[Samba] wbinfo -U id gives different users on same dc

Rowland Penny rpenny at samba.org
Tue Feb 13 14:20:00 UTC 2018


On Tue, 13 Feb 2018 15:52:13 +0200
Özkan Göksu <ozkan.goksu at usishi.com> wrote:

> Thank you for reply Rowland.
> 
> Sorry for my typo. I intended to change sm--to-->test but I forgot to
> change other lines.
> So my original config is below:
> 
>         workgroup = sm
> >         realm = sm.pvt
> >         server string = %h Test Host
> >         security = ads
> >         encrypt passwords = yes
> >         idmap config sm.pvt : backend = ad
> >         idmap config sm.pvt : range = 10000-20000
> >         idmap config sm.pvt : schema_mode = rfc2307
> >         idmap config * : range = 8000-9000
> 
> 
> Honestly I am not sure about using ads backend at all. I have read
> samba documents. As rid backend uses a local database and it may get
> corrupted, I chose ad backend.
> On the other hand I should not install any extensions on Windows
> Active Directory server. Samba documents tell something about
> installing unix extensions but as far as I see this is not a must for
> ads.
> 
> So it would be best if someone could help me understand rid
> vs ads. I suspect my problem depends on it.
> 

OK, if you cannot add anything to AD, then you cannot use the winbind
'ad' backend, so you will have to use the 'rid' backend.

The 'rid' backend does not use a local database, it uses the AD
database. The user's (or group's) ID is calculated from the AD objectsid,
this will be in the form:

S-1-5-21-1768301897-3342589593-1064908849-2130

The last portion is the RID '2130' and is unique in the domain, the
rest identifies the domain.

The winbind 'rid' calculates the ID from the RID and the lower range
you set in AD with this calculation:

ID = RID - BASE_RID + LOW_RANGE_ID

BASE_RID is 0, so it is really:

ID = RID + LOW_RANGE_ID

So, using your lower range and the RID from above, it becomes

ID = 2130 + 10000

ID = 12130

If you use the same smb.conf on all Unix domain members in the domain,
you will always get the same Unix ID.

Rowland
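
The calculation described in the reply above, as an added example (not part of the original post and not Samba's code). It applies ID = RID - BASE_RID + LOW_RANGE_ID to the SID and the 10000-20000 range from the thread, and goes slightly further by decoding the binary form of objectSid. The function names, the RID 10001 case and the 20000-30000 range are constructed for illustration, and treating out-of-range results as unmapped is an assumption.

```python
import struct

def parse_sid(sid):
    """Split a textual SID into (domain part, RID)."""
    parts = sid.split("-")
    if len(parts) < 4 or parts[:2] != ["S", "1"]:
        raise ValueError(f"not a SID: {sid!r}")
    return "-".join(parts[:-1]), int(parts[-1])

def sid_from_bytes(raw):
    """Decode a binary objectSid: revision, sub-authority count,
    6-byte big-endian authority, then little-endian 32-bit sub-authorities."""
    revision, count = raw[0], raw[1]
    if len(raw) != 8 + 4 * count:
        raise ValueError("SID length does not match sub-authority count")
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack(f"<{count}I", raw[8:])
    return "-".join(["S", str(revision), str(authority), *map(str, subs)])

def rid_to_unix_id(sid, low, high, base_rid=0):
    """ID = RID - BASE_RID + LOW_RANGE_ID; None when outside low..high
    (assumption: out-of-range results are left unmapped)."""
    _, rid = parse_sid(sid)
    unix_id = rid - base_rid + low
    return unix_id if low <= unix_id <= high else None

def unix_id_to_rid(unix_id, low, base_rid=0):
    """Inverse of the formula: RID = ID + BASE_RID - LOW_RANGE_ID."""
    return unix_id + base_rid - low

# SID taken from the post; the binary form is constructed from it here.
PAGE_SID = "S-1-5-21-1768301897-3342589593-1064908849-2130"
RAW_SID = bytes([1, 5]) + (5).to_bytes(6, "big") + struct.pack(
    "<5I", 21, 1768301897, 3342589593, 1064908849, 2130)

if __name__ == "__main__":
    sid = sid_from_bytes(RAW_SID)
    print(sid, "->", rid_to_unix_id(sid, 10000, 20000))   # range from the post
    # Constructed case: same domain, RID 10001 overflows the 10000-20000 range.
    big = parse_sid(PAGE_SID)[0] + "-10001"
    print(big, "->", rid_to_unix_id(big, 10000, 20000))
    # Constructed case: a member with a different low range gets a different ID.
    print(PAGE_SID, "->", rid_to_unix_id(PAGE_SID, 20000, 30000))
```

The last two cases show why the range matters: a range that is too narrow leaves high RIDs without an ID, and a domain member configured with a different low range maps the same account to a different Unix ID.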


