[Samba] NT_STATUS_INVALID_SID

Ryan Ashley ryana at reachtechfp.com
Thu Oct 27 19:52:09 UTC 2016


Slightly off-topic, but I thought setting those set the limits for going
into the NIS attributes tab in Windows. I understood the Samba wiki to
explain that using those lines is how you set the upper and lower limits
that Windows sees and uses. Is this incorrect?

Lead IT/IS Specialist
Reach Technology FP, Inc

On 10/27/2016 03:42 PM, Rowland Penny via samba wrote:
> On Thu, 27 Oct 2016 17:23:43 -0200
> Vinicius Bones Silva via samba <samba at lists.samba.org> wrote:
> 
>> Hi Rowland,
>>
>>      Just to let you know, we removed all the idmap entries we had on
>> the smb.conf of our two DCs and the ids reported by getent passwd at
>> the DCs were in the 3.000.000 range, as you said. We had to add back
>> 'idmap_ldb:use rfc2307 = yes' to get the user listing with the
>> original numbers on the DCs.
>>
>> Here's what we commented out on the configuration files.
>>
>>          # Default idmap config used for BUILTIN and local accounts/groups
>>          #idmap config *:backend = ad
>>          #idmap config *:range = 2000-9999
>>
>>          # idmap config for domain E-TRUST
>>          #idmap config E-TRUST:backend = ad
>>          #idmap config E-TRUST:schema_mode = rfc2307
>>          #idmap config E-TRUST:range = 10000-40000
>>          #idmap cache time = 1
>>          #idmap negative cache time = 1
>>          #winbind cache time = 1
>>          idmap_ldb:use rfc2307 = yes
>>
> 
> Yes those are the lines you should only have on a domain member (aka
> fileserver, printserver). The only idmap line you should have on a DC is
> the 'idmap_ldb:use rfc2307 = yes' line, without this line, rfc2307
> will not be used and unfortunately it is not added automatically to
> any DCs that are joined to the domain.
> 
> Rowland
>  
> 
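
The rule from the quoted reply (no `idmap config` lines on a DC, only `idmap_ldb:use rfc2307 = yes`) written as a small smb.conf check. This is an added example, not part of the thread and not Samba code. The function names, the sample config and the EXAMPLE domain are constructed, and it assumes the DC's smb.conf sets `server role = active directory domain controller` explicitly.

```python
import re

# Constructed sample: a DC smb.conf that still carries member-style idmap lines.
SAMPLE_DC_CONF = """\
[global]
    netbios name = DC1
    realm = EXAMPLE.TEST
    workgroup = EXAMPLE
    server role = active directory domain controller
    idmap config *:backend = ad
    idmap config *:range = 2000-9999
    idmap config EXAMPLE : backend = ad
    idmap config EXAMPLE : range = 10000-40000
    #idmap_ldb:use rfc2307 = yes
"""

def parse_global(text):
    """Return {parameter: value} for [global]; names lowercased, spacing normalized."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or comment
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            section = m.group(1).strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            key = re.sub(r"\s*:\s*", ":", " ".join(key.lower().split()))
            params[key] = value.strip()
    return params

def lint_idmap(text):
    """Findings for a DC config, following the advice in the quoted reply."""
    params = parse_global(text)
    role = " ".join(params.get("server role", "").lower().split())
    if role != "active directory domain controller":
        return []                            # the rule applies to DCs only
    findings = [f"remove from DC: {k} = {v}"
                for k, v in params.items() if k.startswith("idmap config ")]
    if params.get("idmap_ldb:use rfc2307", "").lower() not in ("yes", "true", "1"):
        findings.append("add to DC: idmap_ldb:use rfc2307 = yes")
    return findings

if __name__ == "__main__":
    for finding in lint_idmap(SAMPLE_DC_CONF):
        print(finding)
```
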


