[Samba] Tracing the consequences of overlapped id mappings
Rowland Penny
rpenny at samba.org
Tue Jul 24 15:04:29 UTC 2018
On Tue, 24 Jul 2018 17:43:44 +0300
Taner Tas via samba <samba at lists.samba.org> wrote:
> Hi,
>
> I'm trying to find out the consequences of overlapped idmap settings that
> were used with 4.3.11 DCs. I'm about to upgrade these DCs to the 4.8
> version. Before deploying new DCs, I want to make sure that any side
> effects regarding idmap settings will be left behind.
>
> # ldbsearch -H /var/lib/samba/private/idmap.ldb | grep xidNumber \
> | cut -d' ' -f2 | sort
>
> 0
> 100
> 3000000
> 3000001
> 3000002
> 3000003
> 3000004
> 3000005
> 3000006
> 3000007
> 3000008
> 3000009
> 3000010
> 3000011
> .
> .
> 3000180
> 3000181
> 3000182
> 3000183
> 3000184
> 3000185
> 3000186
> 3000187
> 3000188
> 65534
>
> So, the xidNumber values start at 3000000, except for 0, 100 and 65534, which are
> the expected values for Administrator, the Users group and nobody. Since all
> other IDs are in a regular sequence (and there are no duplicates), can we conclude
> that the DCs didn't respect the idmap range settings at all? So can I
> continue to use the same idmap.ldb file after discarding all idmap config
> settings without any worry?
>
> # cat /etc/samba/smb.conf
> [global]
> workgroup = TESTDOMAIN
> realm = TESTDOMAIN.LOCAL.TLD
> netbios name = DC1
> server role = active directory domain controller
> server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc,
> drepl, winbindd, ntp_signd, kcc, dnsupdate
> tls enabled = yes
> tls keyfile = tls/key.pem
> tls certfile = tls/cert.pem
> tls cafile = tls/ca.pem
>
> idmap_ldb:use rfc2307 = yes
> idmap config *:backend = tdb
> idmap config *:range = 10000-99999
> idmap config TESTDOMAIN : backend = ad
> idmap config TESTDOMAIN : range = 10000-99999
> idmap config TESTDOMAIN : schema_mode = rfc2307
> winbind enum users = yes
> winbind enum groups = yes
> winbind use default domain = yes
> winbind nested groups = yes
> winbind nss info = rfc2307
> winbind refresh tickets = yes
> winbind offline logon = true
> template homedir = /home/%D/%U
> template shell = /bin/false
> ntlm auth = yes
> client use spnego = yes
> client ntlmv2 auth = yes
> encrypt passwords = yes
> restrict anonymous = 2
> log file = /var/log/samba/samba.log
> vfs objects = acl_xattr
> map acl inherit = yes
> store dos attributes = yes
>
> [netlogon]
> path = /var/lib/samba/sysvol/testdomain.local.tld/scripts
> read only = No
>
> [sysvol]
> path = /var/lib/samba/sysvol
> read only = No
>
> Thanks.
>
You are making the same mistake that lots of people make: you are
confusing a DC smb.conf with a Unix domain member one ;-)
Or to put it another way, remove all these lines; they are either
defaults or have absolutely no place in a DC smb.conf:
tls enabled = yes
tls keyfile = tls/key.pem
tls certfile = tls/cert.pem
tls cafile = tls/ca.pem
idmap config *:backend = tdb
idmap config *:range = 10000-99999
idmap config TESTDOMAIN : backend = ad
idmap config TESTDOMAIN : range = 10000-99999
idmap config TESTDOMAIN : schema_mode = rfc2307
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes
winbind nested groups = yes
winbind nss info = rfc2307
winbind refresh tickets = yes
winbind offline logon = true
client use spnego = yes
client ntlmv2 auth = yes
encrypt passwords = yes
vfs objects = acl_xattr
map acl inherit = yes
store dos attributes = yes
idmap works differently on a DC from a Unix domain member.
Rowland