[Samba] idmap_ad overlap with domain and sub-domain overlap
rpenny at samba.org
Wed Apr 18 15:13:32 UTC 2018
On Wed, 18 Apr 2018 10:52:12 -0400
Wvu Hpc <wvu.hpc at gmail.com> wrote:
> Hi Rowland,
> Thanks for the help and ideally I would like to get rid of the sub
> domain all together but that is probably not going to happen.
> So couple comments and please forgive any of my ignorance.
> For your second question, all users in the subdomain who have access
> to the SAMBA server do have uidNumber set and it matches the
> uidNumber set in MASTER. Since this is the case, would the
> overlapping ranges be OK? I saw this post (
> and thought it might indicate it is OK but was not sure?
Yes I know what it says there, but 'man idmap_ad' still says the ranges
mustn't overlap (okay, is says 'disjoint', but this the same thing)
> For 'winbind use default domain = Yes' I thought this would assume the
> default domain for ssh logins as being the master since I have "idmap
> config MASTER:default = yes". Appears to work as it allows users to
> login without having to specify a domain. Although, if a user from
> the SUB domain logs in they must specify the SUB\user to login. Is
> that incorrect? If I remove use default = yes, users of MASTER must
> also specify their domain during login ... at least that is how it
> seemed during testing?
Setting 'winbind use default domain = yes' means that all your users
will be treated as being members of the 'MASTER' domain, now this might
seem to work for you, but I think it is going to end in tears ;-)
When it comes down to it, they are your domains and you can do as you
wish, all I can say is that I would find another of doing it.
More information about the samba