[Samba] Automatic creation of local users
Rowland Penny
rpenny at samba.org
Tue Dec 20 09:18:01 UTC 2016
On Tue, 20 Dec 2016 10:03:28 +0100
"L.P.H. van Belle via samba" <samba at lists.samba.org> wrote:
> > When I commented out the 'idmap config SUBDOMAIN:range = 1000 -
> > 20000' line, I was able to connect, even with a username that
> > didn't already exist on the Samba server.
> About that
The user got mapped by the '*' domain
>
> > idmap config *:backend = tdb
> > idmap config *:range = 30000 - 40000
>
> > idmap config SUBDOMAIN:backend = ad
> > idmap config SUBDOMAIN:schema_mode = rfc2307
> > idmap config SUBDOMAIN:range = 1000 - 20000
>
> So you fixed it rather than disabling it.
No, he borked it.
>
> Your system uses the ID range 0-1000+ (and the first user gets 1000).
> The Windows BUILTIN IDs match: idmap config *:
> But it is set too wide; it also matched the Linux IDs.
I have given up worrying about things like this; if people are stupid
enough to use such low IDs, it is their lookout.
>
> Now Samba AD (with AD BACKEND) starts with idmap config DOMAIN
> 10000-999999 by default.
>
> A preferred layout for idmap config.
>
> # maps to Windows BUILTIN/LOCAL IDs
> idmap config *:backend = tdb
> idmap config *:range = 2000 - 9999
> # the AD range starts at 10000-99999
> idmap config SUBDOMAIN:backend = ad
> idmap config SUBDOMAIN:schema_mode = rfc2307
> idmap config SUBDOMAIN:range = 10000 - 99999
>
> With this setup you have the following options.
> 1) Linux IDs only, range 0-1999
> 2) Linux IDs + Windows BUILTIN/Windows local IDs.
> 3) Windows AD IDs
>
> Now the problem you had with your user was not because it did not
> exist in Linux, but because its ID was mismatched.
No, it was probably because the user didn't have a uidNumber or its
contents were invalid.
>
> If you want "Linux-only users", create a user and keep its ID below
> 1999.
Agreed
> If you want a Linux user but with some Windows abilities,
> create a Linux user with an ID between 2000-9999.
No, a user is either a Unix user or a Windows user that is also a Unix
user. You cannot have a user in /etc/passwd and in AD.
>
> And Windows users which need Linux access get IDs between
> 10000-999999.
Agreed
>
> And if you change the IDs, don't forget to clear the idmap cache
> files.
By running 'net cache flush'
Rowland
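The two idmap layouts discussed in this thread (the overlapping one the original poster had, and the disjoint one proposed in the reply) can be checked mechanically before winbind ever caches a mapping. The script below is an added example written for this archive page; it is not code from the thread, from Samba, or from either poster. It reads the 'idmap config <DOMAIN>:range' lines out of an smb.conf, verifies that every range is well formed, that no two ranges overlap each other, and that none of them dips into the UID range used by local /etc/passwd accounts. The two smb.conf fragments and the local UID ceilings (1000 for the broken case, 1999 for the fixed one) are constructed from the numbers quoted in the thread, not read from a live system; the function and file names are the example's own.

```shell
#!/bin/sh
# Added example (not Samba's code): sanity-check idmap ranges in an smb.conf.
#
# check_idmap_ranges CONF LOCAL_MAX_UID
#   CONF          smb.conf to inspect
#   LOCAL_MAX_UID highest UID that local /etc/passwd accounts may use
#                 (assumption: passed in by the caller, not discovered here)
# Exit status 0 if all ranges are disjoint and above LOCAL_MAX_UID, 1 otherwise.
check_idmap_ranges() {
    awk -v local_max="$2" '
        /^[[:space:]]*idmap config [^:]+:[[:space:]]*range[[:space:]]*=/ {
            line = $0
            sub(/^[[:space:]]*idmap config /, "", line)
            split(line, kv, ":")              # kv[1] = domain, kv[2] = "range = lo - hi"
            dom = kv[1]; gsub(/[[:space:]]+$/, "", dom)
            split(kv[2], parts, "=")          # parts[2] = " lo - hi"
            gsub(/[[:space:]]/, "", parts[2])
            split(parts[2], bounds, "-")
            lo[dom] = bounds[1] + 0; hi[dom] = bounds[2] + 0
            order[++n] = dom
        }
        END {
            bad = 0
            for (i = 1; i <= n; i++) {
                d = order[i]
                if (lo[d] > hi[d]) {
                    printf "ERROR %s: range %d-%d is inverted\n", d, lo[d], hi[d]; bad = 1
                }
                # A range that reaches down into local UIDs lets a domain SID land on
                # an existing /etc/passwd account, which is the collision in the thread.
                if (lo[d] <= local_max) {
                    printf "ERROR %s: range %d-%d overlaps local UIDs 0-%d\n", d, lo[d], hi[d], local_max; bad = 1
                }
                # Two idmap domains sharing IDs would hand the same UID to two SIDs.
                for (j = i + 1; j <= n; j++) {
                    e = order[j]
                    if (lo[d] <= hi[e] && lo[e] <= hi[d]) {
                        printf "ERROR %s and %s: ranges %d-%d and %d-%d overlap\n", d, e, lo[d], hi[d], lo[e], hi[e]; bad = 1
                    }
                }
            }
            if (!bad) print "OK: idmap ranges are disjoint and above local UIDs"
            exit bad
        }' "$1"
}

# Constructed sample configs built from the numbers quoted in the thread.
TMPD=$(mktemp -d)

# The original poster's layout: SUBDOMAIN starts at 1000, where local users live.
cat > "$TMPD/borked.conf" <<'EOF'
[global]
   idmap config *:backend = tdb
   idmap config *:range = 30000 - 40000
   idmap config SUBDOMAIN:backend = ad
   idmap config SUBDOMAIN:schema_mode = rfc2307
   idmap config SUBDOMAIN:range = 1000 - 20000
EOF

# The layout proposed in the reply: local 0-1999, BUILTIN 2000-9999, AD 10000-99999.
cat > "$TMPD/fixed.conf" <<'EOF'
[global]
   idmap config *:backend = tdb
   idmap config *:range = 2000 - 9999
   idmap config SUBDOMAIN:backend = ad
   idmap config SUBDOMAIN:schema_mode = rfc2307
   idmap config SUBDOMAIN:range = 10000 - 99999
EOF

echo "== borked.conf (first local user is UID 1000) =="
check_idmap_ranges "$TMPD/borked.conf" 1000
echo "== fixed.conf (local users kept below 2000) =="
check_idmap_ranges "$TMPD/fixed.conf" 1999
# After changing ranges on a real host the thread's advice still applies:
# run 'net cache flush' so winbind forgets the stale SID-to-UID mappings.
```

Run it against a real smb.conf with the highest local UID on that host as the second argument; an ERROR line for a range that overlaps local UIDs is the situation described above, where a domain account was mapped onto an existing Linux UID rather than failing because the account was missing.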