[Samba] Need help with roaming profiles
anders.ostling at gmail.com
Tue Jun 30 10:24:00 UTC 2020
On Tue, Jun 30, 2020 at 11:57 AM Rowland penny via samba
<samba at lists.samba.org> wrote:
> On 30/06/2020 10:34, Anders Östling wrote:
> > On Tue, Jun 30, 2020 at 11:24 AM Rowland penny via samba
> > <samba at lists.samba.org> wrote:
> >> On 30/06/2020 09:50, Anders Östling wrote:
> >>>> You have 'workgroup = HPLTS' and 'idmap config dg11', again, they must match
> >>> As I wrote in the previous reply, that was a mistake from the initial
> >>> deployment. However, I have a copy of the VM and when I corrected DG11
> >>> to HLPTS and restarted the services, this happens:
> >>> getent group "Oldgroup" returns a value in the 10000 range (as
> >>> specified in the idmap config * statement).
> >> If 'oldgroup' isn't in the 'HLPTS' domain, this is to be expected.
> >>> I now created a new group in the domain, and expected to get a value
> >>> in the range 30000 (as specified in the idmap config HPTLS statement).
> >> You should.
> >>> Again, I probably don't understand the different backends (tdb vs rid)
> >>> functions enough.
> >> The default domain '*' uses tdb and is an allocating db, the 'rid'
> >> backend for your HPTLS domain uses the AD objects RID to calculate the
> >> Unix ID.
> >>> The new group was given a id of 10032, so it seems
> >>> as if the * statement still is the used range. Is this expected
> >>> behaviour?
> >> No, it isn't, if the group exists in AD and the AD domain name is
> >> 'HPTLS' , from what you have posted, I would expect the Unix ID to start
> >> with a '3'. Have you run 'net cache flush' ?
> > I did this on the test system but can't see any difference. Both the
> > old and newly created groups have id's in the 10000 range.
> > WHAT IF:
> > I remove the server from the domain
> > Delete the tdb and ldb databases
> > Correct the idmap statements as recommended
> > Rejoin the domain
> You could try that, but you shouldn't have to ;-)
Let's play :)
> If a user exists in AD and has the RID '1107' and you have this in smb.conf:
> idmap config * : backend = tdb
> idmap config * : range = 10000-20000
> idmap config HPLTS : backend = rid
> idmap config HPLTS : range = 30000-40000
> Then on a domain joined Unix machine, I would expect the user's Unix ID
> to be '31107', this would also depend on the user not being in /etc/passwd
> > I assume that all accounts and groups will get new id's in the
> > 30000-range.
> Yes, except for just one possible gotcha, if a user has the rid 11107,
> then the Unix ID would be 30000 + 11107 = 41107. This is larger than
> 40000, so it would be ignored, but you would have to have a very large
> domain for this to happen, it is also easy to fix, just replace 40000
> with a larger number.
It's a quite small domain so that should not be an issue within the
next 100 years.
> > Do I need to re-apply all folder and file permissions
> > from the Windows server to get them correctly mapped?
> If you have files etc. belonging to different IDs then yes.
I did try this, and the old id's in the 10000-range are still there on
the folders. All users and groups are now in the 30000-range, as
The *share* permissions seem to be correct, but not folders and
files. It will be a major PITA to correct them afterwards manually, so
I will see if I can find a PS-script that collects the ACL's before
the change and then re-applies them afterwards. I will continue to
scan the net for this. I really want the installation to be as
"correct" as possible.
This signature contains 100% recyclable electrons as prescribed by Mother Nature
+46 768 716 165 (Mobil)
+46 431 45 56 01 (Hem)
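
The mismatch discussed in this thread, as an added example that is not part of the original message or of Samba's code: it parses a constructed smb.conf fragment, checks whether the workgroup has its own `idmap config` section, and predicts the ID using the low-range-plus-RID rule quoted above. The function names are hypothetical, and the rid calculation assumes the default `base_rid` of 0.

```python
import re

# Constructed smb.conf fragment reproducing the mismatch from the thread:
# the workgroup is HPLTS but the rid range is configured for DG11.
SAMPLE_CONF = """
[global]
    workgroup = HPLTS
    idmap config * : backend = tdb
    idmap config * : range = 10000-20000
    idmap config DG11 : backend = rid
    idmap config DG11 : range = 30000-40000
"""

IDMAP_RE = re.compile(r"^\s*idmap config\s+(\S+)\s*:\s*(backend|range)\s*=\s*(\S+)", re.I)
WORKGROUP_RE = re.compile(r"^\s*workgroup\s*=\s*(\S+)", re.I)

def parse_idmap(conf_text):
    """Return (workgroup, {DOMAIN: {'backend': str, 'range': (low, high)}})."""
    workgroup, domains = None, {}
    for line in conf_text.splitlines():
        m = WORKGROUP_RE.match(line)
        if m:
            workgroup = m.group(1).upper()
            continue
        m = IDMAP_RE.match(line)
        if m:
            dom, key, val = m.group(1).upper(), m.group(2).lower(), m.group(3)
            if key == "range":
                low, high = val.split("-")
                val = (int(low), int(high))
            domains.setdefault(dom, {})[key] = val
    return workgroup, domains

def expected_unix_id(conf_text, rid):
    """Predict how a domain RID is mapped under the given configuration."""
    workgroup, domains = parse_idmap(conf_text)
    cfg = domains.get(workgroup)
    if cfg is None:
        # No 'idmap config <workgroup>' section: the default '*' domain applies
        # and its allocating backend hands out IDs from its own range.
        low, high = domains["*"]["range"]
        return ("default", f"allocated from {low}-{high}")
    if cfg.get("backend") != "rid":
        return ("other", cfg.get("backend"))
    low, high = cfg["range"]
    unix_id = low + rid  # assumption: base_rid left at its default of 0
    if unix_id > high:
        return ("out-of-range", unix_id)  # mapping is ignored, as noted above
    return ("rid", unix_id)
```

Running `expected_unix_id` against the real smb.conf before and after a change shows whether domain accounts will land in the default range or the rid range, which in turn tells you whether existing file ownership will need to be re-applied.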