[Samba] Domain member?
Rowland Penny
rpenny at samba.org
Wed Oct 27 15:37:33 UTC 2021
On Wed, 2021-10-27 at 10:19 -0500, Patrick Goetz via samba wrote:
> On 10/26/21 05:21, Rowland Penny via samba wrote:
> > You do not have any 'idmap config' lines (I think I mentioned this
> > already)
> > As a minimum I would expect something like this:
> >
> > idmap config *:backend = tdb
> > idmap config *:range = 3000-9999
> > idmap config SAMBA : backend = rid
> > idmap config SAMBA : range = 10000-999999
> >
> > Rowland
> >
> >
> >
>
> I have a quick and ignorant RTFM question. I was under the impression
> that backend=rid meant that Samba would use the user's Active
> Directory RID as their UID (which feels comfortably deterministic),
It does, but not in the way you are thinking :-)
> but the fact that you're specifying an ID range indicates that this
> impression must be false, and that there's still an algorithmic
> mapping process?
Oh yes, if you use the winbind 'rid' backend (as in 'idmap config
DOMAIN : backend = rid'), then the user or group RID, with the low
range you set in smb.conf, is used to calculate the user or group ID.
If the RID is 1107 and the low range is 10000, the calculation would
be:
ID = 1107 - BASE_RID + 10000
The BASE_RID is 0 by default, so this becomes
ID = 1107 + 10000
Which is
ID = 11107
The autorid backend works in a similar way, it just uses a different
(and slightly more complex) calculation.
You need to choose a winbind backend and use it in your Unix domain
member's smb.conf. If you don't, getent will not show the users and
groups from AD.
All the winbind backends have a manpage, try reading 'man idmap_ad',
'man idmap_rid' and 'man idmap_autorid'.
Rowland
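
The calculation described in the reply above, as an added example that is not part of the original message or of Samba's code: it parses the 'idmap config' lines quoted in the thread, checks that the ranges do not overlap, and applies ID = RID - BASE_RID + low range in both directions. The function names are illustrative, and treating an out-of-range result as unmapped follows 'man idmap_rid'.

```python
import itertools
import re

# Constructed sample: the idmap lines quoted in the message above.
SMB_CONF = """\
idmap config *:backend = tdb
idmap config *:range = 3000-9999
idmap config SAMBA : backend = rid
idmap config SAMBA : range = 10000-999999
"""

# Matches 'idmap config DOMAIN : option = value' with or without spaces.
LINE = re.compile(r"^\s*idmap config\s+(\S+?)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.I)


def parse_idmap(text):
    """Return {domain: {option: value}}; 'range' becomes a (low, high) tuple."""
    domains = {}
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        dom, opt, val = m.group(1), m.group(2).lower(), m.group(3)
        if opt == "range":
            low, high = (int(x) for x in val.split("-"))
            val = (low, high)
        domains.setdefault(dom, {})[opt] = val
    return domains


def overlapping(domains):
    """Pairs of domains whose ID ranges intersect, so one ID could map twice."""
    ranged = [(n, d["range"]) for n, d in domains.items() if "range" in d]
    return [(a, b) for (a, ra), (b, rb) in itertools.combinations(ranged, 2)
            if ra[0] <= rb[1] and rb[0] <= ra[1]]


def rid_to_id(rid, rng, base_rid=0):
    """ID = RID - BASE_RID + low range; None when the result leaves the range."""
    low, high = rng
    unix_id = rid - base_rid + low
    return unix_id if low <= unix_id <= high else None


def id_to_rid(unix_id, rng, base_rid=0):
    """Reverse mapping: RID = ID + BASE_RID - low range."""
    low, high = rng
    return unix_id + base_rid - low if low <= unix_id <= high else None
```

With the range 10000-999999 and the default BASE_RID of 0, the largest RID that still maps is 989999; anything above it falls outside the range and gets no Unix ID.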