[Samba] Man page for idmap_rid

francis picabia fpicabia at gmail.com
Tue Aug 9 14:58:42 UTC 2016


On Tue, Aug 9, 2016 at 10:21 AM, Rowland Penny <rpenny at samba.org> wrote:

> On Tue, 9 Aug 2016 09:37:13 -0300
> francis picabia <fpicabia at gmail.com> wrote:
>
> > Thanks for the detailed response.
> >
> > It is very extensive for my purposes, but it still feels over
> > analytical for what we need.  I believe the Unix UID doesn't exceed
> > 65534. If this is a constant, why don't we just produce an example
> > for that? Out of the box, this is what many users will want to use.
> >
> > I don't understand when we want values to never overlap and when
> > we want them to be in a matching range.
> >
> > I would think this setting would work for everyone not using NIS or
> > LDAP in nsswitch:
> >
> >    idmap config *:backend = tdb
> >    idmap config *:range = 100001-110000
> >    idmap config MYDOM : backend = rid
> >    idmap config MYDOM : range = 65535-100000
>
> The only problem with that is, what happens if you do manage to get to
> user '100001' in 'MYDOM' ?
>
> This would probably be better:
>    idmap config *:backend = tdb
>    idmap config *:range = 65535-100000
>    idmap config MYDOM : backend = rid
>    idmap config MYDOM : range = 100001-110000
>
> This way, if you ever get to 'MYDOM' user '110001', you can just extend
> the range in smb.conf.
>
> However, a better way would be to find out who set nobody/nogroup to
> '65534' (there was probably a logical reason at the time it was set)
> and get it changed to '499' or whatever. Anybody know who to contact ?
>

I'm entertaining all your suggestions of workarounds and values.

I've changed nobody to UID and GID 499 in /etc/passwd and /etc/groups.
It had no conflicts with another user.  However, nobody doesn't exist in AD.

Now testparm reports:

# testparm /etc/samba/smb.conf
Load smb config files from /etc/samba/smb.conf
Processing section "[homes]"
Loaded services file OK.
Server role: ROLE_DOMAIN_MEMBER

Press enter to see a dump of your service definitions

# Global parameters
[global]
        workgroup = MYDOM
        realm = AD.MYDOM.CA
        server string = Debian2 Server
        security = ADS
        log file = /var/log/samba/%m.log
        max log size = 50
        unix extensions = No
        load printers = No
        printcap name = /dev/null
        disable spoolss = Yes
        dns proxy = No
        winbind use default domain = Yes
        idmap config mydom : range = 100001-110000
        idmap config mydom : backend = rid
        idmap config *:range = 65535-100000
        idmap config * : backend = tbd
        nt acl support = No
        printing = bsd


[homes]
        comment = Home Directories
        path = %H
        read only = No
        create mask = 0700
        directory mask = 0700
        browseable = No
        wide links = Yes

Restarted smbd and winbind.

$ smbclient -L //debian2 -U username
Enter username's password:
session setup failed: NT_STATUS_UNSUCCESSFUL

Logfile for client's IP ends:

[2016/08/09 11:48:32.793696,  1]
../source3/auth/token_util.c:430(add_local_groups)
  SID S-1-5-21-82194667-1315141139-1877560073-12331 -> getpwuid(16777216) failed
[2016/08/09 11:48:32.793746,  3]
../source3/auth/token_util.c:316(create_local_nt_token_from_info3)
  Failed to finalize nt token

There don't seem to be any values which can dodge this bug.  Maybe there
were for a while, but in the meantime, security patches have changed things.



> >
> > I've set that and restarted nmbd, smbd and winbind services
> >
> > When I do a wbinfo look up on my user with a UID of 1000, it has this:
> >
> > theusername:*:16777216:16777220:The
> > Username:/home/MYDOM/theusername:/bin/false
>
> Those numbers look suspiciously like what I used to get out of sssd,
> are you also running this ?
>
>
There is no sssd.  No process, no package installed.
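As an added example, not part of this thread or of the Samba project, here is a small Python check for the `idmap config` lines discussed above. It parses the lines in the form testparm prints them, verifies that every domain (including the `*` default) has a known backend and a well-formed range, that no two ranges overlap (winbind resolves a uid back to a domain purely by range, so overlaps are ambiguous), and that no local account from a /etc/passwd-style file sits inside an idmap range (the nobody/65534 concern raised in the thread). `KNOWN_BACKENDS` is my own list of the backends documented in smb.conf(5) and is an assumption; the sample smb.conf excerpts and passwd lines are constructed, the first one reproducing the testparm output above with its `tbd` typo intact.

```python
"""Sanity-check 'idmap config' lines from smb.conf / testparm output."""
import re
from typing import Dict, List, Tuple

# Assumption: idmap backends listed in smb.conf(5); the thread's "tbd" is not one of them.
KNOWN_BACKENDS = {"tdb", "tdb2", "rid", "ad", "autorid", "ldap", "nss", "hash", "rfc2307", "script"}

# Accepts both "idmap config MYDOM : backend = rid" and "idmap config *:range = 65535-100000".
IDMAP_RE = re.compile(
    r"^\s*idmap\s+config\s+([^\s:]+)\s*:\s*(backend|range)\s*=\s*(\S.*?)\s*$",
    re.IGNORECASE,
)


def parse_idmap(smb_conf: str) -> Dict[str, Dict[str, str]]:
    """Return {DOMAIN: {"backend": ..., "range": ...}} for every idmap config line."""
    domains: Dict[str, Dict[str, str]] = {}
    for line in smb_conf.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            dom, key, value = m.group(1).upper(), m.group(2).lower(), m.group(3)
            domains.setdefault(dom, {})[key] = value
    return domains


def parse_range(value: str) -> Tuple[int, int]:
    """Turn 'LOW-HIGH' into a tuple of ints; raises ValueError on malformed input."""
    lo, hi = (int(x) for x in value.split("-", 1))
    return lo, hi


def local_uids(passwd: str) -> Dict[str, int]:
    """Map user name -> uid from /etc/passwd-style text."""
    uids: Dict[str, int] = {}
    for line in passwd.splitlines():
        fields = line.split(":")
        if len(fields) >= 3 and fields[2].isdigit():
            uids[fields[0]] = int(fields[2])
    return uids


def check_idmap(smb_conf: str, passwd: str = "") -> List[str]:
    """Return a list of human-readable problems; an empty list means the config passed."""
    problems: List[str] = []
    domains = parse_idmap(smb_conf)
    ranges: Dict[str, Tuple[int, int]] = {}
    if "*" not in domains:
        problems.append("no 'idmap config *' default domain defined")
    for dom, cfg in domains.items():
        backend = cfg.get("backend")
        if backend is None:
            problems.append(f"{dom}: no backend")
        elif backend.lower() not in KNOWN_BACKENDS:
            problems.append(f"{dom}: unknown backend '{backend}'")
        if "range" not in cfg:
            problems.append(f"{dom}: no range")
            continue
        try:
            lo, hi = parse_range(cfg["range"])
        except ValueError:
            problems.append(f"{dom}: malformed range '{cfg['range']}'")
            continue
        if lo > hi:
            problems.append(f"{dom}: range {lo}-{hi} is inverted")
            continue
        ranges[dom] = (lo, hi)
    # Ranges must be disjoint: a uid inside two ranges cannot be mapped back to one domain.
    doms = sorted(ranges)
    for i, a in enumerate(doms):
        for b in doms[i + 1:]:
            if ranges[a][0] <= ranges[b][1] and ranges[b][0] <= ranges[a][1]:
                problems.append(f"ranges of {a} and {b} overlap")
    # Local accounts inside an idmap range would share a uid with a mapped domain identity.
    for name, uid in local_uids(passwd).items():
        for dom, (lo, hi) in ranges.items():
            if lo <= uid <= hi:
                problems.append(f"local user {name} (uid {uid}) falls inside the {dom} range {lo}-{hi}")
    return problems


# Constructed sample reproducing the testparm excerpt from the message above, typo included.
THREAD_CONF = """
[global]
        idmap config mydom : range = 100001-110000
        idmap config mydom : backend = rid
        idmap config *:range = 65535-100000
        idmap config * : backend = tbd
"""
# Same layout with the backend name corrected.
FIXED_CONF = THREAD_CONF.replace("= tbd", "= tdb")
# Constructed: default range widened until it swallows the nobody uid and touches MYDOM's range.
BAD_CONF = """
        idmap config * : backend = tdb
        idmap config * : range = 65000-100001
        idmap config MYDOM : backend = rid
        idmap config MYDOM : range = 100001-110000
"""
# Constructed /etc/passwd excerpt.
PASSWD = "root:x:0:0:root:/root:/bin/bash\nnobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin\n"

if __name__ == "__main__":
    for label, conf in (("thread", THREAD_CONF), ("fixed", FIXED_CONF), ("bad", BAD_CONF)):
        print(label, check_idmap(conf, PASSWD) or "OK")
```

Run against the thread's own testparm output the only finding is the unknown backend `tbd`; the corrected config passes, and the deliberately bad one reports both the overlap and the local `nobody` account inside the default range. In practice feed it `testparm -s` output and the real /etc/passwd.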