[Samba] IDMAP Issue
Rowland penny
rpenny at samba.org
Thu Jul 14 12:50:55 UTC 2016
On 14/07/16 13:33, Shaun Glass wrote:
> ... no, no sssd.
>
> Basically we had :
>
> id -a "localuser"
> uid=17057
>
> id -a "ABC+aduser"
> uid=17057
>
> ... file ownership started getting wrecked so we are looking for a way
> to correct.
>
> On Thu, Jul 14, 2016 at 2:26 PM, Rowland penny <rpenny at samba.org> wrote:
>
> On 14/07/16 11:01, Shaun Glass wrote:
>> ... as follows :
>>
>> rpm -qa | grep samba
>> samba-3.6.23-35.el6_8.x86_64
>> samba-common-3.6.23-35.el6_8.x86_64
>> samba-winbind-clients-3.6.23-35.el6_8.x86_64
>> samba-winbind-3.6.23-35.el6_8.x86_64
>>
>> [global]
>> workgroup = ABC
>> realm = ABC.COM
>> security = ADS
>> restrict anonymous = 1
>> log file = /var/log/samba/log.%m
>> max log size = 50
>> client signing = required
>> server signing = Yes
>> socket options = TCP_NODELAY SO_RCVBUF=16384 SO_SNDBUF=16384
>> dns proxy = No
>> wins server = x.x.x.x
>> socket address = x.x.x.x
>> winbind separator = +
>> winbind enum users = Yes
>> winbind enum groups = Yes
>> idmap config * : range = 10000-20000
>> idmap config * : backend = tdb
>>
>> On Thu, Jul 14, 2016 at 11:47 AM, Rowland penny <rpenny at samba.org> wrote:
>>
>> On 14/07/16 09:34, Shaun Glass wrote:
>>
>> Good Day All,
>>
>> We have an issue where the following in smb.conf :
>>
>> idmap uid = 10000-20000
>>
>> ... it is resulting in assigned id's clashing with id's
>> in passwd. What are
>> the repercussions should we change to say the following :
>>
>> idmap uid = 20000-30000
>>
>> Many thanks.
>>
>> Regards
>>
>> Shaun
>>
>>
>> What version of Samba ?
>> idmap uid (and gid) are deprecated in later versions of
>> Samba, it may help if you post the entire [global] section of
>> your smb.conf.
>>
>> Whatever the version of Samba, raising the lower level
>> wouldn't really be a good idea, any saved files belonging to
>> an ID in the range 10000-20000 would lose their owners.
>>
>> Rowland
>>
>>
>
> You initially asked about 'idmap uid', but I don't see it in your
> smb.conf, what I do see is:
>
> idmap config * : range = 10000-20000
> idmap config * : backend = tdb
>
> The '*' is for the BUILTIN users & groups etc
> I don't see anything for the Domain users & groups, are you also
> running sssd ?
> If so, you don't need winbind.
>
> Rowland
>
>

With AD, you do not need local Unix users and in fact, you cannot have a
user in AD and /etc/passwd (same goes for groups).

It would seem that you have a large number of local Unix users in
/etc/passwd and your computer is joined to AD and as you have
discovered, giving a user an ID based around a range that is also in use
by the local computer is bound to cause problems.

Can I suggest you move to the 'idmap config' setup using the 'rid'
backend, see here for info:

https://wiki.samba.org/index.php/Idmap_config_rid

Just change the 'SAMDOM' range to suit your computer i.e. find out the
highest UID & GID, and then make sure the range starts well above this.

If you have any users in /etc/passwd that are also in AD i.e. if you have
user 'fred' in /etc/passwd and there is also a user 'ABC+fred' in AD,
then sorry, but one of them will have to go, they would be treated as
the same user.

If there are any files etc owned by a local Unix user and they should be
owned by an AD user (and vice versa), you will need to sort them out
after you sort the user problem out.

Rowland
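
A check for the overlap described in this thread, as an added example that is not part of the original post: it lists local accounts whose IDs fall inside a winbind idmap range and reports the highest local ID, so a new range can start above it. The sample smb.conf and passwd contents are constructed, and skipping 65534 as the nobody/nfsnobody ID is an assumption.

```python
import re

# Constructed sample data (not taken from the poster's hosts).
SAMPLE_SMB_CONF = """\
[global]
    workgroup = ABC
    idmap config * : range = 10000-20000
    idmap config * : backend = tdb
"""
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
appsvc:x:9500:9500::/home/appsvc:/bin/bash
localuser:x:17057:17057::/home/localuser:/bin/bash
"""

RANGE_RE = re.compile(
    r"^\s*idmap\s+config\s+(\S+)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)\s*$",
    re.IGNORECASE | re.MULTILINE)

def idmap_ranges(smb_conf_text):
    """Return {domain: (low, high)} for every 'idmap config X : range' line."""
    return {m.group(1): (int(m.group(2)), int(m.group(3)))
            for m in RANGE_RE.finditer(smb_conf_text)}

def local_ids(db_text):
    """Parse passwd- or group-format text into {name: numeric id}."""
    ids = {}
    for line in db_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 3 and fields[2].isdigit():
            ids[fields[0]] = int(fields[2])
    return ids

def collisions(ranges, ids):
    """Local accounts whose id falls inside any winbind idmap range."""
    return sorted((name, num, dom) for name, num in ids.items()
                  for dom, (low, high) in ranges.items() if low <= num <= high)

def highest_local_id(ids, ignore=(65534,)):
    """Highest local id, skipping the nobody sentinel (assumed to be 65534)."""
    return max(num for num in ids.values() if num not in ignore)

if __name__ == "__main__":
    ranges = idmap_ranges(SAMPLE_SMB_CONF)
    ids = local_ids(SAMPLE_PASSWD)
    for name, num, dom in collisions(ranges, ids):
        print(f"local '{name}' id {num} is inside idmap range '{dom}' {ranges[dom]}")
    print("new idmap range must start above", highest_local_id(ids))
```

On a real host, pass the contents of /etc/passwd and /etc/group to `local_ids` and the contents of smb.conf to `idmap_ranges`.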