[Samba] idmap limit?
Rowland Penny
rpenny at samba.org
Tue Jan 16 17:19:44 UTC 2018
On Tue, 16 Jan 2018 17:49:55 +0100
Andreas Hauffe via samba <samba at lists.samba.org> wrote:
>
>
> On 16.01.2018 at 17:26, Rowland Penny via samba wrote:
> > On Tue, 16 Jan 2018 16:54:17 +0100
> > Andreas Hauffe via samba <samba at lists.samba.org> wrote:
> >
> >> Ok, you are completely right. Here are the real numbers with
> >> changed user names:
> >>
> >> drwx------ 43 DOM\user1 DOM\domain-user 4096 Jan 10 08:00 user1
> >> drwx------ 5 DOM\user2 DOM\domain-user 4096 Jan 11 08:13 user2
> >> drwx------ 92 DOM\user3 DOM\domain-user 4096 Jan 16 08:39 user3
> >> drwx------ 3 133265 DOM\domain-user 4096 Sep 7 2015 user4
> >> drwx------ 7 470055 DOM\domain-user 4096 Apr 30 2013 user5
> >> drwx------ 12 DOM\user6 DOM\domain-user 4096 Jan 4 12:46 user6
> >> drwx------ 51 DOM\user7 DOM\domain-user 4096 Jan 15 23:01 user7
> >> drwx------ 2 95092 DOM\domain-user 4096 Jul 1 2015 user8
> >> drwx------ 3 DOM\user9 DOM\domain-user 4096 Jun 8 2015 user9
> >> ....
> >> drwx------ 7 DOM\user200 DOM\domain-user 4096 Nov 6 2012 user200
> >>
> >> > wbinfo --uid-info=133265
> >> failed to call wbcGetpwuid: WBC_ERR_DOMAIN_NOT_FOUND
> >> Could not get info for uid 133265
> >>
> >> > wbinfo -i DOM\\user4
> >> DOM\user4:*:133265:10513::/home/user4:/bin/bash
> >>
> >> After the last command (wbinfo -i DOM\\user4), "wbinfo
> >> --uid-info=133265" also shows the correct result and the "ls -l"
> >> listing also shows the user name instead of the uid.
> >>
> >>
> > One thing I have spotted:
> >
> > /etc/krb5.conf should be:
> >
> > [libdefaults]
> > default_realm = DOM2.DOM.TU-DRESDEN.DE
> > dns_lookup_realm = false
> > dns_lookup_kdc = true
> >
> > What is 'DOM2' ?
> > Is it a trusted domain ?
> >
> > As I said, you are using the 'rid' backend and adding users to AD
> > shouldn't affect how winbind works. Your user 'user4' must have the
> > RID '123265' and so should be available as a Unix user.
> >
> > I take it that the Unix domain member is using the DC as its DNS
> > nameserver.
> >
> > Rowland
> >
> Actually, it should be and is "DOM2.DOM.EXAMPLE.DE". And this domain
> (DOM2) is a subdomain of DOM.EXAMPLE.DE (bidirectional transitive
> trust). At our university we have a parent domain "DOM.EXAMPLE.DE"
> where all the user accounts are held/administered. Every department
> has a subdomain for its services. In our example case
> "DOM2.DOM.EXAMPLE.DE". The client and so the member server are members
> of "DOM2.DOM.EXAMPLE.DE". But most of the users are from
> "DOM.EXAMPLE.DE".
>
> And I checked, the RID of the user4 is 123265.
>
> Yes, the DC (actually both DCs) is the DNS of the Unix member server.
>
Everything seems to be okay, the only thing that jumps to mind is time,
are all the machines set to the same time plus or minus a few minutes ?
Rowland