[Samba] Failed to find domain Unix Group
Carlos A. P. Cunha
carlos.hollow at gmail.com
Wed Jul 13 13:52:08 UTC 2016
Thank you for the explanation.
Yes, it was a mistake to leave my two faxias that way, by the ID
exchange reason the low range will leave as it was to have no problems
idmap config SERVERAD: range = 5000-33554431
The range of up'm thinking of changing to something
idmap config *: range = 2000-4500
Not to be superimposed.
But it will it not cause problem ids trading again? Since it was before
both inciado in 50000
The procimo server will not make this mistake.
Final doubt, I promise heheh :-D
Thanks
Em 13-07-2016 10:32, Rowland penny escreveu:
> On 13/07/16 13:33, Carlos A. P. Cunha wrote:
>>
>> I got it, so it must have been the problem ..
>> Strange that changed it more than one month at least.
>> Having these values now, how do you think I do?
>> Leave it or change at least the idmap config * values: range?
>>
>> I understand the parameters:
>>
>> idmap config *: range = Range of the Ids are User system
>>
>> idmap config SERVERAD: range: DC User Range
>>
>> Thank you
>>
>>
>> Em 13-07-2016 05:16, Rowland penny escreveu:
>>> On 13/07/16 03:20, Carlos A. P. Cunha wrote:
>>>>
>>>> Can return old id, returning the old values (changed the most at
>>>> least two months)
>>>>
>>>> idmap config *: backend = tdb
>>>> idmap config *:range = 5000-16777216
>>>> idmap config SERVERAD: backend = rid
>>>> idmap config SERVERAD: range = 5000-33554431
>>>>
>>>> The error parrou also, but I think the fact that a group with the
>>>> same ID / GID if the User to the fact that the idmap values be
>>>> crossing, even so I changed them (mentioned above)
>>>>
>>>> Thank you
>>>>
>>>>
>>>
>>> Do not change the lower range value on a Samba fileserver once set,
>>> you can raise the upper value, but there is a proviso, the ranges
>>> must not overlap. This means your lines above are invalid, they both
>>> start at '5000' and the entire '*' range is inside the 'SERVERAD' range.
>>>
>>> If you change the lower range and you are using the 'rid' backend,
>>> all your IDs will change.
>>>
>>> Rowland
>>>
>>
>
> OK, you need to find out just who owns what on your systems, if you
> find that something belongs to a number or to a user that it
> shouldn't, then you have problems.
>
> If you look on the Samba wiki page for setting up a domain member, you
> will find this for using the 'rid' backend:
>
> # Default idmap config used for BUILTIN and local accounts/groups
> idmap config *:backend = tdb
> idmap config *:range = 2000-9999
>
> # idmap config for domain SAMDOM
> idmap config SAMDOM:backend = rid
> idmap config SAMDOM:range = 10000-99999
>
> The ranges were chosen for a reason, the '*' range '2000-9999' is
> large enough for any windows SID-RIDS that need mapping and leaves
> room below the range for any local Unix users that may be required.
> The domain range starts at '10000', this is also the standard start
> number if you use ADUC & the Unix Attributes tab. If needed, the range
> can be extended by raising '99999' to whatever is required, this can
> be done whenever required, just don't change '10000'
>
> If practicable, you could use the above ranges, but if it takes less
> work to keep the ranges you are using now, then stay with them, what I
> am trying to say is, go with whatever is easiest, just make sure that
> ranges do not overlap.
>
> Rowland
>
More information about the samba
mailing list