[Samba] Samba 4.6.5-Debian, authentication on a mix workgroup+domain
L.P.H. van Belle
belle at bazuin.nl
Mon Jul 31 10:11:40 UTC 2017
In addition.
You may write anything you want, but.
I would suggest the following, based on:
https://www.debian.org/doc/debian-policy/ch-opersys.html#s9.2.2
Your "MYDOMAIN" range is in a danger zone, and the * range is in a reserved range.
In my opinion, it's better to fix this now the best you can, which means re-applying the user/group rights.
This is why I use this layout on all my servers.
Idmap config *: backend = tdb
Idmap config *: range = 1999-9999
Idmap config MYDOMAIN: backend = ad
Idmap config MYDOMAIN: range = 10000-99999
All ranges are in a safe range. ( depending on the size of AD / number of users/groups )
By default samba AD starts at 10000, so I matched that also.
I know this is a pain in the .... But (lol, still funny).. ;-)
The longer you wait, the more problems you will hit in the future.
And.. What Rowland did say.. ;-)
Greetz,
Louis
> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> Rowland Penny via samba
> Sent: Monday 31 July 2017 12:04
> To: samba at lists.samba.org
> Subject: Re: [Samba] Samba 4.6.5-Debian, authentication on
> a mix workgroup+domain
>
> On Mon, 31 Jul 2017 11:38:23 +0200
> Marc-Henri Pamiseux via samba <samba at lists.samba.org> wrote:
>
> > Hi Louis,
> >
> > Must the default idmap values precede the idmap values of the
> > MYDOMAIN domain? May I write something like:
> > Idmap config *: backend = tdb
> > Idmap config *: range = 65000-65535
> > Idmap config MYDOMAIN: backend = ad
> > Idmap config MYDOMAIN: range = 500-3999
>
> You can do it like that, in fact quite a lot of people do,
> but what happens when you have got to user ID 64999 and you
> want to add another user. It is easy to raise the last number
> in the 'MYDOMAIN' range, but the ranges must not overlap.
>
> >
> > I think there is a problem in using nobody for the guest account
> > directive while its user ID is 65534.
>
> Well spotted, somebody, somewhere made a bad decision when
> they gave that ID to 'nobody'. You will just have to work around it.
>
> >
> > As Rowland mentioned on 2017-07-25:
> > "You now need to give your users a gidNumber containing the Unix ID
> > number of a group and the group would have to have a gidNumber
> > attribute containing the same number."
> >
> > So, does it mean that user nobody whose gidNumber is
> > "nogroup:x:65534:" needs to be included in this mapping? Should it be
> > as default mapping or as domain mapping?
>
> No, 'nobody' is a Unix user and Samba maps the Windows user
> 'Guest' to 'nobody'
>
> Rowland
>
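
Added example, not part of the thread or of Samba: a small checker for the two points raised above, that idmap ranges must not overlap and that a local account such as nobody (65534) can sit inside a range. The function names and the passwd sample are constructed for illustration; the idmap lines are the ones quoted in the question.

```python
import re

# Matches lines such as "idmap config MYDOMAIN : range = 500-3999".
RANGE_RE = re.compile(
    r"^\s*idmap\s+config\s+(\S+?)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)\s*$", re.I)

PROPOSED = """\
Idmap config *: backend = tdb
Idmap config *: range = 65000-65535
Idmap config MYDOMAIN: backend = ad
Idmap config MYDOMAIN: range = 500-3999
"""
# Constructed /etc/passwd sample; "alice" is a made-up local user.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000::/home/alice:/bin/bash
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
"""

def parse_idmap_ranges(conf_text):
    """Return {domain: (low, high)} for each 'idmap config X : range' line."""
    ranges = {}
    for line in conf_text.splitlines():
        m = RANGE_RE.match(line)
        if m:
            low, high = int(m.group(2)), int(m.group(3))
            if low > high:
                raise ValueError(f"inverted range for {m.group(1)}")
            ranges[m.group(1)] = (low, high)
    return ranges

def overlapping_ranges(ranges):
    """Return pairs of domains whose ID ranges share at least one ID."""
    items = sorted(ranges.items())
    return [(a, b) for i, (a, (alo, ahi)) in enumerate(items)
            for b, (blo, bhi) in items[i + 1:] if alo <= bhi and blo <= ahi]

def local_ids_in_ranges(ranges, passwd_text):
    """Return [(name, uid, domain)] for passwd entries inside an idmap range."""
    hits = []
    for line in passwd_text.splitlines():
        f = line.split(":")
        if len(f) >= 3 and f[2].isdigit():
            hits += [(f[0], int(f[2]), d) for d, (lo, hi)
                     in sorted(ranges.items()) if lo <= int(f[2]) <= hi]
    return hits

if __name__ == "__main__":
    r = parse_idmap_ranges(PROPOSED)
    print(overlapping_ranges(r), local_ids_in_ranges(r, PASSWD))
```

To check a live system, pass the contents of your own smb.conf and /etc/passwd instead of the embedded samples.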