[Samba] idmap_ad overlap with domain and sub-domain overlap
Rowland Penny
rpenny at samba.org
Wed Apr 18 14:38:25 UTC 2018
On Wed, 18 Apr 2018 10:02:53 -0400
Wvu Hpc via samba <samba at lists.samba.org> wrote:
> Hello,
>
> We are in the process of providing access to an AD-connected master domain
> and one of its subdomains to one of our SAMBA 4.6.2 file-share servers.
> The samba server is a member of the MASTER domain. The problem is we
> have cases where the same person has an account in both the master
> domain and the sub domain (long story and we know it is not a good
> practice but something I am powerless to change). The person (see
> example below for further clarity) has the same unix attributes set
> in both the domain and sub-domain. When you run testparm it
> complains of having the range overlap but the config seems to be
> working OK. Is there any reason we should not go forward with this
> config or should we push back and make the users in the subdomain
> have different uid and gid numbers from the master domain? The
> benefit of having the same uid and gid is we don't have to worry
> about changing file ownership if a user moves between domains.
>
> Example:
>
> MASTER\user : uidNumber = 10000 : gidNumber = 10000
> SUB\user : uidNumber = 10000 : gidNumber = 10000
>
> SMB Config:
>
> # Global parameters
> [global]
> workgroup = MASTER
> winbind use default domain = Yes
> idmap config MASTER:schema_mode = rfc2307
> idmap config MASTER:range = 9000-5000000000
> idmap config MASTER:default = yes
> idmap config MASTER:backend = ad
> idmap config SUB:schema_mode = rfc2307
> idmap config SUB:range = 9000-5000000000
> idmap config SUB:backend = ad
> idmap config * : backend = tdb
> idmap config *:range = 3000-8999
>
Firstly, you cannot use 'winbind use default domain = Yes' if you have
more than one domain in smb.conf.
Secondly, as you already know, you cannot use the same range for both
domains. Yes, I know that some of the users have the same uidNumber in
both domains, but what about the ones that don't?
I would remove the 'winbind use default domain' line and then use the
'rid' backend for the 'SUB' domain with a different range:
idmap config SUB:range = 5000000001-10000000000
idmap config SUB:backend = rid
This will probably entail changing the ownership of files and dirs.
You say you have no control of the domains, but I would be having
words with whoever does have control, mentioning words like 'stupid'
and 'idiot' ;-)
Rowland
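The two problems raised in the reply above (overlapping idmap ranges, and `winbind use default domain` with more than one domain configured) are both visible in the smb.conf text itself, so they can be caught before running testparm. The following checker is an added example, not code from the thread or from the Samba project; it parses `idmap config` lines, reports any pair of domains whose ranges intersect, and flags the default-domain conflict. It also flags a range bound larger than a 32-bit uid_t can hold (4294967295), which is a check the thread does not make; the domain names, backends and ranges are constructed copies of the configs quoted in the thread.

```python
import re

UID_MAX = 2**32 - 1  # largest value a 32-bit uid_t / gid_t can hold

# Constructed copy of the configuration quoted in the question (not a real file).
ORIGINAL_CONF = """
[global]
workgroup = MASTER
winbind use default domain = Yes
idmap config MASTER:schema_mode = rfc2307
idmap config MASTER:range = 9000-5000000000
idmap config MASTER:default = yes
idmap config MASTER:backend = ad
idmap config SUB:schema_mode = rfc2307
idmap config SUB:range = 9000-5000000000
idmap config SUB:backend = ad
idmap config * : backend = tdb
idmap config *:range = 3000-8999
"""

# Constructed copy of the same config with the changes suggested in the reply.
FIXED_CONF = """
[global]
workgroup = MASTER
idmap config MASTER:schema_mode = rfc2307
idmap config MASTER:range = 9000-5000000000
idmap config MASTER:default = yes
idmap config MASTER:backend = ad
idmap config SUB:range = 5000000001-10000000000
idmap config SUB:backend = rid
idmap config * : backend = tdb
idmap config *:range = 3000-8999
"""

IDMAP_RE = re.compile(r"^\s*idmap config\s+([^:\s]+)\s*:\s*(\w+)\s*=\s*(.*?)\s*$",
                      re.IGNORECASE | re.MULTILINE)
RANGE_RE = re.compile(r"^\s*(\d+)\s*-\s*(\d+)\s*$")
DEFAULT_DOMAIN_RE = re.compile(r"^\s*winbind use default domain\s*=\s*(\S+)",
                               re.IGNORECASE | re.MULTILINE)


def parse_idmap(conf):
    """Return {domain: {option: value}} for every 'idmap config X:opt = val' line."""
    domains = {}
    for dom, opt, val in IDMAP_RE.findall(conf):
        domains.setdefault(dom, {})[opt.lower()] = val
    return domains


def parse_range(text):
    """Turn '9000-5000000000' into (9000, 5000000000); raise on malformed input."""
    m = RANGE_RE.match(text)
    if not m:
        raise ValueError("bad idmap range: %r" % text)
    lo, hi = int(m.group(1)), int(m.group(2))
    if lo > hi:
        raise ValueError("idmap range low > high: %r" % text)
    return lo, hi


def find_overlaps(domains):
    """List every pair of domains whose idmap ranges intersect (the testparm complaint)."""
    ranges = {d: parse_range(o["range"]) for d, o in domains.items() if "range" in o}
    names = sorted(ranges)
    overlaps = []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            alo, ahi = ranges[a]
            blo, bhi = ranges[b]
            if alo <= bhi and blo <= ahi:  # closed intervals intersect
                overlaps.append((a, b))
    return overlaps


def check_conf(conf):
    """Run all checks on an smb.conf text and return the findings as a dict."""
    domains = parse_idmap(conf)
    real_domains = [d for d in domains if d != "*"]
    m = DEFAULT_DOMAIN_RE.search(conf)
    default_on = bool(m) and m.group(1).lower() in ("yes", "true", "1")
    too_big = sorted(d for d, o in domains.items()
                     if "range" in o and parse_range(o["range"])[1] > UID_MAX)
    return {
        "overlaps": find_overlaps(domains),
        # 'winbind use default domain' is only safe with a single domain configured
        "default_domain_conflict": default_on and len(real_domains) > 1,
        "exceeds_uid_max": too_big,
    }


if __name__ == "__main__":
    for label, conf in (("original", ORIGINAL_CONF), ("fixed", FIXED_CONF)):
        print(label, check_conf(conf))
```

Running it on the original config reports the MASTER/SUB overlap and the default-domain conflict; on the fixed config both disappear. Both configs still use upper bounds above 4294967295, which no 32-bit uid_t can represent, so the checker lists MASTER and SUB under `exceeds_uid_max` in both cases; trimming the ranges to fit uid_t is a separate decision from the non-overlap fix the reply describes.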