[Samba] idmap limit?

insrc informatique.src at gmail.com
Fri Jan 19 10:50:02 UTC 2018


Hi Andreas,

I'm sorry to jump on your thread as I can't really help you here.
But as I have to set up an AD subdomain of a parent domain with the same
requirements as yours apparently (aka parent domain managed by Windows
server holds users/groups accounts on a distant location but the compute
resources and the GPO will be managed locally under a subdomain), I'm just
wondering if you find any good documentation to help you set up your AD
subdomain and if there's any gotcha to be aware of please :-) ?

I'm new to this and it seems that the official wiki doesn't have a lot of
information on the current state of the "trust relationship" support on
Samba 4 or on how to set up a subdomain of a parent domain.

Thanks a lot
Regards,



On Tue, Jan 16, 2018 at 5:49 PM, Andreas Hauffe via samba <
samba at lists.samba.org> wrote:

>
>
> On 16.01.2018 at 17:26, Rowland Penny via samba wrote:
>
>> On Tue, 16 Jan 2018 16:54:17 +0100
>> Andreas Hauffe via samba <samba at lists.samba.org> wrote:
>>
>>> Ok, you are completely right. Here are the real numbers with changed
>>> user names:
>>>
>>> drwx------ 43 DOM\user1    DOM\domain-user  4096 Jan 10 08:00 user1
>>> drwx------  5 DOM\user2    DOM\domain-user  4096 Jan 11 08:13 user2
>>> drwx------ 92 DOM\user3    DOM\domain-user  4096 Jan 16 08:39 user3
>>> drwx------  3 133265       DOM\domain-user  4096 Sep  7  2015 user4
>>> drwx------  7 470055       DOM\domain-user  4096 Apr 30  2013 user5
>>> drwx------ 12 DOM\user6    DOM\domain-user  4096 Jan  4 12:46 user6
>>> drwx------ 51 DOM\user7    DOM\domain-user  4096 Jan 15 23:01 user7
>>> drwx------  2 95092        DOM\domain-user  4096 Jul  1  2015 user8
>>> drwx------  3 DOM\user9    DOM\domain-user  4096 Jun  8  2015 user9
>>> ....
>>> drwx------  7 DOM\user200  DOM\domain-user  4096 Nov  6  2012 user200
>>>
>>>    > wbinfo --uid-info=133265
>>> failed to call wbcGetpwuid: WBC_ERR_DOMAIN_NOT_FOUND
>>> Could not get info for uid 133265
>>>
>>>    > wbinfo -i DOM\\user4
>>> DOM\user4:*:133265:10513::/home/user4:/bin/bash
>>>
>>> After the last command (wbinfo -i DOM\\user4) also "wbinfo
>>> --uid-info=133265" shows the correct result and the "ls -l" list also
>>> list the user name instead of the uid.
>>>
>>>
>> One thing I have spotted:
>>
>> /etc/krb5.conf should be:
>>
>> [libdefaults]
>>       default_realm = DOM2.DOM.TU-DRESDEN.DE
>>       dns_lookup_realm = false
>>       dns_lookup_kdc = true
>>
>> What is 'DOM2' ?
>> Is it a trusted domain ?
>>
>> As I said, you are using the 'rid' backend and adding users to AD
>> shouldn't affect how winbind works. Your user 'user4' must have the RID
>> '123265' and so should be available as a Unix user.
>>
>> I take it that the Unix domain member is using the DC as its DNS
>> nameserver.
>>
>> Rowland
>>
> Actually, it should be and is "DOM2.DOM.EXAMPLE.DE". And this domain
> (DOM2) is a subdomain of DOM.EXAMPLE.DE (bidirectional transitive trust).
> At our university we have a parent domain "DOM.EXAMPLE.DE" where all the
> user accounts are held/administered. Every department has a subdomain for
> their services. In our example case "DOM2.DOM.EXAMPLE.DE". The client and
> so the member server are members of "DOM2.DOM.EXAMPLE.DE". But most of the
> users are from "DOM.EXAMPLE.DE".
>
> And I checked, the RID of the user4 is 123265.
>
> Yes, the DC (actually both DCs) is the dns of the unix member server.
>
>
> --
> Best regards
> Andreas Hauffe
> Head of the research field "Design Methods for Aircraft"
>
> ------------------------------------------------------------
> ----------------------------------------
> Technische Universität Dresden
> Institut für Luft- und Raumfahrttechnik / Institute of Aerospace
> Engineering
> Lehrstuhl für Luftfahrzeugtechnik / Chair of Aircraft Engineering
>
> D-01062 Dresden
> Germany
>
> phone : +49 (351) 463 38496
> fax :  +49 (351) 463 37263
> mail : andreas.hauffe at tu-dresden.de
> Website : http://tu-dresden.de/mw/ilr/lft
> ------------------------------------------------------------
> ----------------------------------------
> Do you know our free laminate analysis code eLamX²? If not, please visit
> the following web address:
> http://www.elamx.de
>
>
>
>
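Added example, not part of the original thread: a small diagnostic that scans an `ls -l` listing for owners shown as bare numbers (IDs that did not resolve to a name) and inverts the idmap_rid formula `ID = RID - BASE_RID + LOW_RANGE_ID` to get the RID to look up in AD. The idmap range `10000-999999` and `base_rid = 0` are assumptions; the low bound is consistent with the thread's uid 133265 for RID 123265, and the listing is a constructed sample modelled on the quoted one.

```python
import re

# Assumed idmap settings for the domain (not shown in the thread):
#   idmap config DOM : backend = rid
#   idmap config DOM : range = 10000-999999
LOW, HIGH, BASE_RID = 10000, 999999, 0

# Constructed sample, modelled on the listing quoted in the thread.
LS_OUTPUT = r"""
drwx------ 43 DOM\user1 DOM\domain-user 4096 Jan 10 08:00 user1
drwx------  3 133265    DOM\domain-user 4096 Sep  7  2015 user4
drwx------  7 470055    DOM\domain-user 4096 Apr 30  2013 user5
drwx------  2 95092     DOM\domain-user 4096 Jul  1  2015 user8
drwx------  2 1001      DOM\domain-user 4096 Jul  1  2015 local
"""

# perms, link count, owner, group, size, month, day, time-or-year, name
LINE = re.compile(r"^\S+\s+\d+\s+(?P<owner>\S+)\s+(?P<group>\S+)\s+\d+\s+"
                  r"\S+\s+\d+\s+\S+\s+(?P<name>.+)$")

def uid_to_rid(uid):
    """Invert ID = RID - BASE_RID + LOW; None if the ID is outside the range."""
    if not LOW <= uid <= HIGH:
        return None
    return uid - LOW + BASE_RID

def unresolved_owners(listing):
    """Return (entry, uid, rid) for each entry whose owner is a bare number,
    i.e. an ID that did not resolve to a name when ls ran."""
    found = []
    for line in listing.strip().splitlines():
        m = LINE.match(line)
        if m and m["owner"].isdigit():
            uid = int(m["owner"])
            found.append((m["name"], uid, uid_to_rid(uid)))
    return found

if __name__ == "__main__":
    for name, uid, rid in unresolved_owners(LS_OUTPUT):
        where = f"RID {rid}" if rid is not None else "outside idmap range"
        print(f"{name}: uid {uid} -> {where}")
```

An ID reported as outside the range was not allocated by this idmap configuration at all, so it points at a local account or a different domain's range rather than at a winbind lookup problem.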

