[Samba] Need help with roaming profiles

Anders Östling anders.ostling at gmail.com
Tue Jun 30 10:24:00 UTC 2020


On Tue, Jun 30, 2020 at 11:57 AM Rowland penny via samba
<samba at lists.samba.org> wrote:
>
> On 30/06/2020 10:34, Anders Östling wrote:
> > On Tue, Jun 30, 2020 at 11:24 AM Rowland penny via samba
> > <samba at lists.samba.org> wrote:
> >> On 30/06/2020 09:50, Anders Östling wrote:
> >>
> >>>> You have 'workgroup = HPLTS' and 'idmap config dg11', again, they must match
> >>> As I wrote in the previous reply, that was a mistake from the initial
> >>> deployment. However, I have a copy of the VM and when I corrected DG11
> >>> to HLPTS and restarted the services, this happens:
> >>>
> >>> getent group "Oldgroup" returns a value in the 10000 range (as
> >>> specified in the idmap config * statement).
> >> If 'oldgroup' isn't in the 'HLPTS' domain, this is to be expected.
> >>> I now created a new group in the domain, and expected to get a value
> >>> in the range 30000 (as specified in the idmap config HPTLS statement).
> >> You should.
> >>> Again, I probably don't understand the different backends (tdb vs rid)
> >>> functions enough.
> >> The default domain '*' uses tdb and is an allocating db, the 'rid'
> >> backend for your HPTLS domain uses the AD objects RID to calculate the
> >> Unix ID.
> >>> The new group was given an ID of 10032, so it seems
> >>> as if the * statement still is the used range. Is this expected
> >>> behaviour?
> >> No, it isn't, if the group exists in AD and the AD domain name is
> >> 'HPTLS', from what you have posted, I would expect the Unix ID to start
> >> with a '3'. Have you run 'net cache flush' ?
> > I did this on the test system but can't see any difference. Both the
> > old and newly created groups have IDs in the 10000 range.
> >
> > WHAT IF:
> > I remove the server from the domain
> > Delete the tlb and ldb databases
> > Correct the idmap statements as recommended
> > Rejoin the domain
>
> You could try that, but you shouldn't have to ;-)
>

Let's play :)

> If a user exists in AD and has the RID '1107' and you have this in smb.conf:
>
>          idmap config * : backend = tdb
>          idmap config * : range = 10000-20000
>          idmap config HPLTS : backend = rid
>          idmap config HPLTS : range = 30000-40000
>
> Then on a domain joined Unix machine, I would expect the user's Unix ID
> to be '31107', this would also depend on the user not being in /etc/passwd
>
> > I assume that all accounts and groups will get new IDs in the
> > 30000-range.
> Yes, except for just one possible gotcha, if a user has the rid 11107,
> then the Unix ID would be 30000 + 11107 = 41107. This is larger than
> 40000, so it would be ignored, but you would have to have a very large
> domain for this to happen, it is also easy to fix, just replace 40000
> with a larger number.

It's a quite small domain so that should not be an issue within the
next 100 years.

> >   Do I need to re-apply all folder and file permissions
> > from the Windows server to get them correctly mapped?
>
> If you have files etc. belonging to different IDs then yes.
>

I did try this, and the old IDs in the 10000-range are still there on
the folders. All users and groups are now in the 30000-range, as
expected.

The *share* permissions seem to be correct, but not folders and
files. It will be a major PITA to correct them afterwards manually, so
I will see if I can find a PS-script that collects the ACLs before
the change and then re-applies them afterwards. I will continue to
scan the net for this. I really want the installation to be as
"correct" as possible.

Anders

> Rowland



-- 
-----------------------------------------------------------------------------------------------------------------------
This signature contains 100% recyclable electrons as prescribed by Mother Nature

Anders Östling
+46 768 716 165 (Mobil)
+46 431 45 56 01  (Hem)
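The mapping Rowland describes (rid backend = range low + RID, ignored when the result falls outside the range; anything without its own idmap block falls through to the allocating '*' tdb range), as an added model in Python that is not part of this thread or of Samba itself. The smb.conf excerpt is constructed from the lines quoted above; the sequential allocation in TdbAllocator is a simplification of what the tdb backend really does.

```python
import re

# Constructed smb.conf excerpt built from the idmap lines quoted in the thread.
SMB_CONF = """
[global]
   workgroup = HPLTS
   idmap config * : backend = tdb
   idmap config * : range = 10000-20000
   idmap config HPLTS : backend = rid
   idmap config HPLTS : range = 30000-40000
"""

IDMAP_RE = re.compile(r"^\s*idmap config\s+(\S+)\s*:\s*(backend|range)\s*=\s*(\S+)", re.I)

def parse_idmap(conf):
    """Collect {DOMAIN: {'backend': ..., 'low': int, 'high': int}} from smb.conf text."""
    cfg = {}
    for line in conf.splitlines():
        m = IDMAP_RE.match(line)
        if not m:
            continue
        entry = cfg.setdefault(m.group(1).upper(), {})
        if m.group(2).lower() == "backend":
            entry["backend"] = m.group(3).lower()
        else:
            entry["low"], entry["high"] = (int(x) for x in m.group(3).split("-"))
    return cfg

class TdbAllocator:
    """Simplified model of the '*' tdb backend: hands out the next unused ID in its range."""
    def __init__(self, low, high):
        self.next, self.high, self.cache = low, high, {}
    def get(self, key):
        if key not in self.cache:
            if self.next > self.high:
                raise RuntimeError("default idmap range exhausted")
            self.cache[key], self.next = self.next, self.next + 1
        return self.cache[key]

def resolve(cfg, alloc, domain, rid):
    """Unix ID for an object with RID `rid` in `domain`: rid backend when the domain
    has one (low + RID, None when above the range), otherwise allocated from '*'."""
    entry = cfg.get(domain.upper())
    if entry and entry.get("backend") == "rid":
        uid = entry["low"] + rid
        return uid if uid <= entry["high"] else None
    return alloc.get(f"{domain.upper()}-{rid}")  # no matching idmap block: falls back to '*'
```

Running resolve() for a domain name that has no idmap block reproduces the 10000-range IDs seen when the block said dg11 while the domain was HPLTS.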
