[Samba] idmap limit?

insrc informatique.src at gmail.com
Thu Jan 25 08:30:53 UTC 2018

On Fri, Jan 19, 2018 at 12:40 PM, Andreas Hauffe via samba <
samba at lists.samba.org> wrote:

> Hi,

Hi Andreas,
My apologies for being so late to thank you for your helpful tips :-/ I
was a bit busy @ work and forgot to stay up to date with the mailing list

> yes, there are some things. But I have not found a nice complete
> documentation.
It's at least nice to know that this kind of basic trust relationship works
and seems to work relatively well (if I'm not mistaken) :-)
The little bit of info about trust relationship support on the wiki is a
bit more scary

> One main point is the domain name as prefix of the username of the parent
> domain, e.g. "DOM\user1", you have to use. I was not able to get rid of it,
> as the client is member of the subdomain which is the default. So you can't
> use the "default domain" option in smb.conf. The backslash in the user name
> is a problem for some software, but other signs can be also a problem for
> other software.
> In krb5.conf you need a [realm] section, with rewrites (auth_to_local)
> rule for the principal names to local user names. All is quite simple, if
> you know the fact. Only with that you get kerberized services running.
> On Debian 9 file server (member server of the domain) I was not able to
> get NFS4 with Kerberos working until I changed from the default rpc.svcgssd
> to gssproxy for the NFS service. The first was working for subdomain user,
> but in case of parent domain user the rpc.svcgssd process got to 100% CPU
> load and a soft lockup of the kernel. With gssproxy and no other changes all
> is fine.
> These few things took me a lot of time.
> Andreas

Thanks a lot! I really appreciate it.
Hope that I'll be able to add some information about this on the wiki as
soon as I get to testing this feature :-)

