[Samba] [samba] idmap question

L.P.H. van Belle belle at bazuin.nl
Thu Aug 10 10:19:36 UTC 2017

Hi Mathias,

Type:  wbinfo --all-domains 

You should see 3 domainnames. 

BUILTIN   => idmap config *
HOSTNAME  => ? Don't know where this one maps to.
NTDOM     => idmap config NTDOM

For example (for Debian) I use the following.
I use this as follows.
    ## map ids outside the NT domain to tdb files.
    idmap config *: backend = tdb
    idmap config *: range = 2000-2999

    ## map ids from the domain; this range and the (*) range may not overlap!
    idmap config NTDOM : backend = ad
    idmap config NTDOM : schema_mode = rfc2307
    idmap config NTDOM : range = 10000-3999999

And I think, but I never use it, that you can match the hostname also.
    idmap config HOSTNAME : backend = tdb
    idmap config HOSTNAME : range = 3000-9999
! But I can't confirm whether the "HOSTNAME" part is 100% correct.

Id 0-1999     (local Linux users), 0-999 for system users (*this can differ on another OS.)
2000-2999     BUILTIN\......   (example is BUILTIN\administrators)
3000-9999     HOSTNAME\ ?
10000-99999   NTDOM\users   I start here at 10000 because the Samba AD backend also starts at 10000.

Now "NTDOM\Domain Admins" is a member of: BUILTIN\administrators
And "NTDOM\Domain users" is a member of: BUILTIN\users

SePrivileges should be set on: BUILTIN\administrators, and not, as most examples show, on "domain admins".
And because of this you should always set: winbind expand groups = 2
But I prefer winbind expand groups = 4
Backtrace, for example, everything backup related and see which groups are used and which SePrivileges you should set.

For me this has advantages, like:
Restricting logins based on Linux and Windows groups/users, or uid/gid ranges.
And for me more flexibility in the use of winbind or ldap things.

(an example, sshd_config: AllowGroups linuxsshgroup winsshgroup)
* Note: for this, the user and group MUST have a gid.
This also matches PAM restrictions better; Kerberos had a minimum of uid=1000.

For RID it's the same, but see the AD/RID advantages and disadvantages also.

Hope this helps a bit. 



> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> mathias dufresne via samba
> Sent: Thursday, 10 August 2017 11:44
> To: samba
> Subject: [Samba] [samba] idmap question
> Hi all,
> What is the real purpose of the following lines when using
> idmap-rid or
> idmap-ad:
> # Default idmap config for local BUILTIN accounts and groups
> idmap config * : backend = tdb
> idmap config * : range = 3000-7999
> When using the next two lines
> # idmap config for the SAMDOM domain
> idmap config SAMDOM : backend = rid [or ad]
> idmap config SAMDOM : range = 10000-999999
> AD users will be in range 10000-999999, /etc/passwd would be
> in range 0-2999, what kind of users would be added in range 3000-7999?
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
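The point both messages turn on is that the `idmap config * : range` and every per-domain range must exist and must not overlap, otherwise winbind can hand the same uid/gid to two different SIDs. The following POSIX sh script is an added example, not code from the list posters or from the Samba project: it pulls the `range` lines out of an smb.conf-style text and rejects overlaps or a missing default range. The two configs embedded in it are constructed for the demo (the first mirrors the ranges from the reply above, the second deliberately lets a hypothetical HOSTNAME range collide with the `*` range); on a real host you would feed it `testparm -s` output instead.

```shell
#!/bin/sh
# Added example (not from the mailing-list post or Samba): sanity-check the
# idmap ranges in an smb.conf. Assumes only POSIX sh and awk.

# Constructed config mirroring the ranges in the reply above.
GOOD_SMB_CONF='
[global]
    workgroup = NTDOM
    security = ADS
    ## map ids outside the NT domain to tdb files.
    idmap config * : backend = tdb
    idmap config * : range = 2000-2999
    ## the domain range and the (*) range may not overlap
    idmap config NTDOM : backend = ad
    idmap config NTDOM : schema_mode = rfc2307
    idmap config NTDOM : range = 10000-3999999
'

# Constructed config with a mistake: the default (*) range and a
# hypothetical HOSTNAME range both claim 2500-2999.
BAD_SMB_CONF='
[global]
    idmap config * : backend = tdb
    idmap config * : range = 2000-2999
    idmap config HOSTNAME : backend = tdb
    idmap config HOSTNAME : range = 2500-9999
    idmap config NTDOM : backend = rid
    idmap config NTDOM : range = 10000-999999
'

# idmap_ranges CONFIG_TEXT
# Prints one "DOMAIN LOW HIGH" line per "idmap config DOMAIN : range = LOW-HIGH".
# Other idmap keys (backend, schema_mode, ...) and comments are ignored.
idmap_ranges() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*idmap config[ \t]/ {
            line = $0
            sub(/^[ \t]*idmap config[ \t]*/, "", line)
            eq = index(line, "=")
            if (eq == 0) next
            key = substr(line, 1, eq - 1)
            val = substr(line, eq + 1)
            gsub(/[ \t]/, "", key)
            gsub(/[ \t]/, "", val)
            if (split(key, parts, ":") != 2 || parts[2] != "range") next
            if (split(val, r, "-") != 2) next
            print parts[1], r[1], r[2]
        }'
}

# check_idmap_ranges CONFIG_TEXT
# Returns 0 when a default (*) range exists, every range is LOW<=HIGH and no
# two ranges overlap; otherwise prints each problem and returns 1.
check_idmap_ranges() {
    idmap_ranges "$1" | awk '
        BEGIN { bad = 0; has_default = 0 }
        {
            dom[NR] = $1; lo[NR] = $2 + 0; hi[NR] = $3 + 0
            if (lo[NR] > hi[NR]) { print "inverted range: " $1 " " $2 "-" $3; bad = 1 }
            if ($1 == "*") has_default = 1
        }
        END {
            if (!has_default) { print "missing: idmap config * : range"; bad = 1 }
            for (i = 1; i <= NR; i++)
                for (j = i + 1; j <= NR; j++)
                    if (lo[i] <= hi[j] && lo[j] <= hi[i]) {
                        print "overlap: " dom[i] " " lo[i] "-" hi[i] " vs " dom[j] " " lo[j] "-" hi[j]
                        bad = 1
                    }
            exit bad
        }'
}

check_idmap_ranges "$GOOD_SMB_CONF" && echo "GOOD_SMB_CONF: ranges ok"
check_idmap_ranges "$BAD_SMB_CONF" || echo "BAD_SMB_CONF: rejected"
```

To run it against a live server, replace the constructed text with `check_idmap_ranges "$(testparm -s 2>/dev/null)"`; the overlap rule is the same whether the domain backend is `ad` or `rid`, and the domain names you expect to see as ranges are the ones `wbinfo --all-domains` lists (BUILTIN being served by the `*` range).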
