[Samba] idmap problems
Rob Mason
rob at acasta.co.uk
Thu Jan 3 13:16:30 UTC 2019
> On Wed, 2 Jan 2019 14:42:39 +0000
> Rob Mason <rob at acasta.co.uk> wrote:
>
>> Many thanks Rowland. Yes, I don't understand idmaps, but I _think_
>> I'm getting it. I have added the gid of 60002 for Domain Admins and
>> undertaken some 'chgrp' tasks. I've now got a domain member with
>> shares that presents the correct ownership. All looks good.
>>
>> I'm still slightly confused why I have two ranges within my member
>> smb.conf:
>>
>> idmap config * : backend = tdb
>> idmap config * : range = 3000-29999 ========>> reserved for
>> BUILTIN ??? (and '3000000' range on the DC?)
>
> Yes & no ;-)
>
> The '*' domain is for the BUILTIN users & groups and anything outside
> the 'DOMAIN' domain; it has nothing to do with the DC IDs.
>
>>
>> idmap config SAMDOM:backend = ad
>> idmap config SAMDOM:schema_mode = rfc2307
>> idmap config SAMDOM:range = 30000-99999 ========>> my uid/gid
>> range for SAMDOM local domain accounts ???
>
> Yes, where 'SAMDOM' is your AD domain.
>
>>
>> If I only require the domain user/admin accounts, I don't understand
>> the need for the first (BUILTIN?) range.
>>
>
> You might think you only need the 'SAMDOM' domain, but AD also needs
> the '*' domain.
>
> I do hope you are not thinking of using GPOs; you have just stopped
> Domain Admins from owning things in Sysvol.
>
> Rowland
<facepalm/> Thanks Rowland - you must be getting pretty tired of my dumb questions... The current GPOs are not critical (fortunately). Should I remove the Domain Admins gid and chgrp the ownership of the original directories back to 3000008 (the original Domain Admins gid)? I suspect the alternative is not as simple as chgrp'ing sysvol to the new Domain Admins gid? Or is the damage done....
Given the original age of this domain, and relatively small size, I am considering starting afresh. I was originally trying to avoid having to re-register the workstation community. This now feels like the better option.
As an aside, how do folks track domain uids/gids now that the new RSAT tools don't provide NIS??
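As an added example (not part of this thread, and not Samba's own tooling): the two ranges Rowland describes above, the '*' default range for BUILTIN and foreign SIDs and the SAMDOM range for the AD domain, have to be present and must not overlap, and per idmap_ad(8) the range also acts as a filter, so a uidNumber/gidNumber stored in AD that falls outside the SAMDOM range is silently ignored and the account gets no mapping on the member. The script below parses a constructed smb.conf fragment (the domain name SAMDOM, the realm and the gid 60002 from the thread are assumptions) and checks those three conditions before you go ahead with chgrp on shares. It is a static config check, not a replacement for `testparm` and `wbinfo --sid-to-gid` on the live member.

```shell
#!/bin/sh
# Added example: static sanity check of idmap ranges in a Samba domain
# member's smb.conf. Not code from the Samba project or the thread.
# Assumptions: domain SAMDOM, realm SAMDOM.EXAMPLE.COM, gid 60002 set
# on Domain Admins (all taken from or constructed for this example).

# Write a constructed member smb.conf fragment to the given path.
# (Only the lines relevant to idmap are included; a real member
# config has more settings.)
write_sample_conf() {
  cat >"$1" <<'EOF'
[global]
   security = ADS
   workgroup = SAMDOM
   realm = SAMDOM.EXAMPLE.COM
   idmap config * : backend = tdb
   idmap config * : range = 3000-29999
   idmap config SAMDOM:backend = ad
   idmap config SAMDOM:schema_mode = rfc2307
   idmap config SAMDOM:range = 30000-99999
EOF
}

# Print "lo hi" for the idmap range of a domain ('*' for the default
# domain). Tolerates "DOM : range" and "DOM:range" spellings.
idmap_range() {   # $1 = conf file, $2 = domain name
  awk -v dom="$2" '
    tolower($0) ~ /^[[:space:]]*idmap config/ {
      line = $0
      sub(/^[[:space:]]*idmap config[[:space:]]*/, "", line)
      split(line, kv, "=")
      key = kv[1]; val = kv[2]
      gsub(/[[:space:]]/, "", key); gsub(/[[:space:]]/, "", val)
      split(key, parts, ":")
      if (parts[1] == dom && parts[2] == "range") {
        split(val, r, "-"); print r[1], r[2]
      }
    }' "$1"
}

# Succeed if range [$1,$2] and range [$3,$4] do not overlap.
ranges_disjoint() {
  [ "$2" -lt "$3" ] || [ "$4" -lt "$1" ]
}

# Succeed if id $1 lies inside range [$2,$3]. idmap_ad drops any
# uidNumber/gidNumber outside the configured range, so an id that
# fails this check never resolves on the member.
id_in_range() {
  [ "$1" -ge "$2" ] && [ "$1" -le "$3" ]
}

# Check that both ranges exist, are disjoint, and that the gid stored
# in AD for the domain falls inside the domain's range.
check_member_idmap() {   # $1 = conf file, $2 = AD domain, $3 = gid
  star=$(idmap_range "$1" '*')
  dom=$(idmap_range "$1" "$2")
  [ -n "$star" ] || { echo "missing 'idmap config * : range'"; return 1; }
  [ -n "$dom" ]  || { echo "missing 'idmap config $2 : range'"; return 1; }
  ranges_disjoint $star $dom || { echo "'*' and $2 ranges overlap"; return 1; }
  id_in_range "$3" $dom || { echo "gid $3 is outside the $2 range ($dom)"; return 1; }
  echo "ok: '*' range $star, $2 range $dom, gid $3 inside $2 range"
}

# Stand-alone run against the constructed fragment.
conf=$(mktemp)
write_sample_conf "$conf"
check_member_idmap "$conf" SAMDOM 60002
rm -f "$conf"
```

The gid 60002 passes because it sits inside 30000-99999; the DC-side xidNumber 3000008 mentioned in the thread would fail the same check on this member, which is why the DC's 3000000 range and the member's ranges are independent of each other.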