[Samba] suddenly change: idmap uid + gid

[Rowland penny]

On 03/11/2019 15:06, Liste via samba wrote:
> Am 03.11.2019 um 09:42 schrieb Rowland penny via samba <samba at lists.samba.org>:
>> On 02/11/2019 23:18, Hilberg via samba wrote:
>>> Hi
>>>
>>> The server suddenly changed the uid + gid. this happened to times, yesterday and the week after. The default group at example
>>> The samba is a AD member where we have many users (>20 000) and we use autorid in that way
>>> [global]
>>>    security = ads
>>>    workgroup = CUSTOMER
>>>    realm = CUSTOMER.COM
>>>    winbind use default domain = yes
>>>    winbind enum users = yes
>>>    winbind enum group = yes
>>>    idmap config * : backend = autorid
>>>    idmap config * : range = 1000000-8999999999
>>>
>>> OS debian 10
>>> DC Microsoft
>>>
>>> At the moment I have two questions:
>>> Why this happened and is there a way to stop the disaster?
>>> Is there a quick way to repair the disaster? I infects the profile directory used with acl.
>>>
>>> thank you
>>>
>> Please do not post things like this to the samba-technical list.
>>
>> As I said, you cannot use 'winbind use default domain = yes' with 'autorid', it makes all users and groups members of the same domain, this is probably what has happened here.
>>
>> Remove the line, this should stop it happening again
>>
>> If you have only one domain, then you shouldn't be using autorid, you should be using rid instead, unfortunately it is probably too late now.
> I have 4 trusted domains
> Builtin
> Hostname of Samba Servern
> Costumer
> costumerxy
>
> Custumer is the only primary

You can forget the first two, but because you have two domains (Costumer 
& costumerxy), YOU CANNOT USE 'winbind use default domain = yes' with 
autorid.

If you have a user COSTUMER\fred and a user COSTUMERXY\fred, whilst they 
are different users, they will both get mapped to CUSTOMER\fred and as 
the ID is calculated from the user SID, the ID may change.

Rowland