[Samba] User mapping?
rpenny at samba.org
Sat Aug 8 19:09:32 UTC 2020
On 08/08/2020 19:43, Simon Matthews wrote:
> On 8/8/20 12:21 AM, Rowland penny via samba wrote:
>> On 07/08/2020 22:44, Simon Matthews via samba wrote:
>>>>> This is where your problems start, you do not have enough lines, I
>>>>> would expect something like this:
>>>>> idmap config * : backend = tdb
>>>>> idmap config * : range = 100000-9999999
>>>>> idmap config BLUE : backend = rid
>>>>> idmap config BLUE : range = 500-99999
>>> No, I was wrong about this. The name mapping is correct but the numeric
>>> IDs are different, so I still have permission issues:
>>> # ls -al
>>> total 28
>>> drwxrwxrwx. 4 <user> blue 4096 Aug 7 14:40 .
>>> drwxr-xr-x. 12 <user> blue 4096 Aug 6 13:06 ..
>>> drwxr-xr-x. 2 <user> blue 4096 Aug 7 14:40 New folder
>>> "New folder" is an empty folder I created from the Windows machine
>>> setting the directory perms to 777. However, when we look at the actual
>>> # ls -aln
>>> total 28
>>> drwxrwxrwx. 4 2002 441 4096 Aug 7 14:40 .
>>> drwxr-xr-x. 12 2002 441 4096 Aug 6 13:06 ..
>>> drwxr-xr-x. 2 16777216 16777222 4096 Aug 7 14:40 New folder
>> Try running 'net cache flush'
>> Also, the numbers I supplied were examples, you may need to tweak
>> them. The 'rid' backend calculates the Unix ID from the user's RID
>> with this formula:
>> ID = RID + LOW_RANGE_ID
>> Which from the range I posted becomes:
>> ID = RID + 500
>> So, if a user has the RID 1000, they should have the ID '1500'
>> 1500 = 1000 + 500
>> The '*' range is for the Well Known Sids and anything outside the domain.
>> These numbers will probably not match any users you have in /etc/passwd
>> (mind you, you shouldn't have any users in /etc/passwd)
> I really appreciate the help.
> Running 'net cache flush' helped so that the Linux client actually saw
> "<user>" as a valid id.
> On the client I now see :
> # id <user>
> uid=1578(<user>) gid=1595(blue)
> Apart from <user> all of the groups are related to machine accounts.
> Can you confirm for me that the settings you suggested are for the Samba
> domain MEMBER and not on the server?
Yes, on the client, you shouldn't use the PDC as a fileserver.
> The id of 2002 was what I had put (but now removed) from /etc/passwd --
> it matched the network-wide id for that user. On the Linux machines, we
> have IDs that go up to 4000.
> I also configured id mapping in nfs and everything seems to work nicely
> to map this user to uid 1578 over NFS and locally. Incidentally, I only
> need this one user's ids to match.
> I still see 16777216 as the ID of files newly created by the Windows
> client (after all the changes). I have the following in
> passwd: files sss winbind
> shadow: files sss winbind
> group: files sss winbind
yum remove sssd*