, why don't we just produce an example
> for that? Out of the box, this is what many users will want to use.
>
> I don't understand when we want values to never overlap and when
> we want them to be in a matching range.
>
> I would think this setting would work for everyone not using NIS or
> LDAP in nsswitch:
>
> idmap config *:backend = tdb
> idmap config *:range = 100001-110000
> idmap config MYDOM : backend = rid
> idmap config MYDOM : range = 65535-100000

The only problem with that is, what happens if you do manage to get to
user '100001' in 'MYDOM'?

This would probably be better:

idmap config *:backend = tdb
idmap config *:range = 65535-100000
idmap config MYDOM : backend = rid
idmap config MYDOM : range = 100001-110000

This way, if you ever get to 'MYDOM' user '110001', you can just extend
the range in smb.conf.

However, a better way would be to find out who set nobody/nogroup to
'65534' (there was probably a logical reason at the time it was set)
and get it changed to '499' or whatever. Anybody know who to contact?

>
> I've set that and restarted nmbd, smbd and winbind services
>
> When I do a wbinfo look up on my user with a UID of 1000, it has this:
>
> theusername:*:16777216:16777220:The
> Username:/home/MYDOM/theusername:/bin/false

Those numbers look suspiciously like what I used to get out of sssd,
are you also running this?

>
> Is this set up well or do I want the upper range to overlap with
> 16777216?

You cannot have ranges that overlap, if you had something like this:

idmap config *:backend = tdb
idmap config *:range = 2000-10000
idmap config MYDOM : backend = rid
idmap config MYDOM : range = 9000-11000

Now, there are two users with the RIDs 9999 and 2999, the first is a
member of the '*' domain and the second is a member of 'MYDOM' domain.

As the algorithm to calculate the Unix ID is this:

ID = RID + LOW_RANGE_ID

We get two calculations:

9999 + 2000 = ID
2999 + 9000 = ID

ID in both cases will be '11999' so how is Unix to know which user is
which?

Rowland
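
An added example, not part of the original message and not Samba's own code: a small Python check that reads the "idmap config" lines from smb.conf text and reports any ID ranges that share values, run here on the suggested and the overlapping configuration from the message above. The function names parse_idmap and find_overlaps are illustrative.

```python
import re
from itertools import combinations

# "idmap config DOMAIN : option = value", spaces around ':' and '=' optional
LINE = re.compile(r"^\s*idmap\s+config\s+(\S+?)\s*:\s*(\S+?)\s*=\s*(.+?)\s*$", re.I)

def parse_idmap(conf_text):
    """Return {domain: {"backend": str, "range": (low, high)}}."""
    domains = {}
    for line in conf_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # comments and unrelated smb.conf parameters
        domain, option, value = m.group(1), m.group(2).lower(), m.group(3)
        entry = domains.setdefault(domain, {})
        if option == "range":
            low, high = (int(part) for part in value.split("-"))
            if low > high:
                raise ValueError(f"{domain}: range {value} is reversed")
            entry["range"] = (low, high)
        elif option == "backend":
            entry["backend"] = value
    return domains

def find_overlaps(domains):
    """Return [(dom_a, dom_b, (low, high))] for each pair of ranges sharing IDs."""
    ranged = sorted((d, e["range"]) for d, e in domains.items() if "range" in e)
    hits = []
    for (a, (alo, ahi)), (b, (blo, bhi)) in combinations(ranged, 2):
        low, high = max(alo, blo), min(ahi, bhi)
        if low <= high:
            hits.append((a, b, (low, high)))
    return hits

# Configurations copied from the message above
SUGGESTED = """
idmap config *:backend = tdb
idmap config *:range = 65535-100000
idmap config MYDOM : backend = rid
idmap config MYDOM : range = 100001-110000
"""
OVERLAPPING = """
idmap config *:backend = tdb
idmap config *:range = 2000-10000
idmap config MYDOM : backend = rid
idmap config MYDOM : range = 9000-11000
"""

if __name__ == "__main__":
    for name, text in (("suggested", SUGGESTED), ("overlapping", OVERLAPPING)):
        print(name, find_overlaps(parse_idmap(text)) or "no overlap")
```
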