[Samba] Understanding idmap config

Rowland Penny rpenny at samba.org
Fri Feb 3 16:20:14 UTC 2017


On Fri, 3 Feb 2017 17:06:07 +0100
basti via samba <samba at lists.samba.org> wrote:

> Hello,
> In my Samba NT4 I have some low UIDs. Rowland Penny suggested setting them
> higher. So far OK.
> 
> I configured my AD member as follows:
> 
> # Default ID mapping configuration for local BUILTIN accounts
> # and groups on a domain member. The default (*) domain:
> # - must not overlap with any domain ID mapping configuration!
> # - must use a read-write-enabled back end, such as tdb.
> idmap config * : backend = tdb
> idmap config * : range = 1000-6999
> 
> 
> # idmap config for the SAMDOM domain
> idmap config foo:backend = ad
> idmap config foo:schema_mode = rfc2307
> idmap config foo:range = 7000-999999
> 
> After I flush the cache with "net cache flash" I can see the same uid
> on my member as on my AD DC. So far OK, that is what I want.
> 
> The uid I see from LDAP is 1007.
> 
> What does the config * mean?
> Why can I see a user with uid 1007 from the domain when the domain starts at
> 7000?
> 


The '*' domain is for what is known as the 'Well Known SIDs' and
anything not in the 'FOO' domain.
See here for the Well Known SIDs:

https://support.microsoft.com/en-us/help/243330/well-known-security-identifiers-in-windows-operating-systems

You don't really need to see them, they are (mostly) not needed on a
Unix machine.

Rowland


