[Samba] Tracing the consequences of overlapped id mappings

Rowland Penny rpenny at samba.org
Tue Jul 24 15:04:29 UTC 2018


On Tue, 24 Jul 2018 17:43:44 +0300
Taner Tas via samba <samba at lists.samba.org> wrote:

> Hi,
> 
> I'm trying to find out the consequences of overlapped idmap settings that 
> were used with 4.3.11 DCs. I'm about to upgrade these DCs to version
> 4.8. Before deploying the new DCs, I want to make sure that any side
> effects regarding idmap settings will be left behind.
> 
> # ldbsearch -H /var/lib/samba/private/idmap.ldb | grep xidNumber \
> | cut -d' ' -f2 | sort
> 
> 0
> 100
> 3000000
> 3000001
> 3000002
> 3000003
> 3000004
> 3000005
> 3000006
> 3000007
> 3000008
> 3000009
> 3000010
> 3000011
> .
> .
> 3000180
> 3000181
> 3000182
> 3000183
> 3000184
> 3000185
> 3000186
> 3000187
> 3000188
> 65534
> 
> So, xidNumber values start at 3000000, except for 0, 100 and 65534, which are 
> the expected values for Administrator, the Users group and nobody. Since all 
> other IDs are in a regular pace (and there are no duplicates), can we conclude
> that the DCs didn't respect the idmap range settings at all? So can I
> continue to use the same idmap.ldb file after discarding all idmap config
> settings without any worry?
> 
> # cat /etc/samba/smb.conf
> [global]
>      workgroup = TESTDOMAIN
>      realm = TESTDOMAIN.LOCAL.TLD
>      netbios name = DC1
>      server role = active directory domain controller
>      server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
>      tls enabled = yes
>      tls keyfile = tls/key.pem
>      tls certfile = tls/cert.pem
>      tls cafile = tls/ca.pem
> 
>      idmap_ldb:use rfc2307 = yes
>      idmap config *:backend = tdb
>      idmap config *:range = 10000-99999
>      idmap config TESTDOMAIN : backend = ad
>      idmap config TESTDOMAIN : range = 10000-99999
>      idmap config TESTDOMAIN : schema_mode = rfc2307
>      winbind enum users = yes
>      winbind enum groups = yes
>      winbind use default domain = yes
>      winbind nested groups = yes
>      winbind nss info = rfc2307
>      winbind refresh tickets = yes
>      winbind offline logon = true
>      template homedir = /home/%D/%U
>      template shell = /bin/false
>      ntlm auth = yes
>      client use spnego = yes
>      client ntlmv2 auth = yes
>      encrypt passwords = yes
>      restrict anonymous = 2
>      log file = /var/log/samba/samba.log
>      vfs objects = acl_xattr
>      map acl inherit = yes
>      store dos attributes = yes
> 
> [netlogon]
>       path = /var/lib/samba/sysvol/testdomain.local.tld/scripts
>       read only = No
> 
> [sysvol]
>       path = /var/lib/samba/sysvol
>       read only = No
> 
> Thanks.
> 

You are making the same mistake that lots of people make: you are
confusing a DC smb.conf with a Unix domain member one ;-)

Or, to put it another way, remove all these lines; they are either
defaults or have absolutely no place in a DC smb.conf:

     tls enabled = yes
     tls keyfile = tls/key.pem
     tls certfile = tls/cert.pem
     tls cafile = tls/ca.pem

     idmap config *:backend = tdb
     idmap config *:range = 10000-99999
     idmap config TESTDOMAIN : backend = ad
     idmap config TESTDOMAIN : range = 10000-99999
     idmap config TESTDOMAIN : schema_mode = rfc2307
     winbind enum users = yes
     winbind enum groups = yes
     winbind use default domain = yes
     winbind nested groups = yes
     winbind nss info = rfc2307
     winbind refresh tickets = yes
     winbind offline logon = true
     client use spnego = yes
     client ntlmv2 auth = yes
     encrypt passwords = yes
     vfs objects = acl_xattr
     map acl inherit = yes
     store dos attributes = yes

idmap works differently on a DC from a Unix domain member.

Rowland
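To make the check in the question repeatable, here is an added Python script (not from this thread and not Samba's own code) that parses `ldbsearch` output from idmap.ldb, sorts the xidNumbers numerically (a plain `sort` orders lexically, which is why 65534 appears after 3000188 in the output above), and reports duplicate xids and xids that fall inside a configured idmap range such as 10000-99999. The LDIF sample, its SIDs, the planted duplicate and the planted 10005 entry are constructed for the demonstration.

```python
import re
from collections import defaultdict

# Constructed stand-in for `ldbsearch -H /var/lib/samba/private/idmap.ldb`
# output, trimmed to the attributes the check uses (SIDs are hypothetical;
# the duplicate and the 10005 entry are planted to exercise the checks).
SAMPLE_LDIF = "\n\n".join(
    f"dn: CN={sid}\nobjectSid: {sid}\ntype: {kind}\nxidNumber: {xid}"
    for sid, kind, xid in [
        ("S-1-5-21-1111-2222-3333-500", "ID_TYPE_BOTH", 0),          # Administrator
        ("S-1-5-21-1111-2222-3333-513", "ID_TYPE_GID", 100),         # Users group
        ("S-1-5-21-1111-2222-3333-510", "ID_TYPE_BOTH", 65534),      # nobody
        ("S-1-5-21-1111-2222-3333-1105", "ID_TYPE_UID", 3000000),
        ("S-1-5-21-1111-2222-3333-1106", "ID_TYPE_GID", 3000000),    # duplicate xid
        ("S-1-5-21-1111-2222-3333-1107", "ID_TYPE_UID", 10005),      # inside 10000-99999
    ]
)

def parse_idmap_ldif(text):
    """Return one {objectSid, type, xidNumber} dict per LDIF record that has an xid.
    Records without xidNumber (such as the CN=CONFIG entry) are skipped."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        attrs = dict(line.split(": ", 1) for line in block.splitlines()
                     if ": " in line and not line.startswith("#"))
        if "xidNumber" in attrs:
            records.append({"objectSid": attrs.get("objectSid"), "type": attrs.get("type"),
                            "xidNumber": int(attrs["xidNumber"])})
    return records

def audit_xids(records, ranges, expected=frozenset({0, 100, 65534})):
    """Sort xids numerically, flag duplicates, and flag xids that fall inside any
    configured (low, high) idmap range. `expected` holds the well-known fixed
    xids the question already accounts for, so they are exempt from the range check."""
    by_xid = defaultdict(list)
    for rec in records:
        by_xid[rec["xidNumber"]].append(rec["objectSid"])
    return {
        "sorted_xids": sorted(by_xid),
        "duplicates": {x: sids for x, sids in by_xid.items() if len(sids) > 1},
        "in_ranges": sorted(x for x in by_xid if x not in expected
                            and any(lo <= x <= hi for lo, hi in ranges)),
    }

if __name__ == "__main__":
    report = audit_xids(parse_idmap_ldif(SAMPLE_LDIF), ranges=[(10000, 99999)])
    for key, value in report.items():
        print(f"{key}: {value}")
```

On a real DC, feed it the actual `ldbsearch` output instead of SAMPLE_LDIF and pass every range from the old smb.conf; an empty `duplicates` and `in_ranges` is what you want to see before the upgrade.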
