[Samba] idmap_ad overlap with domain and sub-domain overlap

Wvu Hpc wvu.hpc at gmail.com
Wed Apr 18 15:15:57 UTC 2018


Thanks Rowland ... I am going to follow your guidance and push towards having
a different range for the sub domain.  Much appreciate your responses!

On Wed, Apr 18, 2018 at 11:13 AM, Rowland Penny via samba <
samba at lists.samba.org> wrote:

> On Wed, 18 Apr 2018 10:52:12 -0400
> Wvu Hpc <wvu.hpc at gmail.com> wrote:
>
> > Hi Rowland,
> >
> > Thanks for the help and ideally I would like to get rid of the sub
> > domain all together but that is probably not going to happen.
> >
> > So a couple of comments and please forgive any of my ignorance.
>
> No problem.
>
> >
> > For your second question, all users in the subdomain who have access
> > to the SAMBA server do have uidNumber set and it matches the
> > uidNumber set in MASTER.  Since this is the case, would the
> > overlapping ranges be OK?  I saw this post (
> > https://lists.samba.org/archive/samba-technical/2016-December/117567.html)
> > and thought it might indicate it is OK but was not sure?
>
> Yes I know what it says there, but 'man idmap_ad' still says the ranges
> mustn't overlap (okay, it says 'disjoint', but this is the same thing)
>
> >
> > For 'winbind use default domain = Yes' I thought this would assume the
> > default domain for ssh logins as being the master since I have "idmap
> > config MASTER:default = yes".  Appears to work as it allows users to
> > login without having to specify a domain.  Although, if a user from
> > the SUB domain logs in they must specify the SUB\user to login.  Is
> > that incorrect?  If I remove use default = yes, users of MASTER must
> > also specify their domain during login ... at least that is how it
> > seemed during testing?
> >
>
> Setting 'winbind use default domain = yes' means that all your users
> will be treated as being members of the 'MASTER' domain, now this might
> seem to work for you, but I think it is going to end in tears ;-)
>
> When it comes down to it, they are your domains and you can do as you
> wish, all I can say is that I would find another way of doing it.
>
> Rowland


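A check for the "disjoint ranges" requirement discussed in this thread, as an added example that is not part of the original messages or of Samba itself. It parses the `idmap config DOMAIN : range` lines of an smb.conf and reports every pair of domains whose ranges overlap; the domain names come from the thread, while the ranges and the `*` default domain entry are constructed sample values.

```python
import re
from itertools import combinations

# Constructed smb.conf fragment: domain names from the thread, ranges made up.
SAMPLE_CONF = """
[global]
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    idmap config MASTER : backend = ad
    idmap config MASTER : range = 10000-999999
    idmap config SUB : backend = ad
    idmap config SUB : range = 500000-1999999
"""

RANGE_RE = re.compile(
    r"^\s*idmap\s+config\s+(\S+?)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)\s*$",
    re.IGNORECASE,
)

def parse_idmap_ranges(conf_text):
    """Return {DOMAIN: (low, high)} for every 'idmap config DOM : range' line."""
    ranges = {}
    for line in conf_text.splitlines():
        if line.lstrip().startswith(("#", ";")):
            continue  # skip commented-out settings
        m = RANGE_RE.match(line)
        if m:
            low, high = int(m.group(2)), int(m.group(3))
            if low > high:
                raise ValueError(f"inverted range for {m.group(1)}: {low}-{high}")
            ranges[m.group(1).upper()] = (low, high)
    return ranges

def find_overlaps(ranges):
    """Return (dom_a, dom_b, (lo, hi)) for each pair of non-disjoint ranges."""
    overlaps = []
    for (a, (alo, ahi)), (b, (blo, bhi)) in combinations(sorted(ranges.items()), 2):
        lo, hi = max(alo, blo), min(ahi, bhi)
        if lo <= hi:  # the two closed intervals share at least one id
            overlaps.append((a, b, (lo, hi)))
    return overlaps

if __name__ == "__main__":
    for a, b, (lo, hi) in find_overlaps(parse_idmap_ranges(SAMPLE_CONF)):
        print(f"OVERLAP {a} / {b}: ids {lo}-{hi} claimed by both")
```
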