[Samba] Samba 4.6.5-Debian, authentication on a mix workgroup+domain

L.P.H. van Belle belle at bazuin.nl
Mon Jul 31 10:11:40 UTC 2017


In addition. 

You may write anything you want, but. 

I would suggest the following, based on: 
https://www.debian.org/doc/debian-policy/ch-opersys.html#s9.2.2 

Your "MYDOMAIN" range is in a danger zone, and the * range is in a reserved range.

In my opinion, it's better to fix this now as best you can, which means re-applying the user/group rights. 
This is why I use this layout on all my servers. 
Idmap config *: backend = tdb
Idmap config *: range = 1999-9999
Idmap config MYDOMAIN: backend = ad
Idmap config MYDOMAIN: range = 10000-99999

All ranges are in a safe range. ( depending on the size of AD / number of users/groups ) 
By default Samba AD starts at 10000, so I matched that also. 

I know this is a pain in the .... But (lol, still funny)..  ;-)

The longer you wait, the more problems you will hit in the future.


And.. What Rowland did say..  ;-) 

Greetz, 

Louis


> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of 
> Rowland Penny via samba
> Sent: Monday 31 July 2017 12:04
> To: samba at lists.samba.org
> Subject: Re: [Samba] Samba 4.6.5-Debian, authentication on 
> a mix workgroup+domain
> 
> On Mon, 31 Jul 2017 11:38:23 +0200
> Marc-Henri Pamiseux via samba <samba at lists.samba.org> wrote:
> 
> > Hi Louis,
> > 
> > Must the default idmap values precede the idmap values of the 
> > MYDOMAIN domain? May I write something like:
> > Idmap config *: backend = tdb
> > Idmap config *: range = 65000-65535
> > Idmap config MYDOMAIN: backend = ad
> > Idmap config MYDOMAIN: range = 500-3999
> 
> You can do it like that, in fact quite a lot of people do, 
> but what happens when you have got to user ID 64999 and you 
> want to add another user. It is easy to raise the last number 
> in the 'MYDOMAIN' range, but the ranges must not overlap.
> 
> > 
> > I think there is a problem in using nobody for the guest account 
> > directive while its user ID is 65534.
> 
> Well spotted, somebody, somewhere made a bad decision when 
> they gave that ID to 'nobody'. You will just have to work around it.
> 
> > 
> > As Rowland mentioned on 2017-07-25:
> > "You now need to give your users a gidNumber containing the Unix ID 
> > number of a group and the group would have to have a gidNumber 
> > attribute containing the same number."
> > 
> > So, does it mean that user nobody, whose gidNumber is 
> > "nogroup:x:65534:", needs to be included in this mapping? 
> > Should it be as default mapping or as domain mapping?
> 
> No, 'nobody' is a Unix user and Samba maps the Windows user 
> 'Guest' to 'nobody'
> 
> Rowland
> 
> 
> 
> 
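An added check, not from this thread or from Samba itself, for the two points made above: idmap ranges must not overlap each other, and they should stay clear of the IDs Debian reserves (including 65534 for nobody/nogroup). It parses the `idmap config ... : range` lines from an smb.conf excerpt; the reserved-ID table is my transcription of the Debian policy section linked above, and both smb.conf samples are constructed.

```python
import re

# Reserved UID/GID ranges as I read Debian policy 9.2.2 (assumption: transcribed,
# not taken from this thread). The 1000-59999 user range is deliberately absent.
RESERVED = [
    (0, 99, "statically allocated by Debian"),
    (100, 999, "dynamically allocated system users/groups"),
    (60000, 64999, "reserved by Debian"),
    (65000, 65533, "reserved"),
    (65534, 65534, "nobody/nogroup"),
    (65535, 65535, "must not be used (16-bit -1)"),
]

# Matches e.g. "Idmap config MYDOMAIN : range = 10000-99999" (keys are case-insensitive).
RANGE_RE = re.compile(
    r"^\s*idmap\s+config\s+(\S+?)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)", re.IGNORECASE)

# Constructed samples: the layout proposed in the quoted mail, and a clean one.
BAD_CONF = """[global]
Idmap config *: backend = tdb
Idmap config *: range = 65000-65535
Idmap config MYDOMAIN: backend = ad
Idmap config MYDOMAIN: range = 500-3999
"""
GOOD_CONF = """[global]
Idmap config *: backend = tdb
Idmap config *: range = 3000-7999
Idmap config MYDOMAIN: backend = ad
Idmap config MYDOMAIN: range = 10000-59999
"""

def parse_idmap_ranges(smb_conf_text):
    """Return {domain: (low, high)} for every idmap range line found."""
    ranges = {}
    for line in smb_conf_text.splitlines():
        m = RANGE_RE.match(line)
        if m:
            ranges[m.group(1)] = (int(m.group(2)), int(m.group(3)))
    return ranges

def overlaps(a, b):
    """True when the inclusive ranges a and b share at least one ID."""
    return a[0] <= b[1] and b[0] <= a[1]

def check_idmap(smb_conf_text):
    """List every overlap between domains and every collision with RESERVED."""
    ranges = parse_idmap_ranges(smb_conf_text)
    problems = []
    doms = sorted(ranges)
    for i, d1 in enumerate(doms):
        for d2 in doms[i + 1:]:
            if overlaps(ranges[d1], ranges[d2]):
                problems.append(f"overlap: {d1} {ranges[d1]} and {d2} {ranges[d2]}")
    for dom, rng in ranges.items():
        for lo, hi, why in RESERVED:
            if overlaps(rng, (lo, hi)):
                problems.append(f"{dom} range {rng} hits reserved {lo}-{hi} ({why})")
    return problems
```

Running `check_idmap(BAD_CONF)` flags the 65534 nobody collision (among others) and `check_idmap(GOOD_CONF)` returns an empty list; an overlapping pair such as `*` 1000-5000 with MYDOMAIN 4000-9000 is reported as an overlap.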
