[Samba] two domain members, different groupIDs

Rowland Penny rpenny at samba.org
Thu Jun 22 08:44:01 UTC 2017


On Thu, 22 Jun 2017 10:12:41 +0200
"Stefan G. Weichinger via samba" <samba at lists.samba.org> wrote:

> 1)
> 
> 	idmap config mydomain:schema_mode = rfc2307
> 	idmap config mydomain:range = 10000-99999
> 	idmap config mydomain:backend = rid
> 	idmap config *:range = 2000-9999
> 	idmap config * : backend = tdb
> 
> # wbinfo --group-info=domänen-benutzer
> domänen-benutzer:x:10513:
> 
> 2)
> 
> 	idmap config * : range = 10001-20000
> 	idmap config domain : backend = rid
> 	idmap config domain : range = 10000-20000
> 	idmap config domain : base_rid = 0
> 	idmap config * : backend = tdb
> 
> # wbinfo --group-info=domänen-benutzer
> domänen-benutzer:x:10008:
> 
> 
> I understand/assume that the different idmap configs might cause the
> mismatch in the mapped(?) groupids.

Oh definitely

> 
> Can I fix that without breaking things?

If your users have files stored on the domain members, probably not.

> 
> On which server?
> 

Both!

Your 'idmap config' block on ALL Unix domain members needs to be
something like this:

	idmap config * : backend = tdb
	idmap config *:range = 2000-9999
	idmap config domain : backend = rid
	idmap config domain : range = 10000-99999

Your Samba versions are not new enough to use 'idmap config
mydomain:schema_mode = rfc2307' and you wouldn't use it with the 'rid'
backend.

This is deprecated: 'idmap config domain : base_rid = 0' because '0' is
the default.

If you use something like the above on all Unix domain members, you
will always get the same IDs because the 'rid' backend calculates the
ID from the RID.

Rowland
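
An added example, not part of the original message and not Samba code: a small Python check that parses the 'idmap config' lines quoted in this thread, flags overlapping ID ranges, and applies the formula documented in idmap_rid(8), ID = RID - BASE_RID + LOW_RANGE_ID. It assumes 'domänen-benutzer' is the Domain Users group with the well-known RID 513; the function names are hypothetical.

```python
import re

DOMAIN_USERS_RID = 513  # assumption: well-known RID of "Domain Users"

# Constructed sample inputs: the idmap lines quoted in the thread.
MEMBER_1 = """
idmap config mydomain:schema_mode = rfc2307
idmap config mydomain:range = 10000-99999
idmap config mydomain:backend = rid
idmap config *:range = 2000-9999
idmap config * : backend = tdb
"""
MEMBER_2 = """
idmap config * : range = 10001-20000
idmap config domain : backend = rid
idmap config domain : range = 10000-20000
idmap config domain : base_rid = 0
idmap config * : backend = tdb
"""
RECOMMENDED = """
idmap config * : backend = tdb
idmap config *:range = 2000-9999
idmap config domain : backend = rid
idmap config domain : range = 10000-99999
"""
LINE = re.compile(r"^\s*idmap config\s+(\S+?)\s*:\s*(\w+)\s*=\s*(\S+)\s*$")

def parse_idmap(text):
    """Return {domain: {option: value}} for every 'idmap config' line."""
    cfg = {}
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            cfg.setdefault(m.group(1), {})[m.group(2)] = m.group(3)
    return cfg

def id_range(opts):
    low, high = opts["range"].split("-")
    return int(low), int(high)

def rid_to_id(opts, rid):
    """idmap_rid formula; returns None when the result leaves the range."""
    low, high = id_range(opts)
    unix_id = rid - int(opts.get("base_rid", 0)) + low
    return unix_id if low <= unix_id <= high else None

def overlaps(cfg):
    """Domain pairs whose ID ranges intersect (ranges must not overlap)."""
    doms = sorted(cfg)
    return [(a, b) for i, a in enumerate(doms) for b in doms[i + 1:]
            if id_range(cfg[a])[0] <= id_range(cfg[b])[1]
            and id_range(cfg[b])[0] <= id_range(cfg[a])[1]]
```

For the first member the formula gives 10513, matching the wbinfo output above. For the second member it also gives 10513 rather than the reported 10008, and `overlaps` reports that the `*` and `domain` ranges intersect.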




