[Samba] wbinfo -U id gives different users on same dc

Özkan Göksu ozkan.goksu at usishi.com
Wed Feb 14 14:30:07 UTC 2018


RID solved my problem. But while reading the docs I saw new things and I
changed my smb.conf completely.
I have read almost every parameter but I'm still not 100% sure.
Can you do me a last favor?
Can you please tell me whether I have any problems with the new smb.conf?

Kernel: Linux 4.14.13-1-ARCH
Filesystem: zfs-linux 0.7.5.4.14.13.1-1

Thank you so much for your help.

---------------------
[global]
    netbios name = DEV1
    server string = %h Test Host
    workgroup = SM
    realm = SM.PVT
    security = ADS
    server role = member server

    idmap config *: backend = tdb
    idmap config *: range = 90000001-100000000

    winbind cache time = 7200
    winbind offline logon = yes
    winbind enum users = yes
    winbind enum groups = yes
    winbind nested groups = yes
    winbind use default domain = yes
    winbind refresh tickets = yes

    idmap config SM: backend = rid
    idmap config SM: range = 20000-90000000

    encrypt passwords = yes
    dns proxy = no
    strict locking = Auto
    oplocks = yes
    deadtime = 15

    logging = file
    max log size = 51200
    log level = 2

    load printers = no
    printing = bsd
    printcap name = /dev/null
    disable spoolss = yes

    unix charset = UTF-8
    case sensitive = auto

    guest account = nobody
    map to guest = Bad User
    obey pam restrictions = yes
    ntlm auth = no
    allow trusted domains = no
    client ntlmv2 auth = yes

    kernel change notify = yes
    panic action = /usr/bin/samba-backtrace
    dns update command = /usr/sbin/samba_dnsupdate
    acl allow execute always = true
    dos filemode = yes
    multicast dns register = no
    domain logons = no
    client use spnego = yes

    local master = no
    domain master = no
    preferred master = no

    template shell = /bin/sh
    template homedir = /home/%D/%U


    socket options = TCP_NODELAY IPTOS_LOWDELAY SO_KEEPALIVE
    min receivefile size = 16384

    max xmit = 65536
    max open files = 232040
    strict sync = no

[test]
    comment = test
    path = /ssdhavuz/test
    guest ok = no
    browseable = yes
    writeable = yes
    hide dot files = yes
    veto files = /.snapshot/.windows/.mac/.zfs/
    use sendfile = no
    acl group control = yes
    map acl inherit = yes
    inherit owner = yes
    inherit permissions = yes
    inherit acls = yes
    vfs objects = acl_xattr streams_xattr aio_pthread
    acl_xattr:ignore system acls = yes
    aio_pthread:aio num threads = 500





2018-02-13 16:20 GMT+02:00 Rowland Penny via samba <samba at lists.samba.org>:

> On Tue, 13 Feb 2018 15:52:13 +0200
> Özkan Göksu <ozkan.goksu at usishi.com> wrote:
>
> > Thank you for reply Rowland.
> >
> > Sorry for my typo. I intended to change sm--to-->test but I forgot to
> > change other lines.
> > So my original config is below:
> >
> >         workgroup = sm
> > >         realm = sm.pvt
> > >         server string = %h Test Host
> > >         security = ads
> > >         encrypt passwords = yes
> > >         idmap config sm.pvt : backend = ad
> > >         idmap config sm.pvt : range = 10000-20000
> > >         idmap config sm.pvt : schema_mode = rfc2307
> > >         idmap config * : range = 8000-9000
> >
> >
> > Honestly I am not sure about using the ads backend at all. I have read
> > the samba documents. As the rid backend uses a local database and it may
> > get corrupted, I chose the ad backend.
> > On the other hand I should not install any extensions on the Windows
> > Active Directory server. The Samba documents say something about
> > installing unix extensions but as far as I see this is not a must for
> > ads.
> >
> > So it would be best if someone could help me understanding about rid
> > vs ads. I suspect my problem depends on it.
> >
>
> OK, if you cannot add anything to AD, then you cannot use the winbind
> 'ad' backend, so you will have to use the 'rid' backend.
>
> The 'rid' backend does not use a local database, it uses the AD
> database. The user's (or group's) ID is calculated from the AD objectsid,
> this will be in the form:
>
> S-1-5-21-1768301897-3342589593-1064908849-2130
>
> The last portion is the RID '2130' and is unique in the domain, the
> rest identifies the domain.
>
> The winbind 'rid' calculates the ID from the RID and the lower range
> you set in AD with this calculation:
>
> ID = RID - BASE_RID + LOW_RANGE_ID
>
> BASE_RID is 0, so it is really:
>
> ID = RID + LOW_RANGE_ID
>
> So, using your lower range and the RID from above, it becomes
>
> ID = 2130 + 10000
>
> ID = 12130
>
> If you use the same smb.conf on all Unix domain members in the domain,
> you will always get the same Unix ID.
>
> Rowland
>
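
The rid calculation quoted above, as an added example that is not part of the thread or of Samba's code: it splits a SID into domain part and RID, applies ID = RID - BASE_RID + LOW_RANGE_ID, and reports no mapping when the result falls above the configured range. The function names are hypothetical; the SID and both pairs of ranges are the ones posted in this thread, and the RID 15000 is a constructed value.

```python
import re

# Domain account SID: S-1-5-21-<three domain sub-authorities>-<RID>
SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+-\d+$")

def split_sid(sid):
    """Return (domain_sid, rid) for a domain account SID."""
    if not SID_RE.match(sid):
        raise ValueError(f"not a domain account SID: {sid!r}")
    domain_sid, _, rid = sid.rpartition("-")
    return domain_sid, int(rid)

def rid_to_id(rid, low, high, base_rid=0):
    """ID = RID - BASE_RID + LOW_RANGE_ID, or None if outside low..high."""
    unix_id = rid - base_rid + low
    if rid < base_rid or unix_id > high:
        return None  # no mapping: the range is too small for this RID
    return unix_id

def id_to_rid(unix_id, low, high, base_rid=0):
    """Reverse mapping: RID = ID + BASE_RID - LOW_RANGE_ID."""
    if not low <= unix_id <= high:
        return None
    return unix_id + base_rid - low

def ranges_overlap(a, b):
    """True if two inclusive (low, high) idmap ranges share any ID."""
    return a[0] <= b[1] and b[0] <= a[1]

if __name__ == "__main__":
    sid = "S-1-5-21-1768301897-3342589593-1064908849-2130"  # SID from the thread
    _, rid = split_sid(sid)
    old_sm = (10000, 20000)        # range in the earlier config
    new_sm = (20000, 90000000)     # "idmap config SM: range" in the new config
    default = (90000001, 100000000)  # "idmap config *: range" in the new config
    print("old range:", rid_to_id(rid, *old_sm))
    print("new range:", rid_to_id(rid, *new_sm))
    # Constructed RID that does not fit the old 10000-20000 range.
    print("RID 15000, old range:", rid_to_id(15000, *old_sm))
    print("SM and * overlap:", ranges_overlap(new_sm, default))
```

Because the ID depends only on the RID and the low end of the range, changing the range in smb.conf changes every user's Unix ID, so files already owned by the old IDs need their ownership rechecked.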

