[Samba] Corrupted idmap...

Rowland Penny rpenny at samba.org
Thu Jan 19 16:12:29 UTC 2017


On Thu, 19 Jan 2017 08:32:02 -0500
Ryan Ashley via samba <samba at lists.samba.org> wrote:

> OK, so since it appears our only recourse is to build a new domain
> from scratch, how can we prevent this from happening again? We have
> several Gentoo workstations, a bunch of Windows 7 workstations, and a
> few NAS devices which run Linux of some flavor. How do we use NIS
> attributes without killing our domain? The Samba guide even has
> instructions for using ADUC to set the UID/GID for users and groups.
> You stated I should only set a GID for "Domain Users", but what about
> other AD security groups we create? This is a tad confusing since I
> thought NIS was needed for our Linux systems and the NAS devices.
> 

OK, if you use the winbind 'ad' backend on Unix domain members, you
need to give the Windows group, that the users' 'primaryGroupID'
attribute points to, a gidNumber. The 'primaryGroupID' usually points
to '513', which is the RID for Domain Users. If you do not give the
user's primary group a gidNumber, the winbind 'ad' backend will ignore
all users, even if you have given every user a uidNumber.
This is the only group that you must give a gidNumber to if you're
using the winbind 'ad' backend on Unix domain members.

If you don't use the winbind 'ad' backend, then you do not need to add
anything to users and groups in AD.

If you do use the winbind 'ad' backend, then any of the Well Known SIDs
will be mapped via the '*' domain lines in smb.conf on the domain
members.

If you create any users or groups and you want them to be visible on
Unix domain members, you will need to give them a uidNumber or
gidNumber.

Some people give Domain Admins a gidNumber, I cannot advise doing this.
This is because Windows has the concept of a group owning directories
and files. On Unix, only a user can own directories and files and Domain
Admins needs to own directories in sysvol.

I hope this helps, but as always, any questions, just ask.

Rowland
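An audit of the two rules in Rowland's reply, added here as an example and not part of the thread: it parses a simplified LDIF dump (assumed to contain no folded or base64 lines; the constructed sample stands in for `ldbsearch`/`ldapsearch` output) and reports every user with a uidNumber whose primary group carries no gidNumber, plus a Domain Admins group that has been given one. The Domain Admins RID 512 is assumed here, it is not stated in the thread.

```python
from collections import defaultdict

DOMAIN_ADMINS_RID = 512  # well-known RID; assumed here for the extra check

# Constructed sample in the shape of an ldbsearch/ldapsearch dump (no folded or
# base64 lines). "Domain Users" (RID 513) deliberately lacks a gidNumber and
# "Domain Admins" deliberately has one, so both rules from the reply trip.
SAMPLE_LDIF = """\
dn: CN=alice,CN=Users,DC=example,DC=com
objectClass: user
sAMAccountName: alice
uidNumber: 10001
primaryGroupID: 513

dn: CN=Domain Users,CN=Users,DC=example,DC=com
objectClass: group
objectSid: S-1-5-21-1-2-3-513

dn: CN=Domain Admins,CN=Users,DC=example,DC=com
objectClass: group
objectSid: S-1-5-21-1-2-3-512
gidNumber: 10512
"""

def parse_ldif(text):
    """Split a simple blank-line separated LDIF dump into attr -> values dicts."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = defaultdict(list)
        for line in block.splitlines():
            attr, _, val = line.partition(": ")
            entry[attr].append(val)
        entries.append(entry)
    return entries

def audit(text):
    """Return findings as strings; an empty list means both rules hold."""
    entries = parse_ldif(text)
    # Index groups by RID, the last dash-separated component of objectSid.
    groups = {int(e["objectSid"][0].rsplit("-", 1)[1]): e
              for e in entries if "group" in e["objectClass"]}
    findings = []
    for e in entries:
        if "user" not in e["objectClass"] or "uidNumber" not in e:
            continue  # not a user, or not meant to appear on Unix members
        rid = int(e["primaryGroupID"][0])
        if "gidNumber" not in groups.get(rid, {}):
            findings.append(f"{e['sAMAccountName'][0]}: primary group RID {rid} "
                            "has no gidNumber, winbind 'ad' will ignore this user")
    if "gidNumber" in groups.get(DOMAIN_ADMINS_RID, {}):
        findings.append("Domain Admins has a gidNumber (it must own sysvol directories)")
    return findings
```

Run `audit()` over a real dump of your users and groups before switching domain members to the 'ad' backend; an empty result means the primary-group rule is satisfied.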
