[Samba] Man page for idmap_rid

Michael Adam obnox at samba.org
Tue Aug 9 17:48:10 UTC 2016


On 2016-08-09 at 11:58 -0300, francis picabia via samba wrote:
> On Tue, Aug 9, 2016 at 10:21 AM, Rowland Penny <rpenny at samba.org> wrote:
> 
> > On Tue, 9 Aug 2016 09:37:13 -0300
> > francis picabia <fpicabia at gmail.com> wrote:
> >
> > > Thanks for the detailed response.
> > >
> > > It is very extensive for my purposes, but it still feels over
> > > analytical for what we need.  I believe the Unix UID doesn't exceed
> > > 65534. If this is a constant, why don't we just produce an example
> > > for that? Out of the box, this is what many users will want to use.
> > >
> > > I don't understand when we want values to never overlap and when
> > > we want them to be in a matching range.
> > >
> > > I would think this setting would work for everyone not using NIS or
> > > LDAP in nsswitch:
> > >
> > >    idmap config *:backend = tdb
> > >    idmap config *:range = 100001-110000
> > >    idmap config MYDOM : backend = rid
> > >    idmap config MYDOM : range = 65535-100000
> >
> > The only problem with that is, what happens if you do manage to get to
> > user '100001' in 'MYDOM' ?
> >
> > This would probably be better:
> >    idmap config *:backend = tdb
> >    idmap config *:range = 65535-100000
> >    idmap config MYDOM : backend = rid
> >    idmap config MYDOM : range = 100001-110000
> >
> > This way, if you ever get to 'MYDOM' user '110001', you can just extend
> > the range in smb.conf.
> >
> > However, a better way would be to find out who set nobody/nogroup to
> > '65534' (there was probably a logical reason at the time it was set)
> > and get it changed to '499' or whatever. Anybody know who to contact ?
> >
> 
> I'm entertaining all your suggestions of workarounds and values.
> 
> I've changed nobody to UID and GID 499 in /etc/passwd and /etc/groups.
> It had no conflicts with another user.  However, nobody doesn't exist in AD.

Why are you so keen on starting a range directly above the
smallest used id number from the files?

The main thing is not to overlap.
It is OK to have gaps! :-)

Also, afaik, nothing prevents you from adding
a user of uid 1000000 into your passwd file.
There is just *no* recipe that fits everyone.
Hence the general instructions in the manpage...

I personally like to give winbind high up ranges
starting in the 100s of 1000s or even in the millions.

> Now testparm reports:
> 
> # testparm /etc/samba/smb.conf
> Load smb config files from /etc/samba/smb.conf
> Processing section "[homes]"
> Loaded services file OK.
> Server role: ROLE_DOMAIN_MEMBER
> 
> Press enter to see a dump of your service definitions
> 
> # Global parameters
> [global]
>         workgroup = MYDOM
>         realm = AD.MYDOM.CA
>         server string = Debian2 Server
>         security = ADS
>         log file = /var/log/samba/%m.log
>         max log size = 50
>         unix extensions = No
>         load printers = No
>         printcap name = /dev/null
>         disable spoolss = Yes
>         dns proxy = No
>         winbind use default domain = Yes

Recommendation: avoid this by all means if possible.
It typically only creates problems by introducing
ambiguity.

>         idmap config mydom : range = 100001-110000
>         idmap config mydom : backend = rid
>         idmap config *:range = 65535-100000
>         idmap config * : backend = tbd

Typo in the config? tdb <--> tbd ?

Cheers - Michael
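The two points raised in this thread (idmap ranges must never overlap each other or locally assigned ids, and a backend typo such as "tbd" silently breaks the default mapping) can be checked mechanically before restarting winbind. The script below is an added example, not code from the thread or from the Samba project: it parses the "idmap config" lines out of smb.conf text, validates each range, reports pairwise overlaps, flags backend names outside a list of common backends (the list is an assumption for illustration, not the authoritative set), and checks that no uid/gid from a passwd-style file falls inside a winbind range. The smb.conf and passwd snippets embedded below are constructed for the example; the config mirrors the one quoted above, including the "tbd" typo, and the passwd snippet has a deliberately high local uid to show why gaps are harmless but overlaps are not.

```python
import re
from typing import Dict, Iterable, List, Tuple

# Backend names commonly accepted by "idmap config <domain> : backend".
# Assumption for this example: illustrative, not the complete list for any
# particular Samba version.
KNOWN_BACKENDS = {"tdb", "tdb2", "rid", "ad", "autorid", "hash", "ldap", "nss", "rfc2307", "script"}

# Matches "idmap config <domain> : <option> = <value>", tolerating the
# spacing variants seen in the thread ("*:range" and "* : backend").
IDMAP_RE = re.compile(
    r"^\s*idmap\s+config\s+(?P<domain>[^\s:]+)\s*:\s*(?P<option>\w+)\s*=\s*(?P<value>.+?)\s*$",
    re.IGNORECASE,
)


def parse_idmap_config(smb_conf: str) -> Dict[str, Dict[str, str]]:
    """Collect idmap config options per domain (domain names lower-cased)."""
    domains: Dict[str, Dict[str, str]] = {}
    for line in smb_conf.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            dom = m.group("domain").lower()
            domains.setdefault(dom, {})[m.group("option").lower()] = m.group("value")
    return domains


def parse_range(value: str) -> Tuple[int, int]:
    """Parse 'low-high' into integers; reject malformed or inverted ranges."""
    m = re.fullmatch(r"\s*(\d+)\s*-\s*(\d+)\s*", value)
    if not m:
        raise ValueError(f"malformed idmap range: {value!r}")
    low, high = int(m.group(1)), int(m.group(2))
    if low > high:
        raise ValueError(f"idmap range low > high: {value!r}")
    return low, high


def passwd_ids(passwd_text: str) -> List[int]:
    """Return every uid and gid found in passwd-format text."""
    ids: List[int] = []
    for line in passwd_text.splitlines():
        parts = line.split(":")
        if len(parts) >= 4 and parts[2].isdigit() and parts[3].isdigit():
            ids.extend((int(parts[2]), int(parts[3])))
    return ids


def check_idmap(smb_conf: str, local_ids: Iterable[int] = ()) -> List[str]:
    """Return a list of human-readable problems; an empty list means the
    idmap layout is internally consistent and clear of the local ids."""
    problems: List[str] = []
    ranges: List[Tuple[str, int, int]] = []
    for dom, opts in sorted(parse_idmap_config(smb_conf).items()):
        backend = opts.get("backend")
        if backend is None:
            problems.append(f"{dom}: no backend configured")
        elif backend.lower() not in KNOWN_BACKENDS:
            problems.append(f"{dom}: unknown backend {backend!r} (typo?)")
        if "range" not in opts:
            problems.append(f"{dom}: no range configured")
            continue
        try:
            low, high = parse_range(opts["range"])
        except ValueError as exc:
            problems.append(f"{dom}: {exc}")
            continue
        ranges.append((dom, low, high))
    # Two closed intervals overlap when each starts no later than the other ends.
    for i in range(len(ranges)):
        for j in range(i + 1, len(ranges)):
            d1, l1, h1 = ranges[i]
            d2, l2, h2 = ranges[j]
            if l1 <= h2 and l2 <= h1:
                problems.append(f"ranges overlap: {d1} {l1}-{h1} and {d2} {l2}-{h2}")
    # Gaps between local ids and winbind ranges are fine; overlap is not.
    for uid in sorted(set(local_ids)):
        for dom, low, high in ranges:
            if low <= uid <= high:
                problems.append(f"local id {uid} falls inside {dom} range {low}-{high}")
    return problems


# Constructed sample config, mirroring the one quoted in the thread.
SAMPLE_SMB_CONF = """[global]
        workgroup = MYDOM
        winbind use default domain = Yes
        idmap config mydom : range = 100001-110000
        idmap config mydom : backend = rid
        idmap config *:range = 65535-100000
        idmap config * : backend = tbd
"""

# Constructed passwd snippet: nobody at 65534 sits just below the "*" range
# (a gap, harmless); "bigid" at 100500 collides with the MYDOM range.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
bigid:x:100500:100500:constructed local user:/home/bigid:/bin/sh
"""

if __name__ == "__main__":
    for problem in check_idmap(SAMPLE_SMB_CONF, passwd_ids(SAMPLE_PASSWD)):
        print("PROBLEM:", problem)
```

Run it against real files by reading /etc/samba/smb.conf and /etc/passwd (and /etc/group) into the two arguments; the overlap test is on closed intervals, so adjacent ranges such as 65535-100000 and 100001-110000 pass, while 65535-100000 and 100000-110000 are reported.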