[Samba] IDMAP Issue

Shaun Glass shaunglass at gmail.com
Thu Jul 14 12:57:05 UTC 2016


Thanks very much ...

On Thu, Jul 14, 2016 at 2:50 PM, Rowland penny <rpenny at samba.org> wrote:

> On 14/07/16 13:33, Shaun Glass wrote:
>
> ... no, no sssd.
>
> Basically we had :
>
> id -a "localuser"
> uid=17057
>
> id -a "ABC+aduser"
> uid=17057
>
> ... file ownership started getting wrecked so we are looking for a way to
> correct.
>
> On Thu, Jul 14, 2016 at 2:26 PM, Rowland penny <rpenny at samba.org> wrote:
>
>> On 14/07/16 11:01, Shaun Glass wrote:
>>
>> ... as follows :
>>
>> rpm -qa | grep samba
>> samba-3.6.23-35.el6_8.x86_64
>> samba-common-3.6.23-35.el6_8.x86_64
>> samba-winbind-clients-3.6.23-35.el6_8.x86_64
>> samba-winbind-3.6.23-35.el6_8.x86_64
>>
>> [global]
>>     workgroup = ABC
>>     realm = ABC.COM
>>     security = ADS
>>     restrict anonymous = 1
>>     log file = /var/log/samba/log.%m
>>     max log size = 50
>>     client signing = required
>>     server signing = Yes
>>     socket options = TCP_NODELAY SO_RCVBUF=16384 SO_SNDBUF=16384
>>     dns proxy = No
>>     wins server = x.x.x.x
>>     socket address = x.x.x.x
>>     winbind separator = +
>>     winbind enum users = Yes
>>     winbind enum groups = Yes
>>     idmap config * : range = 10000-20000
>>     idmap config * : backend = tdb
>>
>> On Thu, Jul 14, 2016 at 11:47 AM, Rowland penny <rpenny at samba.org> wrote:
>>
>>> On 14/07/16 09:34, Shaun Glass wrote:
>>>
>>>> Good Day All,
>>>>
>>>> We have an issue where the following in smb.conf :
>>>>
>>>> idmap uid = 10000-20000
>>>>
>>>> ... it is resulting in assigned IDs clashing with IDs in passwd. What are
>>>> the repercussions should we change to say the following :
>>>>
>>>> idmap uid = 20000-30000
>>>>
>>>> Many thanks.
>>>>
>>>> Regards
>>>>
>>>> Shaun
>>>>
>>>
>>> What version of Samba ?
>>> idmap uid (and gid) are deprecated in later versions of Samba, it may
>>> help if you post the entire [global] section of your smb.conf.
>>>
>>> Whatever the version of Samba, raising the lower level wouldn't really
>>> be a good idea, any saved files belonging to an ID in the range 10000-20000
>>> would lose their owners.
>>>
>>> Rowland
>>>
>>>
>>>
>>
>>
>> You initially asked about 'idmap uid', but I don't see it in your
>> smb.conf, what I do see is:
>>
>>     idmap config * : range = 10000-20000
>>     idmap config * : backend = tdb
>>
>> The '*' is for the BUILTIN users & groups etc
>> I don't see anything for the Domain users & groups, are you also running
>> sssd ?
>> If so, you don't need winbind.
>>
>> Rowland
>>
>>
>
> With AD, you do not need local Unix users and in fact, you cannot have a
> user in AD and /etc/passwd (same goes for groups)
> It would seem that you have a large number of local Unix users in
> /etc/passwd and your computer is joined to AD and as you have discovered,
> giving a user an ID based around a range that is also in use by the local
> computer is bound to cause problems.
>
> Can I suggest you move to the 'idmap config' setup using the 'rid'
> backend, see here for info:
>
> https://wiki.samba.org/index.php/Idmap_config_rid
>
> Just change the 'SAMDOM' range to suit your computer, i.e. find out the
> highest UID & GID, and then make sure the range starts well above this.
>
> If you have any users in /etc/passwd that are also in AD, i.e. if you have
> user 'fred' in /etc/passwd and there is also a user 'ABC+fred' in AD, then
> sorry, but one of them will have to go, they would be treated as the same
> user.
>
> If there are any files etc. owned by a local Unix user and they should be
> owned by an AD user (and vice versa), you will need to sort them out after
> you sort the user problem out.
>
> Rowland
>
>
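
The check suggested in the thread (find local IDs that fall inside the winbind idmap range, and the highest local ID so that a new range can start well above it), as an added example that is not part of the original messages. The function names are hypothetical and the sample files are constructed; only `localuser`, UID 17057 and the `idmap config` lines come from the thread.

```shell
#!/bin/sh
# Added example: audit local accounts against the winbind idmap ranges.

# Print "low high" for each "idmap config <domain> : range = low-high" line.
idmap_ranges() {   # $1 = smb.conf
    awk -F'=' '
        /^[[:space:]]*idmap config .*:[[:space:]]*range[[:space:]]*=/ {
            gsub(/[[:space:]]/, "", $2)
            split($2, r, "-")
            print r[1], r[2]
        }' "$1"
}

# Print "name uid" for every local account whose UID lies inside an idmap range.
colliding_users() {   # $1 = smb.conf, $2 = passwd
    idmap_ranges "$1" | while read -r low high; do
        awk -F: -v lo="$low" -v hi="$high" \
            '$3 >= lo && $3 <= hi { print $1, $3 }' "$2"
    done | sort -u
}

# Highest ID in a passwd or group file. Assumption: 65534 and above are the
# conventional nobody/nfsnobody IDs and are skipped so they do not skew the result.
highest_id() {   # $1 = passwd or group
    awk -F: 'BEGIN { max = 0 } $3 < 65534 && $3 + 0 > max { max = $3 + 0 }
             END { print max }' "$1"
}

# Constructed sample files (not taken from the poster's system).
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
cat > "$demo/smb.conf" <<'EOF'
[global]
    winbind separator = +
    idmap config * : range = 10000-20000
    idmap config * : backend = tdb
EOF
cat > "$demo/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
appsvc:x:9001:9001::/home/appsvc:/sbin/nologin
localuser:x:17057:17057::/home/localuser:/bin/bash
nfsnobody:x:65534:65534::/var/lib/nfs:/sbin/nologin
EOF

echo "Local accounts inside an idmap range:"
colliding_users "$demo/smb.conf" "$demo/passwd"
echo "Highest local UID: $(highest_id "$demo/passwd")"
```

On a real host, pass the smb.conf path and `/etc/passwd` (then `/etc/group`) directly; reading the files rather than `getent` keeps winbind-mapped accounts out of the local list.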

