[Samba] Tracing the consequences of overlapped id mappings

Taner Tas taner76 at gmail.com
Tue Jul 24 14:43:44 UTC 2018


Hi,

I'm trying to find out the consequences of the overlapping idmap settings that 
were used with our 4.3.11 DCs. I'm about to upgrade these DCs to version 4.8. 
Before deploying the new DCs, I want to make sure that any side effects 
of the idmap settings are left behind.

# NOTE: plain `sort` orders the values as strings, which is why 65534 is listed
# after 3000188 below; `sort -n` would give numeric order.
# ldbsearch -H /var/lib/samba/private/idmap.ldb | grep xidNumber \
| cut -d ' ' -f 2 | sort

0
100
3000000
3000001
3000002
3000003
3000004
3000005
3000006
3000007
3000008
3000009
3000010
3000011
.
.
3000180
3000181
3000182
3000183
3000184
3000185
3000186
3000187
3000188
65534

So, the xidNumber values start at 3000000, except for 0, 100 and 65534, which are 
the expected values for Administrator, the Users group and nobody. Since all 
other IDs are in a regular sequence (with no duplicates), can we conclude that 
the DCs didn't respect the idmap range settings at all? Can I then continue to use 
the same idmap.ldb file after discarding all idmap config settings, without 
any worry?

# cat /etc/samba/smb.conf
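[global]
        # smb.conf of the Samba AD DC "DC1" for the TESTDOMAIN.LOCAL.TLD forest.
        workgroup = TESTDOMAIN
        realm = TESTDOMAIN.LOCAL.TLD
        netbios name = DC1
        server role = active directory domain controller
        # Keep this on one line (or continue it with a trailing backslash):
        # a bare continuation line without "=" is not a valid parameter line.
        server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
        # TLS for the LDAP service; relative paths are resolved under the
        # private directory.
        tls enabled = yes
        tls keyfile = tls/key.pem
        tls certfile = tls/cert.pem
        tls cafile = tls/ca.pem

        # Use uidNumber/gidNumber (RFC2307 attributes) from the directory.
        idmap_ldb:use rfc2307 = yes
        # NOTE: the xidNumbers already allocated in idmap.ldb start at 3000000,
        # outside the 10000-99999 range configured here, so these "idmap config"
        # entries do not appear to govern the DC's own allocations. Confirm
        # against the Samba AD DC idmap documentation before relying on them,
        # and keep the same spacing style for every "idmap config" key.
        idmap config * : backend = tdb
        idmap config * : range = 10000-99999
        idmap config TESTDOMAIN : backend = ad
        idmap config TESTDOMAIN : range = 10000-99999
        idmap config TESTDOMAIN : schema_mode = rfc2307

        # Enumeration lets getent list every domain user/group; it is costly
        # on large domains and only needed if something depends on it.
        winbind enum users = yes
        winbind enum groups = yes
        winbind use default domain = yes
        winbind nested groups = yes
        winbind nss info = rfc2307
        winbind refresh tickets = yes
        # Boolean written as "yes" like the other flags (Samba also accepts "true").
        winbind offline logon = yes
        # %D = domain, %U = user; domain accounts get no login shell on the DC.
        template homedir = /home/%D/%U
        template shell = /bin/false

        # SECURITY: "ntlm auth = yes" permits NTLMv1 responses; the default since
        # Samba 4.5 is ntlmv2-only. Keep it only while a legacy client needs it
        # and re-check it as part of the 4.8 upgrade.
        ntlm auth = yes
        # The next three restate the defaults.
        client use spnego = yes
        client ntlmv2 auth = yes
        encrypt passwords = yes
        # Strictest setting: anonymous (null-session) connections are refused,
        # not merely prevented from enumerating.
        restrict anonymous = 2
        log file = /var/log/samba/samba.log
        # Keep NT ACLs and DOS attributes in xattrs; needed for the ACLs on sysvol.
        vfs objects = acl_xattr
        map acl inherit = yes
        store dos attributes = yes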

[netlogon]
        # Logon-script share, backed by the scripts directory of the SYSVOL tree.
        read only = No
        path = /var/lib/samba/sysvol/testdomain.local.tld/scripts

[sysvol]
        # SYSVOL share (group policy and logon scripts); access control relies
        # on the NT ACLs kept via the acl_xattr settings in [global].
        read only = No
        path = /var/lib/samba/sysvol

Thanks.


