[Samba] Tracing the consequences of overlapped id mappings
Taner Tas
taner76 at gmail.com
Tue Jul 24 14:43:44 UTC 2018
Hi,
I'm trying to find out the consequences of overlapped idmap settings that
were used with 4.3.11 DCs. I'm about to upgrade these DCs to version 4.8.
Before deploying the new DCs, I want to make sure that any side effects
regarding the idmap settings will be left behind.
# ldbsearch -H /var/lib/samba/private/idmap.ldb | grep xidNumber \
| cut -d' ' -f2 | sort
0
100
3000000
3000001
3000002
3000003
3000004
3000005
3000006
3000007
3000008
3000009
3000010
3000011
.
.
3000180
3000181
3000182
3000183
3000184
3000185
3000186
3000187
3000188
65534
So, the xidNumber values start at 3000000, except for 0, 100 and 65534, which
are the expected values for Administrator, the Users group and nobody. Since
all the other IDs are in a regular sequence (and there are no duplicates), can
we conclude that the DCs didn't respect the idmap range settings at all? So
can I continue to use the same idmap.ldb file after discarding all the idmap
config settings without any worry?
# cat /etc/samba/smb.conf
[global]
workgroup = TESTDOMAIN
realm = TESTDOMAIN.LOCAL.TLD
netbios name = DC1
server role = active directory domain controller
server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
tls enabled = yes
tls keyfile = tls/key.pem
tls certfile = tls/cert.pem
tls cafile = tls/ca.pem
idmap_ldb:use rfc2307 = yes
idmap config *:backend = tdb
idmap config *:range = 10000-99999
idmap config TESTDOMAIN : backend = ad
idmap config TESTDOMAIN : range = 10000-99999
idmap config TESTDOMAIN : schema_mode = rfc2307
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes
winbind nested groups = yes
winbind nss info = rfc2307
winbind refresh tickets = yes
winbind offline logon = true
template homedir = /home/%D/%U
template shell = /bin/false
ntlm auth = yes
client use spnego = yes
client ntlmv2 auth = yes
encrypt passwords = yes
restrict anonymous = 2
log file = /var/log/samba/samba.log
vfs objects = acl_xattr
map acl inherit = yes
store dos attributes = yes
[netlogon]
path = /var/lib/samba/sysvol/testdomain.local.tld/scripts
read only = No
[sysvol]
path = /var/lib/samba/sysvol
read only = No
Thanks.
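The check above (comparing the xidNumber values in idmap.ldb with the ranges in smb.conf) can be scripted, and doing so avoids two traps in the one-liner: a plain `sort` orders the ids lexically (which is why 65534 appears after 3000188 in the dump), and `cut -d' ' -f2` on unsorted ldif silently relies on single-space separators. The script below is an added example, not code from the original post or from the Samba project. It works on constructed samples embedded inline (an ldbsearch-style dump with a deliberate duplicate id, and a config fragment copied from the poster's idmap lines); on a real DC you would pipe in the output of `ldbsearch -H /var/lib/samba/private/idmap.ldb` and your `/etc/samba/smb.conf` instead. The range 3000000-4000000000 it also checks against is the default lowerBound/upperBound stored in the CN=CONFIG record that `samba-tool domain provision` writes into idmap.ldb.

```sh
#!/bin/sh
# Added example, not code from the original post.  Audits the xidNumber
# values in an idmap.ldb dump against the "idmap config <dom> : range" lines
# of smb.conf.  Both inputs are constructed samples so the script runs
# offline; replace them with the real ldbsearch output and smb.conf.

# Constructed ldbsearch-style output.  Only the xidNumber attribute matters;
# the duplicate 3000001 is deliberate, to exercise the duplicate detector
# (the poster's real dump has no duplicates).  SIDs are made up.
SAMPLE_LDB='dn: CN=S-1-5-21-1-2-3-500
objectSid: S-1-5-21-1-2-3-500
type: ID_TYPE_BOTH
xidNumber: 0

dn: CN=S-1-5-21-1-2-3-513
xidNumber: 100

dn: CN=S-1-5-21-1-2-3-1104
xidNumber: 3000000

dn: CN=S-1-5-21-1-2-3-1105
xidNumber: 3000001

dn: CN=S-1-5-21-1-2-3-1106
xidNumber: 3000001

dn: CN=S-1-5-21-1-2-3-1107
xidNumber: 3000002

dn: CN=S-1-5-7
xidNumber: 65534'

# Constructed smb.conf fragment mirroring the poster's idmap lines.
SAMPLE_SMB_CONF='[global]
idmap config *:backend = tdb
idmap config *:range = 10000-99999
idmap config TESTDOMAIN : backend = ad
idmap config TESTDOMAIN : range = 10000-99999'

# All xidNumber values, sorted numerically (plain `sort` would order the
# text lexically and put 65534 after 3000188).
xids() {
    printf '%s\n' "$SAMPLE_LDB" | awk '$1 == "xidNumber:" { print $2 }' | sort -n
}

# Range string "LO-HI" configured for a domain name (or "*") in smb.conf.
# Tolerates optional whitespace around the colon and the equals sign.
idmap_range_for() {
    printf '%s\n' "$SAMPLE_SMB_CONF" | awk -v dom="$1" '
        /^[ \t]*idmap config/ {
            line = $0
            sub(/^[ \t]*idmap config[ \t]*/, "", line)
            n = split(line, kv, "=")
            if (n < 2) next
            key = kv[1]; val = kv[2]
            gsub(/[ \t]/, "", key); gsub(/[ \t]/, "", val)
            if (key == (dom ":range")) print val
        }'
}

# xids outside LO..HI, one per line.
xids_outside_range() {
    xids | awk -v lo="$1" -v hi="$2" '$1 + 0 < lo + 0 || $1 + 0 > hi + 0'
}

# xids that occur more than once (each printed once).
duplicate_xids() {
    xids | uniq -d
}

# Number of xids outside the range configured for DOMAIN; 0 means every
# mapping lies inside the configured range.  Returns 2 if no range is set.
count_outside_for_domain() {
    range=$(idmap_range_for "$1")
    [ -n "$range" ] || { echo "no idmap range configured for $1" >&2; return 2; }
    xids_outside_range "${range%-*}" "${range#*-}" | awk 'END { print NR }'
}

# Report for the poster's configuration: 0, 100 and every 300000x id fall
# outside 10000-99999, so that range was evidently never used for allocation.
for dom in '*' TESTDOMAIN; do
    printf 'domain %s, range %s: %s id(s) outside range\n' \
        "$dom" "$(idmap_range_for "$dom")" "$(count_outside_for_domain "$dom")"
done
printf 'duplicate xids: %s\n' "$(duplicate_xids | tr '\n' ' ')"
printf 'ids outside the idmap.ldb default range 3000000-4000000000: %s\n' \
    "$(xids_outside_range 3000000 4000000000 | tr '\n' ' ')"
```

Run it once before the upgrade and once against the new DC's idmap.ldb; if the set of ids outside the default 3000000+ range stays limited to the well-known low ids (0, 100, 65534) and `duplicate_xids` prints nothing, the file carries no mapping that the discarded smb.conf ranges could have influenced.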