[Samba] suddenly change: idmap uid + gid

Rowland penny rpenny at samba.org
Tue Nov 5 20:40:59 UTC 2019

On 05/11/2019 20:03, Alexey A Nikitin wrote:
> On Tuesday, 5 November 2019 01:37:15 PST Rowland penny via samba wrote:
>> On 04/11/2019 18:52, Alexey A Nikitin wrote:
>>> On Sunday, 3 November 2019 01:41:18 PST Rowland penny via samba wrote:
>>>> As I said, you cannot use 'winbind use default domain = yes' with
>>>> 'autorid'; it makes all users and groups members of the same domain,
>>>> and this is probably what has happened here.
>>>> Remove the line; this should stop it happening again.
>>>> If you have only one domain, then you shouldn't be using autorid, you
>>>> should be using rid instead; unfortunately it is probably too late now.
>>> Is it OK to use autorid for * when you have rid configured for the domain of your primary user on a given machine? E.g., if there is a forest of, say, users.example.com, dom1.example.com, dom2.example.com, and the primary user of the machine is in users.example.com, is it OK to have config like this:
>>>           idmap config * : backend = autorid
>>>           idmap config * : range = <range>
>>>           idmap config * : rangesize = <subrange>
>>>           idmap config USERS : backend = rid
>>>           idmap config USERS : range = <range>
>>> If yes, what about the same config for the case when USERS (users.example.com) is the only domain? My understanding is that in a single-domain situation this config shouldn't cause any issues with 'winbind use default domain = true', and in the multiple-domain situation this would cause trouble authenticating users from domains other than USERS but should work OK for the primary domain. Is that correct?
>> There is no point in using 'rid' with 'autorid'; they both do the same
>> thing: they map users using the user's SID.
>> If you have multiple domains, then the easiest way to set up smb.conf is
>> by using 'autorid'; otherwise you would have to set up multiple
>> 'idmap config' blocks, one for each domain.
>> If you only have one domain, then you could use the 'ad' or 'rid'
>> winbind backend. If you do not use the DC as a fileserver, then the
>> 'rid' backend is probably the one to use; this way you do not have to
>> add anything to AD.
>> If you want to have the same ID everywhere (you are using the DC as a
>> fileserver) then you will have to use the winbind 'ad' backend and add
>> RFC2307 attributes to AD.
>> Rowland
> In my case I have no control over the domain, and I have neither control over nor knowledge ahead of time of whether there is one domain or a whole forest of domains or even cross-forest trust relationships; all I know is the name of the domain where the primary user of a given machine resides. Because I have no control over the domain I cannot make use of RFC2307 attributes and the 'ad' backend, and because I don't know the number of domains I have to use the 'autorid' backend, or so I understand so far. You're saying that if there is only one domain then 'autorid' should not be used.
No, that is not what I said. I said that there is no point in using 
'rid' with 'autorid' and that if you have only one domain, you can use 
the 'rid' or 'ad' winbind backends, but there is nothing stopping you 
from using 'autorid' instead.
>   Is it because of technical reasons, or simply because it is overkill for the single-domain use case? IIRC earlier you (or someone else) said that there is a way to allocate a subrange for a given domain with autorid before anyone from that domain authenticates on the machine (I have the notes, I'm just too lazy to pull them up right now); my understanding is that with that approach I can use the 'autorid' backend regardless of the number of domains in a forest.

You can use 'autorid' with one or more domains, it is just that 
'autorid' was written to ease the setup of smb.conf with multiple domains.

I would suggest that if you have (or think you might have) more than one 
domain, then use 'autorid'. If you only have one domain and will never 
have more than one and do not need RFC2307 attributes, then use 'rid'. 
If you need the RFC2307 attributes, then use 'ad'.

Just use the backend that fits your requirements, but set it up 
correctly; for more info, read the relevant manpage:

'ad' : man idmap_ad

'rid' : man idmap_rid

'autorid' : man idmap_autorid
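As an added illustration of the two layouts recommended above (this is example configuration written for this archive page, not something posted by either participant), here are the idmap sections of a domain-member smb.conf for the multi-domain case with 'autorid' and for the single-domain case with 'rid'. The NetBIOS name USERS for users.example.com, the realm, and every ID range are assumptions; the two [global] fragments are alternatives, so only one of them belongs in a real smb.conf.

```ini
# Added example, not from the thread. Domain name USERS / USERS.EXAMPLE.COM
# and all ID ranges are assumed values; pick ONE of the two [global] layouts.

# ---- Layout A: forest with one or more domains (use 'autorid') ----
[global]
        workgroup = USERS
        realm = USERS.EXAMPLE.COM
        security = ADS

        # A single autorid block serves every domain winbind meets, including
        # BUILTIN and trusted domains, so no per-domain blocks are needed.
        # 'range' is carved into slices of 'rangesize' IDs, one slice per
        # domain, handed out in the order domains are first seen.
        idmap config * : backend = autorid
        idmap config * : range = 1000000-19999999
        idmap config * : rangesize = 1000000

        # Do not add 'idmap config USERS : backend = rid' beside autorid:
        # per this thread it gains nothing, since autorid already maps by RID.

        # Leave 'winbind use default domain' at its default (no). Stripping the
        # domain prefix makes DOM1\alice and DOM2\alice both appear as 'alice',
        # which is the collision this thread warns about.
        template shell = /bin/bash
        template homedir = /home/%D/%U

# ---- Layout B: exactly one domain, no RFC2307 attributes (use 'rid') ----
[global]
        workgroup = USERS
        realm = USERS.EXAMPLE.COM
        security = ADS

        # '*' still needs a backend for BUILTIN and other well-known SIDs;
        # a small tdb range that does not overlap the domain range is usual.
        idmap config * : backend = tdb
        idmap config * : range = 3000-7999

        # rid derives each ID deterministically from the SID's RID plus the
        # low end of this range, so nothing has to be added to AD.
        idmap config USERS : backend = rid
        idmap config USERS : range = 10000-999999

        # Acceptable here because there is only one domain to collide with.
        winbind use default domain = yes
        template shell = /bin/bash
        template homedir = /home/%U
```

After editing, run `testparm -s` to confirm the file parses, restart winbind, and check the result with `wbinfo -u` and `id 'USERS\someuser'` (or plain `id someuser` under layout B). Note the caveat from the top of this thread: once IDs have been handed out, switching backends or ranges changes the UIDs and GIDs winbind returns, so ownership on existing files would then have to be corrected by hand.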

