[Samba] [EXTERNAL] Re: Server Mandatory SMB Signing Not Working

Rowland Penny rpenny at samba.org
Sun Nov 14 19:32:41 UTC 2021


On Sun, 2021-11-14 at 14:14 -0500, Philip Cunio wrote:
> Yes, working on those. We need local accounts created as we have
> issues using uid ranges out of AD. Does the idmap replace the add
> user script functionality? That's why the add user script is useful
> for us - when it works.  Does the idmap replace the add user script
> functionality? Also, does having winbindd running override the add
> user script?

This is what you need the 'idmap config' lines for.
Each object in AD (users, groups, computers etc) has a unique SID.
This SID is made up from the Domain SID with a RID on the end. If you
use the winbind 'rid' backend, the RID is used to calculate a Unix ID,
using the domain low range you set in smb.conf. So if the low range is
10000 and the RID is 1107, it is used with this calculation:

ID = RID - BASE_RID + LOW_RANGE_ID

The BASE_RID is normally '0' unless you change it (not advised), so the
calculation becomes:

ID = 1107 - 0 + 10000

ID = 11107

If the user's name is fred, then fred's Unix ID would be 11107 and there
would be no need for a user 'fred' in /etc/passwd (or whatever AIX
uses), so you would not need to create users locally (which is the
whole reason behind AD, you only create users, groups etc in one place).

Rowland
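
An added example, not part of the message above and not Samba's own code: a Python sketch of the 'rid' calculation it describes, together with the inverse mapping and the range check. The domain SID and the 10000-999999 range are constructed sample values, and the function names are hypothetical.

```python
# Added sketch of the winbind 'rid' arithmetic; not Samba source code.
from __future__ import annotations

from typing import Optional

DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"  # constructed sample
LOW, HIGH = 10000, 999999   # assumed 'idmap config DOMAIN : range' values
BASE_RID = 0                # default, as stated in the message


def split_sid(sid: str) -> tuple[str, int]:
    """Split a SID string into (domain SID, RID)."""
    parts = sid.split("-")
    if len(parts) < 4 or parts[0] != "S" or not all(p.isdigit() for p in parts[1:]):
        raise ValueError(f"not a SID: {sid!r}")
    return "-".join(parts[:-1]), int(parts[-1])


def sid_to_unix_id(sid: str) -> Optional[int]:
    """Return the Unix ID for a SID, or None if it cannot be mapped."""
    domain, rid = split_sid(sid)
    if domain != DOMAIN_SID:
        return None                      # object belongs to another domain
    unix_id = rid - BASE_RID + LOW       # ID = RID - BASE_RID + LOW_RANGE_ID
    if not LOW <= unix_id <= HIGH:
        return None                      # outside the configured range: unmapped
    return unix_id


def unix_id_to_sid(unix_id: int) -> Optional[str]:
    """Inverse mapping: RID = ID + BASE_RID - LOW_RANGE_ID."""
    if not LOW <= unix_id <= HIGH:
        return None
    return f"{DOMAIN_SID}-{unix_id + BASE_RID - LOW}"


if __name__ == "__main__":
    fred = f"{DOMAIN_SID}-1107"          # fred's RID from the message
    print(fred, "->", sid_to_unix_id(fred))
    print(11107, "->", unix_id_to_sid(11107))
```

Because the result depends only on the RID and the configured range, every member server using the same range derives the same Unix ID for a given account.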




