[Samba] Man page for idmap_rid
obnox at samba.org
Tue Aug 9 17:48:10 UTC 2016
On 2016-08-09 at 11:58 -0300, francis picabia via samba wrote:
> On Tue, Aug 9, 2016 at 10:21 AM, Rowland Penny <rpenny at samba.org> wrote:
> > On Tue, 9 Aug 2016 09:37:13 -0300
> > francis picabia <fpicabia at gmail.com> wrote:
> > > Thanks for the detailed response.
> > >
> > > It is very extensive for my purposes, but it still feels over
> > > analytical for what we need. I believe the Unix UID doesn't exceed
> > > 65534. If this is a constant, why don't we just produce an example
> > > for that? Out of the box, this is what many users will want to use.
> > >
> > > I don't understand when we want values to never overlap and when
> > > we want them to be in a matching range.
> > >
> > > I would think this setting would work for everyone not using NIS or
> > > LDAP in nsswitch:
> > >
> > > idmap config *:backend = tdb
> > > idmap config *:range = 100001-110000
> > > idmap config MYDOM : backend = rid
> > > idmap config MYDOM : range = 65535-100000
> > The only problem with that is, what happens if you do manage to get to
> > user '100001' in 'MYDOM' ?
> > This would probably be better:
> > idmap config *:backend = tdb
> > idmap config *:range = 65535-100000
> > idmap config MYDOM : backend = rid
> > idmap config MYDOM : range = 100001-110000
> > This way, if you ever get to 'MYDOM' user '110001', you can just extend
> > the range in smb.conf.
> > However, a better way would be to find out who set nobody/nogroup to
> > '65534' (there was probably a logical reason at the time it was set)
> > and get it changed to '499' or whatever. Anybody know who to contact ?
> I'm entertaining all your suggestions of workarounds and values.
> I've changed nobody to UID and GID 499 in /etc/passwd and /etc/groups
> It had no conflicts with another user. However nobody doesn't exist in AD.
Why are you so keen on starting a range directly above the
smallest used id number from the files?
The main thing is not to overlap.
It is OK to have gaps! :-)
Also, afaik, nothing prevents you from adding
a user of uid 1000000 into your passwd file.
There is just *no* recipe that fits everyone.
Hence the general instructions in the manpage...
I personally like to give winbind high up ranges
starting in the 100s of 1000s or even in the millions.
> Now testparm reports:
> # testparm /etc/samba/smb.conf
> Load smb config files from /etc/samba/smb.conf
> Processing section "[homes]"
> Loaded services file OK.
> Server role: ROLE_DOMAIN_MEMBER
> Press enter to see a dump of your service definitions
> # Global parameters
> workgroup = MYDOM
> realm = AD.MYDOM.CA
> server string = Debian2 Server
> security = ADS
> log file = /var/log/samba/%m.log
> max log size = 50
> unix extensions = No
> load printers = No
> printcap name = /dev/null
> disable spoolss = Yes
> dns proxy = No
> winbind use default domain = Yes
Recommendation: avoid this by all means if possible.
It typically only creates problems by introducing
> idmap config mydom : range = 100001-110000
> idmap config mydom : backend = rid
> idmap config *:range = 65535-100000
> idmap config * : backend = tbd
Typo in the config? tdb <--> tbd ?
Cheers - Michael
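
The two checks raised in this message (ID ranges must not overlap, and the backend name must be a real one) can be run mechanically over the `idmap config` lines. This is an added example, not part of the original message or of Samba; `parse_idmap`, `check_idmap` and the `KNOWN_BACKENDS` list are assumptions made for the illustration, and the sample input is constructed from the testparm dump quoted above.

```python
import re
from itertools import combinations

# idmap_* modules shipped with Samba; treat this list as an assumption to adjust.
KNOWN_BACKENDS = {"tdb", "tdb2", "ldap", "rid", "hash", "autorid", "ad",
                  "nss", "rfc2307", "script"}
IDMAP_RE = re.compile(
    r"^\s*idmap config\s+(.+?)\s*:\s*(backend|range)\s*=\s*(\S+)\s*$", re.I)

# Constructed input: the idmap lines from the testparm dump in the thread.
THREAD_CONF = """
idmap config mydom : range = 100001-110000
idmap config mydom : backend = rid
idmap config *:range = 65535-100000
idmap config * : backend = tbd
"""

def parse_idmap(conf_text):
    """Return {DOMAIN: {"backend": str, "range": (low, high)}}."""
    domains = {}
    for line in conf_text.splitlines():
        m = IDMAP_RE.match(line)
        if not m:
            continue
        dom, key, val = m.group(1).upper(), m.group(2).lower(), m.group(3)
        if key == "range":
            low, high = val.split("-")
            val = (int(low), int(high))
        else:
            val = val.lower()
        domains.setdefault(dom, {})[key] = val
    return domains

def check_idmap(conf_text, local_ids=()):
    """List findings: unknown backends, overlapping ranges, local ID collisions."""
    domains = parse_idmap(conf_text)
    findings = []
    for dom, cfg in sorted(domains.items()):
        if cfg.get("backend") not in KNOWN_BACKENDS:
            findings.append(f"{dom}: unknown backend {cfg.get('backend')!r}")
    ranged = sorted((d, c["range"]) for d, c in domains.items() if "range" in c)
    for (d1, r1), (d2, r2) in combinations(ranged, 2):
        if r1[0] <= r2[1] and r2[0] <= r1[1]:
            findings.append(f"{d1} {r1[0]}-{r1[1]} overlaps {d2} {r2[0]}-{r2[1]}")
    for uid in local_ids:  # e.g. UIDs/GIDs read from /etc/passwd and /etc/group
        for dom, (low, high) in ranged:
            if low <= uid <= high:
                findings.append(f"local id {uid} falls in {dom} range {low}-{high}")
    return findings

if __name__ == "__main__":
    print(check_idmap(THREAD_CONF, local_ids=[499, 65534]))
```

On the configuration from the thread this reports only the `tbd` backend; the ranges themselves do not overlap, and the local IDs 499 and 65534 fall outside both.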