[Samba] Man page for idmap_rid

Rowland Penny rpenny at samba.org
Tue Aug 9 13:21:32 UTC 2016


On Tue, 9 Aug 2016 09:37:13 -0300
francis picabia <fpicabia at gmail.com> wrote:

> Thanks for the detailed response.
> 
> It is very extensive for my purposes, but it still feels over-analytical
> for what we need.  I believe the Unix UID doesn't exceed
> 65534. If this is a constant, why don't we just produce an example
> for that? Out of the box, this is what many users will want to use.
> 
> I don't understand when we want values to never overlap and when
> we want them to be in a matching range.
> 
> I would think this setting would work for everyone not using NIS or
> LDAP in nsswitch:
> 
>    idmap config *:backend = tdb
>    idmap config *:range = 100001-110000
>    idmap config MYDOM : backend = rid
>    idmap config MYDOM : range = 65535-100000

The only problem with that is, what happens if you do manage to get to
user '100001' in 'MYDOM'?

This would probably be better:

   idmap config *:backend = tdb
   idmap config *:range = 65535-100000
   idmap config MYDOM : backend = rid
   idmap config MYDOM : range = 100001-110000

This way, if you ever get to 'MYDOM' user '110001', you can just extend
the range in smb.conf.

However, a better way would be to find out who set nobody/nogroup to
'65534' (there was probably a logical reason at the time it was set)
and get it changed to '499' or whatever. Anybody know who to contact?

> 
> I've set that and restarted nmbd, smbd and winbind services
> 
> When I do a wbinfo look up on my user with a UID of 1000, it has this:
> 
> theusername:*:16777216:16777220:The
> Username:/home/MYDOM/theusername:/bin/false

Those numbers look suspiciously like what I used to get out of sssd;
are you also running this?

> 
> Is this set up well or do I want the upper range to overlap with
> 16777216?

You cannot have ranges that overlap. If you had something like this:

   idmap config *:backend = tdb
   idmap config *:range = 2000-10000
   idmap config MYDOM : backend = rid
   idmap config MYDOM : range = 9000-11000

Now, there are two users with the RIDs 9999 and 2999; the first is a
member of the '*' domain and the second is a member of the 'MYDOM' domain.

As the algorithm to calculate the Unix ID is this:

 ID = RID + LOW_RANGE_ID

We get two calculations:

 9999 + 2000 = ID

 2999 + 9000 = ID

ID in both cases will be '11999', so how is Unix to know which user is
which?

Rowland
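The range-overlap problem discussed in this thread is easy to check mechanically before restarting winbind. The following is an added example, not code from Samba or from either poster: it parses the `idmap config` lines of an smb.conf fragment, reports any pair of domains whose ID ranges intersect, and computes the Unix ID a given RID would map to under idmap_rid. It assumes the formula from the idmap_rid man page, ID = RID - BASE_RID + LOW_RANGE_ID, where BASE_RID defaults to 0 and so reduces to the RID + LOW_RANGE_ID form quoted above; a mapping that would land outside the domain's range is reported as unmappable. The two smb.conf fragments are constructed from the ranges in the messages above.

```python
import re
from itertools import combinations

# Constructed smb.conf fragment: the overlapping layout from the thread above.
SMB_CONF_OVERLAPPING = """
[global]
   idmap config *:backend = tdb
   idmap config *:range = 2000-10000
   idmap config MYDOM : backend = rid
   idmap config MYDOM : range = 9000-11000
"""

# Constructed smb.conf fragment: the non-overlapping layout suggested in the reply.
SMB_CONF_OK = """
[global]
   idmap config *:backend = tdb
   idmap config *:range = 65535-100000
   idmap config MYDOM : backend = rid
   idmap config MYDOM : range = 100001-110000
"""

# Matches "idmap config <domain> : <option> = <value>", tolerating the
# optional whitespace around the colon seen in both fragments.
IDMAP_RE = re.compile(
    r"^\s*idmap\s+config\s+([^:\s]+)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.IGNORECASE
)


def parse_idmap_config(text):
    """Return {domain: {option: value}} for every 'idmap config' line."""
    domains = {}
    for line in text.splitlines():
        m = IDMAP_RE.match(line)
        if not m:
            continue
        dom, opt, val = m.group(1), m.group(2).lower(), m.group(3)
        domains.setdefault(dom, {})[opt] = val
    return domains


def parse_range(value):
    """Turn 'LOW-HIGH' into (low, high) ints, rejecting inverted ranges."""
    low, high = (int(part) for part in value.split("-"))
    if low > high:
        raise ValueError(f"bad idmap range {value!r}")
    return low, high


def domain_ranges(text):
    """Map each domain that declares a range to its (low, high) tuple."""
    return {
        dom: parse_range(opts["range"])
        for dom, opts in parse_idmap_config(text).items()
        if "range" in opts
    }


def overlapping_ranges(text):
    """Return (domain_a, domain_b) pairs whose ID ranges intersect."""
    ranges = domain_ranges(text)
    bad = []
    for (a, (alo, ahi)), (b, (blo, bhi)) in combinations(sorted(ranges.items()), 2):
        # Two closed intervals intersect when each starts before the other ends.
        if alo <= bhi and blo <= ahi:
            bad.append((a, b))
    return bad


def rid_to_unix_id(rid, low, high, base_rid=0):
    """idmap_rid mapping: ID = RID - BASE_RID + LOW_RANGE_ID (assumed from the
    man page; base_rid=0 gives the RID + LOW_RANGE_ID form quoted in the thread).
    Returns None when the result falls outside [low, high], i.e. unmappable."""
    unix_id = rid - base_rid + low
    if unix_id < low or unix_id > high:
        return None
    return unix_id


if __name__ == "__main__":
    for name, conf in (("overlapping", SMB_CONF_OVERLAPPING), ("ok", SMB_CONF_OK)):
        print(name, "->", overlapping_ranges(conf) or "no overlap")
    low, high = domain_ranges(SMB_CONF_OK)["MYDOM"]
    print("RID 500 in MYDOM ->", rid_to_unix_id(500, low, high))
    print("RID 20000 in MYDOM ->", rid_to_unix_id(20000, low, high))
```

Run it against your own smb.conf text to confirm every domain's range is disjoint from the `*` range before extending a range the way the reply suggests; a RID that maps past the high end simply gets no Unix ID rather than spilling into a neighbouring domain's range.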
