[Samba] idmap range and xidNumber

Rowland penny rpenny at samba.org
Sat Feb 29 18:54:48 UTC 2020


On 29/02/2020 18:15, Alexander Kushnirenko wrote:
>
> OK, thanks! Does any of them need to be reflected in unix world?
Mostly just Domain Users
>
> ------------- DC --------------------
> [global]
> kerberos method = system keytab
Please don't set the above on a DC
> client ldap sasl wrapping = sign
That is the default, so doesn't need to be there
> # name resolution support
> local master = yes
> os level = 255
> preferred master = yes
This is an AD DC, so you shouldn't have the three lines above.
> username map = /etc/samba/username.map
No, not on a Samba AD DC, idmap.ldb does this on a DC.
> # winbind enum are needed for getent passwd/group to work
No they aren't, all they do is make 'getent passwd' and 'getent group' 
display all users & groups. Running 'getent passwd username' without the 
lines will display individual users; same goes for groups. The other 
thing they do is slow things down.
>   winbind enum users = yes
>   winbind enum groups = yes
I would remove the two lines above.
>   winbind expand groups = 1
You probably do not need the line above.
> winbind use default domain = Yes
That doesn't work on a DC
> ----------- UNIX DOMAIN MEMBER ----------
> [global]
>   client use spnego = yes
Default setting
>   os level = 2
That is old-school ;-)
>   idmap config BHLAB : backend = ad
>   idmap config BHLAB : schema_mode = rfc2307
>   idmap config BHLAB : range = 10000-19999
>   idmap config BHLAB : unix_nss_info = yes
I take it that you have added uidNumber & gidNumber attributes to AD and 
that they are inside the '10000-19999' range
>   idmap config BHLAB : unix_primary_group = no
That is the default
>
> # Use Windows ACL - not there yet, we use POSIX ACL
Why not ?
> #  vfs objects = acl_xattr
> #  map acl inherit = yes
> #  store dos attributes = yes

I would still use them and read this:

https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs

It works better :-)

>
> # winbind enum are needed for getent passwd/group to work
>   winbind enum users = yes
>   winbind enum groups = yes
>   winbind expand groups = 1
See the DC comments re the above
>
> #======================= Share Definitions =======================
> [Common]
>    browseable = yes
Default setting
>    directory mask = 0775
>    guest ok = no
Default settings
>
> [users]
>    browseable = yes
Default setting
>    path = /home/
Not going to work, you need '%U' on the end
>    read only = no
>    writable = yes
These are the same, you only need one
>    force directory mode = 0755
>    guest ok = no

Default settings

I hope the above helps, any more questions, feel free to ask ;-)

Rowland
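As an added example (not part of this thread, and not Samba's own code): a small Python check for the point raised about the 'idmap config BHLAB : range' lines, namely that every uidNumber/gidNumber stored in AD has to fall inside the configured range or winbind will not map that account, and that ranges of different idmap domains must not overlap. The smb.conf fragment and the list of AD objects are constructed for the example.

```python
"""Check AD uid/gid numbers against the winbind 'idmap config DOM : range' setting."""
import re
from typing import Dict, List, Tuple

# Constructed smb.conf fragment modelled on the member server config in the thread.
SMB_CONF = """
[global]
   security = ads
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999
   idmap config BHLAB : backend = ad
   idmap config BHLAB : schema_mode = rfc2307
   idmap config BHLAB : range = 10000-19999
   idmap config BHLAB : unix_nss_info = yes
"""

# Constructed (name, kind, uidNumber/gidNumber) tuples standing in for what AD holds.
AD_OBJECTS = [
    ("alice", "user", 10001),
    ("bob", "user", 20001),           # outside the range: winbind will not map this user
    ("Domain Users", "group", 10000),
    ("project", "group", 9999),       # outside the range: group has no unix gid
]

RANGE_RE = re.compile(r"^\s*idmap config\s+(\S+)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)\s*$", re.I)


def parse_idmap_ranges(conf: str) -> Dict[str, Tuple[int, int]]:
    """Return {DOMAIN: (low, high)} for every 'idmap config DOM : range' line."""
    ranges: Dict[str, Tuple[int, int]] = {}
    for line in conf.splitlines():
        m = RANGE_RE.match(line)
        if m:
            ranges[m.group(1).upper()] = (int(m.group(2)), int(m.group(3)))
    return ranges


def ranges_overlap(ranges: Dict[str, Tuple[int, int]]) -> List[Tuple[str, str]]:
    """Idmap ranges of different domains must not overlap; return offending pairs."""
    items = sorted(ranges.items(), key=lambda kv: kv[1])
    return [(a, b) for (a, ra), (b, rb) in zip(items, items[1:]) if ra[1] >= rb[0]]


def unmapped_objects(ranges: Dict[str, Tuple[int, int]], domain: str, objects) -> List[str]:
    """Names whose uidNumber/gidNumber lies outside the domain's range (idmap_ad ignores them)."""
    low, high = ranges[domain.upper()]
    return [name for name, _kind, num in objects if not low <= num <= high]


if __name__ == "__main__":
    r = parse_idmap_ranges(SMB_CONF)
    print("ranges:", r, "overlaps:", ranges_overlap(r))
    print("outside BHLAB range:", unmapped_objects(r, "BHLAB", AD_OBJECTS))
```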
