[Samba] Need help with roaming profiles

Rowland penny rpenny at samba.org
Tue Jun 30 09:57:18 UTC 2020


On 30/06/2020 10:34, Anders Östling wrote:
> On Tue, Jun 30, 2020 at 11:24 AM Rowland penny via samba
> <samba at lists.samba.org> wrote:
>> On 30/06/2020 09:50, Anders Östling wrote:
>>
>>>> You have 'workgroup = HPLTS' and 'idmap config dg11', again, they must match
>>> As I wrote in the previous reply, that was a mistake from the initial
>>> deployment. However, I have a copy of the VM and when I corrected DG11
>>> to HLPTS and restarted the services, this happens:
>>>
>>> getent group "Oldgroup" returns a value in the 10000 range (as
>>> specified in the idmap config * statement).
>> If 'oldgroup' isn't in the 'HLPTS' domain, this is to be expected.
>>> I now created a new group in the domain, and expected to get a value
>>> in the range 30000 (as specified in the idmap config HPTLS statement).
>> You should.
>>> Again, I probably don't understand the different backends (tdb vs rid)
>>> functions enough.
>> The default domain '*' uses tdb and is an allocating db, the 'rid'
>> backend for your HPTLS domain uses the AD objects RID to calculate the
>> Unix ID.
>>> The new group was given a id of 10032, so it seems
>>> as if the * statement still is the used range. Is this expected
>>> behaviour?
>> No, it isn't, if the group exists in AD and the AD domain name is
>> 'HPTLS' , from what you have posted, I would expect the Unix ID to start
>> with a '3'. Have you run 'net cache flush' ?
> I did this on the test system but can't see any difference. Both the
> old and newly created groups have IDs in the 10000 range.
>
> WHAT IF:
> I remove the server from the domain
> Delete the tlb and ldb databases
> Correct the idmap statements as recommended
> Rejoin the domain

You could try that, but you shouldn't have to ;-)

If a user exists in AD and has the RID '1107' and you have this in smb.conf:

         idmap config * : backend = tdb
         idmap config * : range = 10000-20000
         idmap config HPLTS : backend = rid
         idmap config HPLTS : range = 30000-40000

Then on a domain joined Unix machine, I would expect the user's Unix ID 
to be '31107', this would also depend on the user not being in /etc/passwd.

> I assume that all accounts and groups will get new IDs in the
> 30000-range.
Yes, except for just one possible gotcha, if a user has the rid 11107, 
then the Unix ID would be 30000 + 11107 = 41107. This is larger than 
40000, so it would be ignored, but you would have to have a very large 
domain for this to happen, it is also easy to fix, just replace 40000 
with a larger number.
> Do I need to re-apply all folder and file permissions
> from the Windows server to get them correctly mapped?

If you have files etc. belonging to different IDs, then yes.

Rowland
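As an added illustration (not part of the thread), a small Python model of the arithmetic Rowland describes: the rid backend adds the AD RID to the low end of the domain's range and the result is ignored if it leaves that range, while a Unix ID landing in the '*' range means the allocating tdb backend answered rather than the rid backend. The two config dictionaries are constructed; the mismatched one mirrors the original 'dg11' vs 'HPLTS' error, and base_rid is assumed to be the default 0.

```python
# Constructed to mirror the smb.conf fragment quoted in the mail.
IDMAP_CONFIG = {
    "*":     {"backend": "tdb", "range": (10000, 20000)},
    "HPLTS": {"backend": "rid", "range": (30000, 40000)},
}
# Constructed: the idmap entry is named after the wrong domain, as in the
# original deployment, so nothing here matches workgroup = HPLTS.
MISMATCHED_CONFIG = {
    "*":    {"backend": "tdb", "range": (10000, 20000)},
    "DG11": {"backend": "rid", "range": (30000, 40000)},
}
WORKGROUP = "HPLTS"


def rid_to_unix_id(domain, rid, config=IDMAP_CONFIG):
    """Algorithmic Unix ID for (domain, rid) under a rid backend, or None
    when the domain has no rid entry or the result leaves the range."""
    dom = config.get(domain)
    if dom is None or dom["backend"] != "rid":
        return None            # tdb allocates IDs; nothing to compute
    low, high = dom["range"]
    unix_id = low + rid        # idmap_rid with base_rid = 0 (assumed default)
    return unix_id if low <= unix_id <= high else None


def which_range(unix_id, config=IDMAP_CONFIG):
    """Name of the idmap entry whose range contains unix_id, else None.
    An ID in the '*' range was handed out by the allocating default backend."""
    for name, dom in config.items():
        low, high = dom["range"]
        if low <= unix_id <= high:
            return name
    return None


def workgroup_has_idmap_entry(workgroup, config):
    """True when an 'idmap config <DOMAIN>' entry exists for the joined
    workgroup; otherwise its users fall through to the '*' range."""
    return workgroup.upper() in (name.upper() for name in config if name != "*")


if __name__ == "__main__":
    print(rid_to_unix_id("HPLTS", 1107))     # 31107
    print(rid_to_unix_id("HPLTS", 11107))    # None: 41107 is above 40000
    print(which_range(10032))                # '*': allocated by tdb, not rid
    print(workgroup_has_idmap_entry(WORKGROUP, IDMAP_CONFIG))       # True
    print(workgroup_has_idmap_entry(WORKGROUP, MISMATCHED_CONFIG))  # False
```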