[Samba] Classicupgrade : was id mapping

Rowland Penny rpenny at samba.org
Mon Feb 20 13:30:40 UTC 2017

On Mon, 20 Feb 2017 12:40:00 +0000
Rowland Penny via samba <samba at lists.samba.org> wrote:

> Well it would, Domain Users seems to have the gidNumber '513' and this
> is lower than your lower domain setting '4000'

I am beginning to wonder if upgrading an NT4-style PDC to a DC is a
good idea.

Linux starts its normal user base at '1000' (and yes, Red Hat used to
start at 500) and it has been like this for a long time. Samba allowed
Domain user & group RIDs to be used for u/gidNumbers; this was a stupid
idea in my opinion.

'Domain Users' is 513 
'Domain Admins' is 512

So we now have the problem that a user is trying to set up an 'idmap
config' line in smb.conf on a domain member, he is going to have to
use something like this:

	idmap config DOMAIN: range = 500-999999

Which means that he cannot have any local Unix users at all, so what
happens if something goes wrong with Samba on that domain member and
root login is disabled except at the console and the console isn't
easily accessible?

Should we be recommending setting up a new domain instead of upgrading
the old PDC, or changing any low u/gidNumbers??? or what???
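
The range trade-off raised in the message above, as an added example that is not part of the original post or of Samba itself: it reads the 'idmap config DOMAIN : range' line from smb.conf text and reports which directory u/gidNumbers fall outside the range and which local accounts fall inside it. The smb.conf fragments, passwd lines, the 'staff' entry and the function names are constructed for illustration.

```python
import re

# Constructed sample data; none of it comes from the poster's systems.
CONF_HIGH = "[global]\n\tidmap config DOMAIN : range = 4000-999999\n"
CONF_LOW = "[global]\n\tidmap config DOMAIN: range = 500-999999\n"
# /etc/passwd-style lines for local accounts (read the file, not getent,
# so winbind-provided users are not counted as local).
PASSWD = (
    "root:x:0:0:root:/root:/bin/bash\n"
    "daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\n"
    "localadmin:x:1000:1000:Local Admin:/home/localadmin:/bin/bash\n"
)
# u/gidNumbers stored in the directory; 512/513 are the RID-derived values
# from the thread, 'staff' is a constructed entry.
DOMAIN_IDS = {"Domain Admins": 512, "Domain Users": 513, "staff": 10000}

RANGE_RE = re.compile(
    r"^\s*idmap config\s+(\S+?)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)",
    re.IGNORECASE | re.MULTILINE,
)

def idmap_range(conf, domain):
    """Return (low, high) of 'idmap config DOMAIN : range' in smb.conf text."""
    for name, low, high in RANGE_RE.findall(conf):
        if name.upper() == domain.upper():
            return int(low), int(high)
    raise KeyError(f"no idmap range configured for {domain}")

def audit(conf, domain, domain_ids, passwd):
    """Return (domain names outside the range, local accounts inside it)."""
    low, high = idmap_range(conf, domain)
    unmapped = sorted(n for n, i in domain_ids.items() if not low <= i <= high)
    local = {}
    for line in passwd.splitlines():
        fields = line.split(":")
        if len(fields) >= 4:
            local[fields[0]] = (int(fields[2]), int(fields[3]))
    # A local account clashes if its uid or primary gid lies in the range.
    clashes = sorted(n for n, ids in local.items()
                     if any(low <= i <= high for i in ids))
    return unmapped, clashes

if __name__ == "__main__":
    for label, conf in (("4000-999999", CONF_HIGH), ("500-999999", CONF_LOW)):
        unmapped, clashes = audit(conf, "DOMAIN", DOMAIN_IDS, PASSWD)
        print(f"{label}: outside_range={unmapped} local_clashes={clashes}")
```

With the constructed data, the 4000 lower bound leaves 'Domain Admins' and 'Domain Users' outside the range, while the 500 lower bound covers them but also swallows the local account at 1000.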

