[Samba] idmap problems

Rob Mason rob at acasta.co.uk
Thu Jan 3 13:16:30 UTC 2019 

> On Wed, 2 Jan 2019 14:42:39 +0000

> Rob Mason <rob at acasta.co.uk<mailto:rob at acasta.co.uk>>> wrote:

>

>> Many thanks Rowland.  Yes, I don't understand idmaps, but I _think_

>> I'm getting it. I have added the gid of 60002 for Domain Admins and

>> undertaken some 'chgrp' tasks. I've now got a domain member with

>> shares that presents the correct ownership. All looks good.

>>

>>

>>

>> I'm still slightly confused why I have two ranges within my member

>> smb.conf:

>>

>>

>>

>> idmap config * : backend = tdb

>>

>> idmap config * : range = 3000-29999       ========>> reserved for

>> BUILTIN ??? (and '3000000' range on the DC?)

>

> Yes & no ;-)

>

> The '*' domain is for the BUILTIN users & groups and anything outside

> the 'DOMAIN' domain, it has nothing to do with the DC ID's

>

>>

>>

>> idmap config SAMDOM:backend = ad

>>

>> idmap config SAMDOM:schema_mode = rfc2307

>>

>> idmap config SAMDOM:range = 30000-99999      ========>> my uid/gid

>> range for SAMDOM local domain accounts ???

>

> Yes, where 'SAMDOM' is your AD domain.

>

>>

>>

>>

>> If I only require the domain user/admin accounts, I don't understand

>> the need for the first (BUILTIN?) range.

>>

>

> You might think you only need the 'SAMDOM' domain, but AD also needs

> the '*' domain.

>

> I do hope you are not thinking of using GPO's, you have just stopped

> Domain Admins from owning things in Sysvol.

>

> Rowland

<facepalm/> Thanks Rowland - you must be getting pretty tired of my dumb questions...  The current GPO's are not critical (fortunately). Should I remove the Domain Admin gid and chgrp the ownership of the original directories back to 3000008 (original Domain Admin)?  I suspect the alternative is not a simple as chgrp'ing sysvol to the new Domain Admin gid? Or is the damage done....

Given the original age of this domain, and relatively small size, I am considering starting afresh. I was originally trying to avoid having to re-register the workstation community. This now feels like the better option.

As an aside, how do folks track domain uids/gids now that the new RSAT tools don't provide NIS??

More information about the samba mailing list