[Samba] idmap problems
rpenny at samba.org
Wed Jan 2 15:12:05 UTC 2019
On Wed, 2 Jan 2019 14:42:39 +0000
Rob Mason <rob at acasta.co.uk> wrote:
> Many thanks Rowland. Yes, I don't understand idmaps, but I _think_
> I'm getting it. I have added the gid of 60002 for Domain Admins and
> undertaken some 'chgrp' tasks. I've now got a domain member with
> shares that presents the correct ownership. All looks good.
> I'm still slightly confused why I have two ranges within my member
> idmap config * : backend = tdb
> idmap config * : range = 3000-29999 ========> reserved for
> BUILTIN ??? (and '3000000' range on the DC?)
Yes & no ;-)
The '*' domain is for the BUILTIN users & groups and anything outside
the 'DOMAIN' domain, it has nothing to do with the DC ID's
> idmap config SAMDOM:backend = ad
> idmap config SAMDOM:schema_mode = rfc2307
> idmap config SAMDOM:range = 30000-99999 ========> my uid/gid
> range for SAMDOM local domain accounts ???
Yes, where 'SAMDOM' is your AD domain.
> If I only require the domain user/admin accounts, I don't understand
> the need for the first (BUILTIN?) range.
You might think you only need the 'SAMDOM' domain, but AD also needs
the '*' domain.
I do hope you are not thinking of using GPO's, you have just stopped
Domain Admins from owning things in Sysvol.
More information about the samba