[Samba] Man page for idmap_rid
fpicabia at gmail.com
Tue Aug 9 14:58:42 UTC 2016
On Tue, Aug 9, 2016 at 10:21 AM, Rowland Penny <rpenny at samba.org> wrote:
> On Tue, 9 Aug 2016 09:37:13 -0300
> francis picabia <fpicabia at gmail.com> wrote:
> > Thanks for the detailed response.
> > It is very extensive for my purposes, but it still feels over
> > analytical for what we need. I believe the Unix UID doesn't exceed
> > 65534. If this is a constant, why don't we just produce an example
> > for that? Out of the box, this is what many users will want to use.
> > I don't understand when we want values to never overlap and when
> > we want them to be in a matching range.
> > I would think this setting would work for everyone not using NIS or
> > LDAP in nsswitch:
> > idmap config *:backend = tdb
> > idmap config *:range = 100001-110000
> > idmap config MYDOM : backend = rid
> > idmap config MYDOM : range = 65535-100000
> The only problem with that is, what happens if you do manage to get to
> user '100001' in 'MYDOM' ?
> This would probably be better:
> idmap config *:backend = tdb
> idmap config *:range = 65535-100000
> idmap config MYDOM : backend = rid
> idmap config MYDOM : range = 100001-110000
> This way, if you ever get to 'MYDOM' user '110001', you can just extend
> the range in smb.conf.
> However, a better way would be to find out who set nobody/nogroup to
> '65534' (there was probably a logical reason at the time it was set)
> and get it changed to '499' or whatever. Anybody know who to contact ?
I'm entertaining all your suggestions of workarounds and values.
I've changed nobody to UID and GID 499 in /etc/passwd and /etc/groups
It had no conflicts with another user. However, nobody doesn't exist in AD.
Now testparm reports:
# testparm /etc/samba/smb.conf
Load smb config files from /etc/samba/smb.conf
Processing section "[homes]"
Loaded services file OK.
Server role: ROLE_DOMAIN_MEMBER
Press enter to see a dump of your service definitions
# Global parameters
[global]
	workgroup = MYDOM
	realm = AD.MYDOM.CA
	server string = Debian2 Server
	security = ADS
	log file = /var/log/samba/%m.log
	max log size = 50
	unix extensions = No
	load printers = No
	printcap name = /dev/null
	disable spoolss = Yes
	dns proxy = No
	winbind use default domain = Yes
	idmap config mydom : range = 100001-110000
	idmap config mydom : backend = rid
	idmap config *:range = 65535-100000
	idmap config * : backend = tbd
	nt acl support = No
	printing = bsd

[homes]
	comment = Home Directories
	path = %H
	read only = No
	create mask = 0700
	directory mask = 0700
	browseable = No
	wide links = Yes
Restarted smbd and winbind.
$ smbclient -L //debian2 -U username
Enter username's password:
session setup failed: NT_STATUS_UNSUCCESSFUL
Logfile for client's IP ends:
[2016/08/09 11:48:32.793696, 1]
SID S-1-5-21-82194667-1315141139-1877560073-12331 -> getpwuid(16777216)
[2016/08/09 11:48:32.793746, 3]
Failed to finalize nt token
There don't seem to be any values which can dodge this bug. Maybe there
for a while, but in the meantime, security patches have changed things.
> > I've set that and restarted nmbd, smbd and winbind services
> > When I do a wbinfo look up on my user with a UID of 1000, it has this:
> > theusername:*:16777216:16777220:The Username:/home/MYDOM/theusername:/bin/false
> Those numbers look suspiciously like what I used to get out of sssd,
> are you also running this ?
There is no sssd. No process, no package installed.
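The thread keeps circling the same questions: do the '*' and domain ranges overlap, is the domain range wide enough for the RIDs in use, and does a local account such as nobody (65534) fall inside a winbind range. The script below is an added example (not code from the post or from the Samba project) that checks those rules against a testparm dump. It implements the idmap_rid arithmetic from the man page (ID = RID - BASE_RID + LOW_RANGE_ID) and rejects backend names that are not one of the idmap_* modules winbind ships. The sample smb.conf lines are constructed to mirror the testparm output above, and the /etc/passwd excerpt is constructed with nobody at the Debian default of 65534; the RID 12331 fed to rid_to_id is the last component of the SID in the log line above.

```python
"""Sanity-check the winbind idmap ranges from a testparm dump.

Rules implemented (from the idmap_rid man page and the thread above):
every domain including '*' needs a backend and a range, ranges must not
overlap, the rid backend maps ID = RID - BASE_RID + LOW_RANGE_ID so the
range must be wide enough for the domain's RIDs, and no local account
should sit inside a winbind range.
"""
import re

# idmap backends shipped with winbind (idmap_* man pages); anything else is a typo.
KNOWN_BACKENDS = {"tdb", "tdb2", "rid", "ad", "autorid", "ldap",
                  "nss", "hash", "rfc2307", "script"}

IDMAP_RE = re.compile(
    r"^\s*idmap\s+config\s+([^\s:]+)\s*:\s*(\w+)\s*=\s*(.*?)\s*$", re.I)


def parse_idmap(conf_text):
    """Return {DOMAIN: {option: value}} from smb.conf or testparm output."""
    domains = {}
    for line in conf_text.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            dom, opt, val = m.group(1).upper(), m.group(2).lower(), m.group(3)
            domains.setdefault(dom, {})[opt] = val
    return domains


def parse_range(text):
    """'100001-110000' -> (100001, 110000); rejects inverted ranges."""
    low, high = (int(x) for x in text.split("-", 1))
    if low > high:
        raise ValueError(f"inverted range {text}")
    return low, high


def rid_to_id(rid, low, high, base_rid=0):
    """idmap_rid arithmetic: ID = RID - BASE_RID + LOW_RANGE_ID.
    Returns None when the result falls outside the configured range,
    i.e. when winbind has no ID to hand out for that SID."""
    uid = rid - base_rid + low
    return uid if low <= uid <= high else None


def local_ids(passwd_text):
    """{name: uid} from /etc/passwd-style lines."""
    ids = {}
    for line in passwd_text.splitlines():
        parts = line.split(":")
        if len(parts) >= 3 and parts[2].isdigit():
            ids[parts[0]] = int(parts[2])
    return ids


def check_idmap(conf_text, passwd_text):
    """Return a list of human-readable problems (empty list means clean)."""
    problems = []
    domains = parse_idmap(conf_text)
    if "*" not in domains:
        problems.append("no 'idmap config *' default domain configured")
    ranges = {}
    for dom, opts in sorted(domains.items()):
        backend = opts.get("backend", "").lower()
        if backend not in KNOWN_BACKENDS:
            problems.append(f"{dom}: unknown backend '{backend}'")
        if "range" not in opts:
            problems.append(f"{dom}: no range configured")
            continue
        ranges[dom] = parse_range(opts["range"])
    doms = sorted(ranges)
    for i, a in enumerate(doms):          # pairwise overlap check
        for b in doms[i + 1:]:
            lo = max(ranges[a][0], ranges[b][0])
            hi = min(ranges[a][1], ranges[b][1])
            if lo <= hi:
                problems.append(f"{a} and {b} ranges overlap on {lo}-{hi}")
    accounts = local_ids(passwd_text)     # local accounts inside a range
    for dom, (lo, hi) in ranges.items():
        for name, uid in accounts.items():
            if lo <= uid <= hi:
                problems.append(
                    f"{dom}: local account {name} (uid {uid}) lies inside {lo}-{hi}")
    return problems


# Constructed input mirroring the testparm dump in the post above.
SAMPLE_CONF = """\
        idmap config mydom : range = 100001-110000
        idmap config mydom : backend = rid
        idmap config *:range = 65535-100000
        idmap config * : backend = tbd
"""

# Constructed /etc/passwd excerpt: nobody at the Debian default 65534.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
"""

if __name__ == "__main__":
    for p in check_idmap(SAMPLE_CONF, SAMPLE_PASSWD):
        print("PROBLEM:", p)
    # RID 12331 (from the SID in the log above) against the MYDOM range:
    print("RID 12331 ->", rid_to_id(12331, 100001, 110000))
```

Run it with `testparm -s /etc/samba/smb.conf` piped into `SAMPLE_CONF` and the real `/etc/passwd` in place of the sample. Two things it makes visible on the constructed input: the backend name on the '*' line is not a module winbind knows, and a domain range of 100001-110000 only has room for RIDs up to 9999 under the rid backend, so a RID of 12331 cannot be mapped in it.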