[Samba] Corrupted idmap...

Ryan Ashley ryana at reachtechfp.com
Tue Jan 17 18:14:43 UTC 2017


The NAS in question is a QNAP. Great NAS, but it was recommended to use
NIS attributes to us so we used them. How can I correct all of this
since nothing can authenticate now? Start a new domain?

Lead IT/IS Specialist
Reach Technology FP, Inc

On 01/17/2017 10:57 AM, Rowland Penny via samba wrote:
> On Tue, 17 Jan 2017 10:04:23 -0500
> Ryan Ashley via samba <samba at lists.samba.org> wrote:
> 
> Firstly, 'gencache_notrans.tdb' is a cache file and is recreated when
> Samba is restarted.
> 
>> Rowland, I was just reading over another thread on this list about the
>> inability to access group policy from client machines. The user did
>> not have the symlinks setup (I do) but one thing you mentioned was
>> using the NIS attributes to set UID/GID numbers for the domain. You
>> said we should not do this for certain users and groups, but there is
>> no mention of this in the guides to setting up an AD DC, so I have
>> always done it. We do this to make our Linux-based NAS devices work.
> 
> The only Windows group that needs a gidNumber attribute is Domain
> Users and then only when you use the winbind 'ad' backend on a domain
> member. The other Windows groups don't need a gidNumber, in fact, as
> Domain Admins needs to own directories in sysvol, you definitely
> shouldn't give this group a gidNumber.
> If you have to set up Samba this way because of your NAS, I would look
> closely at your NAS ;-)
>  
>>
>> Furthermore, you recommended the user use the idmap lines to ensure
>> consistent UID/GID numbers across devices, yet you suggested I turn
>> the exact same lines off in my config. Why is this? I understand our
>> situations are different, but when should we set winbind to use the AD
>> backend and set UID/GID numbers? How do we do this so Linux-based file
>> services can be accessed by users and come out the same?
> 
> You are mixing up idmap on a DC and a Unix domain member. On a DC,
> idmapping is done in idmap.ldb, users & groups are allocated an
> xidNumber in the '3000000' range, the number allocated is on the next
> number available basis, apart from 'Administrator', 'Domain Users' and
> 'nobody' which get '0', '100' and '65534'.
> 
> On a Unix domain member, the two main ways of setting up idmapping are
> with the winbind 'rid' and 'ad' backends. The 'rid' backend calculates
> an ID from the windows RID, so you don't have to add anything to AD.
> This means that whilst, by using the 'rid' backend, you will get the
> same ID on every Unix domain member, it will still be different from
> the ID on a DC (and the ID will probably be different on other DCs).
> 
> The only way to get the same ID everywhere is to use the 'ad' backend.
> If you give a user a uidNumber and run 'net cache flush', this will be
> used instead of the xidNumber without modifying smb.conf in any way.
> On a Unix domain member it is different, you need to add something
> like this:
> 
>     idmap config *:backend = tdb
>     idmap config *:range = 2000-9999
>     ## map ids from the domain  the ranges may not overlap !
>     idmap config SAMDOM : backend = ad
>     idmap config SAMDOM : schema_mode = rfc2307
>     idmap config SAMDOM : range = 10000-999999
> 
> Now provided that the uidNumber attributes you have added are between
> 10000 and 999999 AND you have given Domain Users a gidNumber in the
> same range, getent will display info for your users.
> 
> Now somebody (and I know who) recommended adding those lines to the
> smb.conf, but they do nothing on a DC, well they didn't until 4.5.0
> came out and then they started causing errors, so bottom line, don't add
> them to a Samba AD DC smb.conf.
> 
> Rowland
> 
> 
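The rules Rowland lays out above (idmap ranges must not overlap, with the 'ad' backend every uidNumber/gidNumber has to sit inside the domain's range, Domain Admins should not carry a gidNumber, and a DC's smb.conf should have no idmap config lines at all) can be checked mechanically before winbind is restarted. The script below is an added example written for this page; it is not Samba's code and was not posted by anyone in the thread. The smb.conf text and the uid/gid values are constructed; the domain name SAMDOM is the one used in the thread, and the 'rid' backend formula (ID = RID + LOW_RANGE_ID) is taken from the idmap_rid(8) man page.

```python
"""Validate the idmap configuration of a Samba smb.conf against the rules
given in the thread.  Added example for this page, not Samba's own code;
the sample smb.conf text and the uid/gid numbers below are constructed."""
import re
from typing import Dict, List, Optional, Tuple

# Constructed: a Unix domain member smb.conf using the idmap block from the thread.
MEMBER_SMB_CONF = """
[global]
    workgroup = SAMDOM
    security = ADS
    idmap config *:backend = tdb
    idmap config *:range = 2000-9999
    ## map ids from the domain  the ranges may not overlap !
    idmap config SAMDOM : backend = ad
    idmap config SAMDOM : schema_mode = rfc2307
    idmap config SAMDOM : range = 10000-999999
"""

IDMAP_RE = re.compile(
    r"^\s*idmap\s+config\s+(?P<dom>[^\s:]+)\s*:\s*(?P<key>\w+)\s*=\s*(?P<val>.+?)\s*$",
    re.IGNORECASE)
ROLE_RE = re.compile(r"^\s*server\s+role\s*=\s*(?P<role>.+?)\s*$", re.IGNORECASE)


def parse_idmap(conf: str) -> Tuple[Dict[str, Dict[str, str]], str]:
    """Return ({DOMAIN: {key: value}}, server role); '#'/';' comment lines are skipped."""
    domains: Dict[str, Dict[str, str]] = {}
    role = ""
    for line in conf.splitlines():
        stripped = line.strip()
        if not stripped or stripped[0] in "#;":
            continue
        m = IDMAP_RE.match(line)
        if m:
            domains.setdefault(m["dom"].upper(), {})[m["key"].lower()] = m["val"]
            continue
        r = ROLE_RE.match(line)
        if r:
            role = r["role"].lower()
    return domains, role


def parse_range(val: str) -> Tuple[int, int]:
    """'10000-999999' -> (10000, 999999)."""
    lo, hi = (int(x) for x in val.split("-", 1))
    return lo, hi


def rid_to_id(rid: int, range_low: int) -> int:
    """The 'rid' backend mapping (ID = RID + LOW_RANGE_ID, per idmap_rid(8)):
    the same on every member with the same range, but unrelated to the DC's xidNumber."""
    return range_low + rid


def find_problems(conf: str,
                  uids: Optional[Dict[str, int]] = None,
                  gids: Optional[Dict[str, int]] = None) -> List[str]:
    """uids/gids: {name: uidNumber / gidNumber} values you have set in AD."""
    problems: List[str] = []
    domains, role = parse_idmap(conf)
    uids, gids = uids or {}, gids or {}

    # Rule 1: idmap config lines do nothing on a DC and cause errors from 4.5.0 on.
    if "active directory domain controller" in role and domains:
        problems.append("idmap config lines present in an AD DC smb.conf; remove them")

    # Rule 2: the ranges may not overlap.
    ranges = {d: parse_range(c["range"]) for d, c in domains.items() if "range" in c}
    ordered = sorted(ranges.items(), key=lambda kv: kv[1])
    for (d1, (lo1, hi1)), (d2, (lo2, hi2)) in zip(ordered, ordered[1:]):
        if lo2 <= hi1:
            problems.append(f"ranges overlap: {d1} {lo1}-{hi1} and {d2} {lo2}-{hi2}")

    # Rule 3: with the 'ad' backend every uidNumber/gidNumber must be inside that domain's range.
    for d, c in domains.items():
        if c.get("backend", "").lower() == "ad" and d in ranges:
            lo, hi = ranges[d]
            for kind, table in (("uidNumber", uids), ("gidNumber", gids)):
                for name, n in table.items():
                    if not lo <= n <= hi:
                        problems.append(f"{kind} {n} of '{name}' is outside {d} range {lo}-{hi}")

    # Rule 4: Domain Admins must own sysvol directories on the DC; don't give it a gidNumber.
    if any(name.lower() == "domain admins" for name in gids):
        problems.append("Domain Admins has a gidNumber; it should not")
    return problems


if __name__ == "__main__":
    for p in find_problems(MEMBER_SMB_CONF, {"ryan": 10001}, {"Domain Users": 10000}):
        print(p)
```

Feed it the real smb.conf and the uidNumber/gidNumber values pulled from AD (for instance via ldbsearch on the DC); an empty list means the member configuration is consistent with the quoted advice, while a uidNumber in the DC's 3000000 xidNumber range, an overlapping '*' range, or a gidNumber on Domain Admins each come back as a named problem.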