[Samba] [samba] idmap question

mathias dufresne infractory at gmail.com
Thu Aug 10 13:13:39 UTC 2017


Thank you both for these replies.

Here, at work, "wbinfo --all-domains" gave 5 lines. Let's call MAINDOM the
domain my Samba member is joined to, and TRUSTED1 and TRUSTED2 the two
other domains linked by trust relationships; the result is:

# wbinfo --all-domains
BUILTIN
HOSTNAME -> /etc/passwd & /etc/group (I think, words below about this)
MAINDOM
TRUSTED1
TRUSTED2

For me HOSTNAME is for users from /etc/passwd added with "smbpasswd -a". I
think that (I can't test yet until I'm back home, and I won't have time to
verify it at home for the next few days) because, as far as I remember, when using
"smbpasswd -a someLocalUser" there is no id mapping: the UID used is the
real one of that someLocalUser. I think that's why both ranges declared with
idmap directives must not overlap UIDs/GIDs from /etc/passwd and /etc/group.




2017-08-10 12:51 GMT+02:00 Rowland Penny via samba <samba at lists.samba.org>:

> On Thu, 10 Aug 2017 12:19:36 +0200
> "L.P.H. van Belle via samba" <samba at lists.samba.org> wrote:
>
> > Hai Mathias,
> >
> > Type:  wbinfo --all-domains
> >
> > You should see 3 domainnames.
> >
> > BUILTIN       => idmap config *
> > HOSTNAME      => ? Dont know where this one maps to.
> > NTDOM         => idmap config NTDOM
>
> On a Unix domain member, I get 4
>
> BUILTIN
> HOSTNAME
> NTDOM
> EXAMPLE
>
> I have no idea where 'EXAMPLE' comes from, I have never set up any
> smb.conf that contains 'workgroup = EXAMPLE' on the Unix domain member.
>
>
Perhaps, as here where there is a trust relationship, your EXAMPLE comes from
an old trust test you made?


> >
> > I use for example ( for debian ) the following.
> > I use this as followed.
> >
> >     ## map id's outside to NT domain to tdb files.
> >     idmap config *: backend = tdb
> >     idmap config *: range = 2000-2999
> >
> >     ## map ids from the domain and (*) the range may not overlap !
> >     idmap config NTDOM : backend = ad
> >     idmap config NTDOM : schema_mode = rfc2307
> >     idmap config NTDOM : range = 10000-3999999
> >
> > And i think, but i never use that you can match the hostname also.
> > Like,
> >       idmap config HOSTNAME : backend = tdb
> >       idmap config HOSTNAME : range = 3000-9999
> > ! But I cant confirm about the "HOSTNAME" part if thats 100% correct.
>
> It probably would work, but I have never tried it.
>

As I said above, I think the "HOSTNAME" domain from wbinfo --all-domains is
for users and groups from local files (/etc/passwd and /etc/group). As
already said, I could be wrong.


>
> >
> > Id 0-1999      (local linux users) 0-999 for system users (*this can
> >                differ on another OS.)
> > 2000-2999      BUILTIN\......   (example is BUILTIN\administrators)
> > 3000-9999      HOSTNAME\ ?
> > 10000-99999    NTDOM\users  i start here at 10.000 because samba
> >                backend AD starts also at 10.000.
> >
> > Now "NTDOM\Domain Admins" is member of : BUILTIN\administrators
> > And "NTDOM\Domain users" is member of : BUILTIN\users
> >
> > SePrivileges should be set on : BUILTIN\administrators, and not as
> > most examples show "domain admins". And because of this you should
> > always set : winbind expand groups = 2. But I prefer winbind expand
> > groups = 4. Backtrace for example everything backup related and see
> > which groups are used and which SePrivileges you should set.
>
> Never tried this, but you are quite correct, you should NEVER give
> 'Domain Admins' a gidNumber. I do it another way, I create a group
> 'Unix Admins', give this group a gidNumber and add this to 'Domain
> Admins'
>

I don't follow you both on that. I mean I don't understand what could be
the issue.

And using idmap-rid it is just impossible (according to my little knowledge
of Samba) to avoid giving UID or GID: if a user or group exists, it will
have a UID or GID using object's RID + low number of domain range from
"idmap config" config line.

So if there is some issue about giving "domain admins" a GID, I'd be glad
to understand it ;)


>
> Rowland
>

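As an added example (not from the thread or from Samba itself), a Python check for the two constraints discussed above: idmap ranges must not overlap each other or the local /etc/passwd IDs, and under idmap_rid a user's ID is RID - base_rid + low end of the domain's range (base_rid defaulting to 0). The TRUSTED1 domain, the SIDs and the passwd lines are constructed; the "*" and NTDOM entries follow the quoted smb.conf.

```python
import re
# Constructed smb.conf fragment: the "*" and NTDOM entries quoted in the thread,
# plus a hypothetical rid-backed trusted domain TRUSTED1 (not from the thread).
SMB_CONF = """
    idmap config * : backend = tdb
    idmap config * : range = 2000-2999
    idmap config NTDOM : backend = ad
    idmap config NTDOM : range = 10000-3999999
    idmap config TRUSTED1 : backend = rid
    idmap config TRUSTED1 : range = 4000000-4999999
"""
# Constructed /etc/passwd lines; 'bob' deliberately sits inside the "*" range.
PASSWD = "root:x:0:0:root:/root:/bin/bash\nbob:x:2500:2500:Bob:/home/bob:/bin/bash\n"
IDMAP_RE = re.compile(r"^\s*idmap config\s+(\S+)\s*:\s*(\w+)\s*=\s*(\S+)")
def parse_idmap(conf):
    # Returns {domain: {"backend": ..., "range": (low, high)}} from 'idmap config' lines.
    domains = {}
    for line in conf.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            dom, opt, val = m.groups()
            if opt == "range":
                val = tuple(int(x) for x in val.split("-"))
            domains.setdefault(dom, {})[opt] = val
    return domains

def overlapping_ranges(domains):
    # Pairs of idmap domains whose ranges intersect; Samba requires none.
    doms = sorted(domains)
    return [(a, b) for i, a in enumerate(doms) for b in doms[i + 1:]
            if domains[a]["range"][0] <= domains[b]["range"][1]
            and domains[b]["range"][0] <= domains[a]["range"][1]]

def local_ids_in_ranges(domains, passwd):
    # Local UIDs that fall inside any idmap range (winbind/local collision risk).
    hits = []
    for line in passwd.splitlines():
        name, uid = line.split(":")[0], int(line.split(":")[2])
        hits += [(name, uid, d) for d, o in domains.items()
                 if o["range"][0] <= uid <= o["range"][1]]
    return hits

def rid_to_id(sid, domains, dom, base_rid=0):
    # idmap_rid formula: ID = RID - base_rid + low end of the domain's range.
    rid = int(sid.rsplit("-", 1)[1])
    lo, hi = domains[dom]["range"]
    xid = rid - base_rid + lo
    if not lo <= xid <= hi:
        raise ValueError(f"RID {rid} -> {xid} is outside {dom} range {lo}-{hi}")
    return xid
```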