[Samba] Automatic creation of local users

Rowland Penny rpenny at samba.org
Tue Dec 20 09:18:01 UTC 2016


On Tue, 20 Dec 2016 10:03:28 +0100
"L.P.H. van Belle via samba" <samba at lists.samba.org> wrote:

> > When I commented out the "idmap config SUBDOMAIN:range = 1000 -
> > 20000" line, I was able to connect, even with a username that
> > didn't already exist on the Samba server.
> About that 

The user got mapped by the '*' domain

> 
> >         idmap config *:backend = tdb
> >         idmap config *:range = 30000 - 40000
> 
> >         idmap config SUBDOMAIN:backend = ad
> >         idmap config SUBDOMAIN:schema_mode = rfc2307
> >         idmap config SUBDOMAIN:range = 1000 - 20000
> 
> So you fixed it and not disabling it.

No, he borked it.
 
> 
> Your system used id range 0-1000+ (and first user gets 1000)
> The Windows | BUILTIN matches: idmap config *:
> But it is set too wide, it also matched the linux id's.

I have given up worrying about things like this; if people are stupid
enough to use such low IDs, it is their lookout.

> 
> Now Samba AD (with AD BACKEND) starts with idmap config DOMAIN
> 10000-999999 by default.
> 
> A preferred layout for idmap config.
> 
>         # maps to windows BUILTIN/LOCAL ID's
>         idmap config *:backend = tdb
>         idmap config *:range = 2000 - 9999
>         # the AD has as start 10000-99999
>         idmap config SUBDOMAIN:backend = ad
>         idmap config SUBDOMAIN:schema_mode = rfc2307
>         idmap config SUBDOMAIN:range = 10000 - 99999
> 
> with this setup you have the following options.
> 1) Linux ids only, range 0-1999
> 2) Linux id + Windows BUILTIN/Windows local id's.
> 3) Windows AD id's
> 
> Now the problem you had with your user was not because it did not
> exist in linux, but it mismatched its id.

No, it was probably because the user didn't have a uidNumber or its
contents were invalid.
 
> 
> If you want a "linux only users" create an user and keep its id below
> 1999.

Agreed

> If you want a linux user but with some windows abilities,
> create a linux user with id between 2000-9999

No, a user is either a Unix user or a windows user that is also a Unix
user. You cannot have a user in /etc/passwd and in AD.

> 
> And windows users which need linux access, gets id's between
> 10000-999999

Agreed

> 
> And if you change the id's, dont forget to clear the idmap cache
> files.

By running 'net cache flush'

Rowland
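The thread's point is that idmap ranges must not overlap each other or the UIDs of local Unix users. As an added example (not from the thread or from Samba itself), this script parses the `idmap config X:range` lines out of an smb.conf fragment and a passwd file and reports both kinds of collision; the config and passwd lines are constructed and the helper names are my own.

```python
import re

# Constructed smb.conf fragment, using the layout recommended in the thread.
SMB_CONF = """
[global]
        idmap config *:backend = tdb
        idmap config *:range = 2000 - 9999
        idmap config SUBDOMAIN:backend = ad
        idmap config SUBDOMAIN:schema_mode = rfc2307
        idmap config SUBDOMAIN:range = 10000 - 99999
"""

# Constructed /etc/passwd lines; 'bob' deliberately sits inside the '*' range.
PASSWD = """root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000::/home/alice:/bin/bash
bob:x:2500:2500::/home/bob:/bin/bash
"""

# smb.conf keys are case-insensitive; the domain part may be '*' or a NetBIOS name.
RANGE_RE = re.compile(r"^\s*idmap config\s+(\S+)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)\s*$",
                      re.IGNORECASE)

def parse_idmap_ranges(conf):
    """Return {domain: (low, high)} for every 'idmap config X:range' line."""
    ranges = {}
    for line in conf.splitlines():
        m = RANGE_RE.match(line)
        if m:
            ranges[m.group(1)] = (int(m.group(2)), int(m.group(3)))
    return ranges

def local_uids(passwd):
    """Return {name: uid} from passwd-formatted text."""
    return {f[0]: int(f[2]) for f in (l.split(":") for l in passwd.splitlines()) if len(f) >= 3}

def check_layout(ranges, uids):
    """List overlapping idmap ranges and local users whose UID falls inside any range."""
    problems = []
    names = sorted(ranges)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            (lo_a, hi_a), (lo_b, hi_b) = ranges[a], ranges[b]
            if lo_a <= hi_b and lo_b <= hi_a:  # closed intervals intersect
                problems.append(f"ranges overlap: {a} {ranges[a]} and {b} {ranges[b]}")
    for name, uid in uids.items():
        for dom, (lo, hi) in ranges.items():
            if lo <= uid <= hi:
                problems.append(f"local user {name} (uid {uid}) lies inside '{dom}' range {lo}-{hi}")
    return problems

if __name__ == "__main__":
    for p in check_layout(parse_idmap_ranges(SMB_CONF), local_uids(PASSWD)):
        print(p)
```

Run it against the real /etc/samba/smb.conf and /etc/passwd (and the output of `getent passwd` on a member server) before changing ranges; after any change, Rowland's `net cache flush` still applies.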