[Samba] id map range overlap

Rowland penny rpenny at samba.org
Mon Dec 23 10:37:38 UTC 2019


On 23/12/2019 09:46, Michael Hierweck via samba wrote:
> Hi all,
>
> I'm using Samba (AD) under Debian Buster.
>
> Testparm tells me the idmap of TDB and AD would overlap.
> However the configured ranges don't.
>
> Thanks in advance,
>
> Michael
>
>
>
> # testparm
> rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
> Registered MSG_REQ_POOL_USAGE
> Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
> Load smb config files from /etc/samba/smb.conf
> rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
> Processing section "[netlogon]"
> Processing section "[sysvol]"
> Loaded services file OK.
> ERROR: The idmap range for the domain * (tdb) overlaps with the range of KLEY (ad)!
>
> Server role: ROLE_ACTIVE_DIRECTORY_DC
>
> Press enter to see a dump of your service definitions
>
> # Global parameters
> [global]
> 	dns forwarder = 192.168.100.250
> 	passdb backend = samba_dsdb
> 	realm = KLEY.HIERWECK.DE
> 	server role = active directory domain controller
> 	winbind enum groups = Yes
> 	winbind enum users = Yes
> 	winbind nss info = rfc2307
> 	workgroup = KLEY
> 	rpc_server:tcpip = no
> 	rpc_daemon:spoolssd = embedded
> 	rpc_server:spoolss = embedded
> 	rpc_server:winreg = embedded
> 	rpc_server:ntsvcs = embedded
> 	rpc_server:eventlog = embedded
> 	rpc_server:srvsvc = embedded
> 	rpc_server:svcctl = embedded
> 	rpc_server:default = external
> 	winbindd:use external pipes = true
> 	idmap config kley : range = 100-9999
> 	idmap config kley : schema_mode = rfc2307
> 	idmap config kley : unix_primary_group = yes
> 	idmap config kley : unix_nss_info = yes
> 	idmap config kley : backend = ad
> 	idmap config kley : default = yes
> 	idmap config * : range = 10000-999999999
> 	idmap_ldb:use rfc2307 = yes
> 	idmap config * : backend = tdb
> 	map acl inherit = Yes
> 	map archive = No
> 	vfs objects = acl_xattr
>
>
> [netlogon]
> 	path = /var/lib/samba/sysvol/kley.hierweck.de/scripts
> 	read only = No
>
>
> [sysvol]
> 	path = /var/lib/samba/sysvol
> 	read only = No
>
> [...]
>
Hmm, you shouldn't use 'testparm' on a Samba AD DC, you should use 
'samba-tool testparm', but having said that, perhaps it should have 
printed a better error message, something like:

You have set up your Active Directory Domain controller smb.conf 
incorrectly ;-)

If the following lines are in your smb.conf, I would suggest you remove 
them:

     passdb backend = samba_dsdb
     winbind enum groups = Yes
     winbind enum users = Yes
     winbind nss info = rfc2307
     rpc_server:tcpip = no
     rpc_daemon:spoolssd = embedded
     rpc_server:spoolss = embedded
     rpc_server:winreg = embedded
     rpc_server:ntsvcs = embedded
     rpc_server:eventlog = embedded
     rpc_server:srvsvc = embedded
     rpc_server:svcctl = embedded
     rpc_server:default = external
     winbindd:use external pipes = true
     idmap config kley : range = 100-9999
     idmap config kley : schema_mode = rfc2307
     idmap config kley : unix_primary_group = yes
     idmap config kley : unix_nss_info = yes
     idmap config kley : backend = ad
     idmap config kley : default = yes
     idmap config * : range = 10000-999999999
     map acl inherit = Yes
     map archive = No
     vfs objects = acl_xattr

Rowland
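
A small lint pass for the situation in this thread, added here as an example; it is not part of the original messages and not Samba's own code. It reads the [global] section, reports any 'idmap config' ranges that numerically overlap, and lists the parameters from the reply's removal list that are set while the server role is AD DC. The function names, the sample config and the name normalisation are assumptions made for the example.

```python
import re

# Constructed sample, cut down from the [global] dump quoted in the thread.
SAMPLE = """[global]
server role = active directory domain controller
winbind enum users = Yes
idmap config kley : range = 100-9999
idmap config * : range = 10000-999999999
idmap config * : backend = tdb
"""
# Parameter names copied from the removal list in the reply above.
REPLY_LIST = """passdb backend|winbind enum groups|winbind enum users|winbind nss info|
rpc_server:tcpip|rpc_daemon:spoolssd|rpc_server:spoolss|rpc_server:winreg|
rpc_server:ntsvcs|rpc_server:eventlog|rpc_server:srvsvc|rpc_server:svcctl|
rpc_server:default|winbindd:use external pipes|idmap config kley : range|
idmap config kley : schema_mode|idmap config kley : unix_primary_group|
idmap config kley : unix_nss_info|idmap config kley : backend|
idmap config kley : default|idmap config * : range|map acl inherit|map archive|vfs objects"""

def norm(name):
    # Lowercase, collapse whitespace, drop spaces around ':' (a simplification).
    return re.sub(r"\s*:\s*", ":", re.sub(r"\s+", " ", name.strip().lower()))
FLAGGED = {norm(n) for n in REPLY_LIST.split("|")}

def parse_global(text):
    # Return {normalised name: value} for the [global] section only.
    params, section = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("["):
            section = line.strip("[] ").lower()
        elif section == "global" and "=" in line and line[0] not in "#;":
            name, value = line.split("=", 1)
            params[norm(name)] = value.strip()
    return params

def overlapping_idmap_ranges(params):
    # Pairs of idmap domains whose inclusive ID ranges share at least one ID.
    rng = {}
    for name, value in params.items():
        dom = re.fullmatch(r"idmap config (.+):range", name)
        lim = re.fullmatch(r"(\d+)\s*-\s*(\d+)", value)
        if dom and lim:
            rng[dom.group(1)] = (int(lim.group(1)), int(lim.group(2)))
    return [(a, b) for a in rng for b in rng
            if a < b and rng[a][0] <= rng[b][1] and rng[b][0] <= rng[a][1]]

def flagged_on_dc(params):
    # Names from the reply's list that are set while the server role is AD DC.
    is_dc = params.get("server role", "").lower() == "active directory domain controller"
    return sorted(n for n in params if n in FLAGGED) if is_dc else []
```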




