[Samba] Man page for idmap_rid

francis picabia fpicabia at gmail.com
Tue Aug 9 18:05:34 UTC 2016


On Tue, Aug 9, 2016 at 2:48 PM, Michael Adam <obnox at samba.org> wrote:

> On 2016-08-09 at 11:58 -0300, francis picabia via samba wrote:
> > On Tue, Aug 9, 2016 at 10:21 AM, Rowland Penny <rpenny at samba.org> wrote:
> >
> > > On Tue, 9 Aug 2016 09:37:13 -0300
> > > francis picabia <fpicabia at gmail.com> wrote:
> > >
> > > > Thanks for the detailed response.
> > > >
> > > > It is very extensive for my purposes, but it still feels over
> > > > analytical for what we need.  I believe the Unix UID doesn't exceed
> > > > 65534. If this is a constant, why don't we just produce an example
> > > > for that? Out of the box, this is what many users will want to use.
> > > >
> > > > I don't understand when we want values to never overlap and when
> > > > we want them to be in a matching range.
> > > >
> > > > I would think this setting would work for everyone not using NIS or
> > > > LDAP in nsswitch:
> > > >
> > > >    idmap config *:backend = tdb
> > > >    idmap config *:range = 100001-110000
> > > >    idmap config MYDOM : backend = rid
> > > >    idmap config MYDOM : range = 65535-100000
> > >
> > > The only problem with that is, what happens if you do manage to get to
> > > user '100001' in 'MYDOM' ?
> > >
> > > This would probably be better:
> > >    idmap config *:backend = tdb
> > >    idmap config *:range = 65535-100000
> > >    idmap config MYDOM : backend = rid
> > >    idmap config MYDOM : range = 100001-110000
> > >
> > > This way, if you ever get to 'MYDOM' user '110001', you can just extend
> > > the range in smb.conf.
> > >
> > > However, a better way would be to find out who set nobody/nogroup to
> > > '65534' (there was probably a logical reason at the time it was set)
> > > and get it changed to '499' or whatever. Anybody know who to contact ?
> > >
> >
> > I'm entertaining all your suggestions of workarounds and values.
> >
> > I've changed nobody to UID and GID 499 in /etc/passwd and /etc/groups
> > It had no conflicts with another user.  However, nobody doesn't exist in
> > AD.
>
> Why are you so keen on starting a range directly above the
> smallest used id number from the files?
>

I'd like to see it documented in plain terms, not a formula where
few people know what "rid in sid" means.  It seems to me if
it were documented for the type security = ads case for
Linux, this would be a template to start with, and not
looking for magic values as many users have come to
rely on (see the Samba and Debian bug reports for people
who think the range beginning at 1000 was some magic solution).

Look, you get into your car, and do you look at an RPM value
and gear indicator, compute the tire size P215R16
and figure out the speed?  No, there is a calibrated instrument for it.

Well, what is sitting in front of us, a frigging computer!

Why can't samba/winbind look at nsswitch, determine there is
nothing like NIS and LDAP, lookup the UID values in /etc/passwd,
and make ranges on the fly?  The end user does not care
what their values are - they only want "Map Network Drive"
to work and get something done.  I suspect the computer
on Apollo missions could have achieved this range computation.


>
> The main thing is not to overlap.
> It is OK to have gaps! :-)
>
> Also, afaik, nothing prevents you from adding
> a user of uid 1000000 into your passwd file.
>


> There is just *no* recipe that fits everyone.
> Hence the general instructions in the manpage...
>
> I personally like to give winbind high up ranges
> starting in the 100s of 1000s or even in the millions.
>
> > Now testparm reports:
> >
> > # testparm /etc/samba/smb.conf
> > Load smb config files from /etc/samba/smb.conf
> > Processing section "[homes]"
> > Loaded services file OK.
> > Server role: ROLE_DOMAIN_MEMBER
> >
> > Press enter to see a dump of your service definitions
> >
> > # Global parameters
> > [global]
> >         workgroup = MYDOM
> >         realm = AD.MYDOM.CA
> >         server string = Debian2 Server
> >         security = ADS
> >         log file = /var/log/samba/%m.log
> >         max log size = 50
> >         unix extensions = No
> >         load printers = No
> >         printcap name = /dev/null
> >         disable spoolss = Yes
> >         dns proxy = No
> >         winbind use default domain = Yes
>
> Recommendation: avoid this by all means if possible.
> It typically only creates problems by introducing
> ambiguity.
>

Avoid the use of the * plus domain name?  I'd agree, but this
is how it is documented, so I'm trying to play along and
see if magic beans fall out of the sky and it works, like
it does for the other users who have found magic solutions.


> >         idmap config mydom : range = 100001-110000
> >         idmap config mydom : backend = rid
> >         idmap config *:range = 65535-100000
> >         idmap config * : backend = tbd
>
> Typo in the config? tdb <--> tbd ?
>

I've tried with only the rid backend and always the same behaviour.  It is
a documented bug.


>
> Cheers - Michael
>
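An added example, not part of this thread and not Samba's own code: a small Python checker that reads the "idmap config DOMAIN : range/backend" lines out of smb.conf and flags the three things the thread turns on, an unrecognised backend name (the "tbd" typo), ranges for different domains that overlap, and local passwd/group ids that fall inside a winbind range (the nobody = 65534 question). The smb.conf fragment and passwd lines are constructed for the demo, and the set of accepted backend names is an assumption rather than an exhaustive list.

```python
"""Sanity-check idmap ranges in smb.conf against each other and against
the numeric ids already present in local passwd/group-format files."""
import re
from typing import Dict, List, Tuple

# One 'idmap config DOMAIN : key = value' line; the domain may be '*'.
IDMAP_RE = re.compile(
    r"^\s*idmap\s+config\s+(?P<dom>[^:\s]+)\s*:\s*(?P<key>range|backend)\s*=\s*(?P<val>.+?)\s*$",
    re.IGNORECASE,
)

# Backend names this checker accepts. Assumption: a non-exhaustive set of
# the idmap_* backends shipped with Samba; extend it for your build.
KNOWN_BACKENDS = {"tdb", "rid", "ad", "autorid", "ldap", "nss"}

# Constructed smb.conf fragment modelled on the testparm output in the
# thread, including its 'tbd' typo so the checker has something to flag.
SAMPLE_SMB_CONF = """\
[global]
        workgroup = MYDOM
        security = ADS
        idmap config mydom : range = 100001-110000
        idmap config mydom : backend = rid
        idmap config *:range = 65535-100000
        idmap config * : backend = tbd
"""

# Constructed passwd-format lines (not the poster's real /etc/passwd).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
fpicabia:x:1000:1000::/home/fpicabia:/bin/bash
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
"""


def parse_idmap_config(text: str) -> Dict[str, Dict[str, object]]:
    """Return {DOMAIN: {'range': (lo, hi) or None, 'backend': name}}.
    Domain names are upper-cased because smb.conf matches them
    case-insensitively ('mydom' and 'MYDOM' are the same domain)."""
    cfg: Dict[str, Dict[str, object]] = {}
    for line in text.splitlines():
        m = IDMAP_RE.match(line)
        if not m:
            continue
        entry = cfg.setdefault(m.group("dom").upper(), {})
        val = m.group("val")
        if m.group("key").lower() == "range":
            lo, _, hi = val.partition("-")
            try:
                entry["range"] = (int(lo), int(hi))
            except ValueError:
                entry["range"] = None  # malformed; reported by check_idmap
        else:
            entry["backend"] = val.lower()
    return cfg


def local_ids(passwd_text: str) -> Dict[int, str]:
    """Map numeric id -> account name from passwd- or group-format text."""
    ids: Dict[int, str] = {}
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 3 and fields[2].isdigit():
            ids[int(fields[2])] = fields[0]
    return ids


def check_idmap(cfg: Dict[str, Dict[str, object]], local: Dict[int, str]) -> List[str]:
    """Return human-readable problems; an empty list means every range is
    well-formed, disjoint from the others and free of local ids."""
    problems: List[str] = []
    if "*" not in cfg:
        problems.append("no 'idmap config * : ...' default domain defined")
    ranges: List[Tuple[str, int, int]] = []
    for dom, entry in sorted(cfg.items()):
        backend = entry.get("backend")
        if backend is None:
            problems.append(f"{dom}: no backend set")
        elif backend not in KNOWN_BACKENDS:
            problems.append(f"{dom}: unknown backend '{backend}' (typo?)")
        rng = entry.get("range")
        if rng is None:
            problems.append(f"{dom}: missing or malformed range")
            continue
        lo, hi = rng
        if lo > hi:
            problems.append(f"{dom}: range {lo}-{hi} has its low end above its high end")
            continue
        for uid in sorted(local):
            if lo <= uid <= hi:
                problems.append(f"{dom}: local account '{local[uid]}' (id {uid}) lies inside range {lo}-{hi}")
        ranges.append((dom, lo, hi))
    # Two closed intervals overlap iff each starts no later than the other ends.
    for i, (d1, a1, b1) in enumerate(ranges):
        for d2, a2, b2 in ranges[i + 1:]:
            if a1 <= b2 and a2 <= b1:
                problems.append(f"{d1} range {a1}-{b1} overlaps {d2} range {a2}-{b2}")
    return problems


if __name__ == "__main__":
    report = check_idmap(parse_idmap_config(SAMPLE_SMB_CONF), local_ids(SAMPLE_PASSWD))
    for p in report or ["no problems found"]:
        print(p)
```

Run against the constructed sample it reports only the "tbd" backend; feed it the real smb.conf plus /etc/passwd and /etc/group (the group file parses the same way, gid in field three) to confirm that the ranges you picked neither overlap each other nor swallow an existing local id such as nobody's 65534.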

