[Samba] idmap problems

Rowland Penny rpenny at samba.org
Thu Jan 3 14:02:17 UTC 2019


On Thu, 3 Jan 2019 13:16:30 +0000
Rob Mason <rob at acasta.co.uk> wrote:

> > On Wed, 2 Jan 2019 14:42:39 +0000
> > Rob Mason <rob at acasta.co.uk> wrote:
> >
> >> Many thanks Rowland.  Yes, I don't understand idmaps, but I _think_
> >> I'm getting it. I have added the gid of 60002 for Domain Admins and
> >> undertaken some 'chgrp' tasks. I've now got a domain member with
> >> shares that presents the correct ownership. All looks good.
> >>
> >> I'm still slightly confused why I have two ranges within my member
> >> smb.conf:
> >>
> >> idmap config * : backend = tdb
> >> idmap config * : range = 3000-29999       ========>> reserved for
> >> BUILTIN ??? (and '3000000' range on the DC?)
> >
> > Yes & no ;-)
> >
> > The '*' domain is for the BUILTIN users & groups and anything
> > outside the 'DOMAIN' domain, it has nothing to do with the DC ID's
> >
> >> idmap config SAMDOM:backend = ad
> >> idmap config SAMDOM:schema_mode = rfc2307
> >> idmap config SAMDOM:range = 30000-99999      ========>> my uid/gid
> >> range for SAMDOM local domain accounts ???
> >
> > Yes, where 'SAMDOM' is your AD domain.
> >
> >> If I only require the domain user/admin accounts, I don't
> >> understand the need for the first (BUILTIN?) range.
> >
> > You might think you only need the 'SAMDOM' domain, but AD also needs
> > the '*' domain.
> >
> > I do hope you are not thinking of using GPO's, you have just stopped
> > Domain Admins from owning things in Sysvol.
> >
> > Rowland
> 
> <facepalm/> Thanks Rowland - you must be getting pretty tired of my
> dumb questions...

The only dumb question is the one you do not ask ;-)
If unsure, ask. It is easier to fix something before a mistake is made.

> The current GPO's are not critical (fortunately).
> Should I remove the Domain Admin gid and chgrp the ownership of the
> original directories back to 3000008 (original Domain Admin)?

Removing the gidNumber attribute should be enough, but as you say,
there is always chgrp.

> I suspect the alternative is not as simple as chgrp'ing sysvol to the
> new Domain Admin gid? Or is the damage done....

samba-tool ntacl sysvolreset

> 
> Given the original age of this domain, and relatively small size, I
> am considering starting afresh. I was originally trying to avoid
> having to re-register the workstation community. This now feels like
> the better option.

Setting up a new AD domain is, in my opinion, a better idea, you can
start without the old ways of doing things e.g. not starting the ID's
from '500'.
> 
> As an aside, how do folks track domain uids/gids now that the new
> RSAT tools don't provide NIS??

Even though RSAT on Windows 10 no longer comes with the Unix
Attributes tab, all the required attributes are still available in
Samba AD, you just need to write scripts to use them.

Rowland
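Rowland's suggestion to script the attributes, as an added example (not from the thread and not Samba's own tooling): a Python audit of uidNumber/gidNumber values against the two idmap ranges quoted above. It parses LDIF of the kind ldbsearch or samba-tool returns, assumes each entry carries objectClass and sAMAccountName, and runs on a constructed sample whose names and numbers are hypothetical.

```python
"""Audit uidNumber/gidNumber in an LDIF dump from Samba AD (added example, not
from the thread); a constructed sample stands in for ldbsearch output."""
import re
STAR_RANGE = (3000, 29999)     # idmap config * : range  (BUILTIN etc.)
DOMAIN_RANGE = (30000, 99999)  # idmap config SAMDOM : range
# Constructed sample LDIF; every name and number is hypothetical.
SAMPLE_LDIF = """\
dn: CN=Domain Admins,CN=Users,DC=samdom,DC=example,DC=com
objectClass: group
sAMAccountName: Domain Admins
gidNumber: 60002

dn: CN=alice,CN=Users,DC=samdom,DC=example,DC=com
objectClass: user
sAMAccountName: alice
uidNumber: 30001

dn: CN=bob,CN=Users,DC=samdom,DC=example,DC=com
objectClass: user
sAMAccountName: bob
uidNumber: 30001

dn: CN=legacy,CN=Users,DC=samdom,DC=example,DC=com
objectClass: user
sAMAccountName: legacy
uidNumber: 500
"""

def parse_ldif(text):
    """One dict per entry (attribute -> value); multi-valued attrs not needed."""
    return [dict(line.partition(": ")[::2] for line in block.splitlines())
            for block in re.split(r"\n\s*\n", text.strip())]

def audit(entries, attr, cls):
    """Return (account, id, problem) tuples for `attr` on objects of `cls`."""
    seen, problems = {}, []
    for e in (x for x in entries if x.get("objectClass") == cls and attr in x):
        n, name = int(e[attr]), e["sAMAccountName"]
        if not DOMAIN_RANGE[0] <= n <= DOMAIN_RANGE[1]:
            star = STAR_RANGE[0] <= n <= STAR_RANGE[1]
            problems.append((name, n, "in '*' range" if star else "outside SAMDOM range"))
        if n in seen:  # two accounts sharing an id get the same file ownership
            problems.append((name, n, "duplicate of " + seen[n]))
        seen.setdefault(n, name)
    return problems

def next_free(entries, attr):
    """Lowest unused id in the SAMDOM range, for the next account created."""
    used = {int(e[attr]) for e in entries if attr in e}
    return next(i for i in range(DOMAIN_RANGE[0], DOMAIN_RANGE[1] + 1) if i not in used)
```

Run the audit for users on uidNumber and for groups on gidNumber separately, since a user's own gidNumber (primary group) legitimately repeats across accounts.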
