[Samba] Problem with AD & idmap
Adam Thorn
alt36 at cam.ac.uk
Thu Mar 3 14:02:48 UTC 2022
On 03/03/2022 13:22, L. van Belle via samba wrote:
> And.. Small side note, this is different per distro.
>
> cat /etc/adduser.conf |grep UID
>
> # FIRST_SYSTEM_[GU]ID to LAST_SYSTEM_[GU]ID inclusive is the range for UIDs
> # package, may assume that UIDs less than 100 are unallocated.
> FIRST_SYSTEM_UID=100
> LAST_SYSTEM_UID=999
>
> # FIRST_[GU]ID to LAST_[GU]ID inclusive is the range of UIDs of dynamically
> FIRST_UID=1000
> LAST_UID=29999
>
> So, based on that, (*a Debian Buster server)..
>
> Try to avoid these system ranges or at least think about these..

One might also have systemd services that make use of "Dynamic Users":

https://0pointer.net/blog/dynamic-users-with-systemd.html

systemd expects to be able to use UIDs in the range 61184–65519 and I
don't believe that's configurable. Whilst it's OK to use some UIDs in
that range because (quoting from the above link)...

"You might wonder what happens if you already used UIDs from the
61184–65519 range on your system for other purposes. systemd should
handle that mostly fine, as long as that usage is properly registered in
the user database: when allocating a dynamic user we pick a UID, see if
it is currently used somehow, and if yes pick a different one, until we
find a free one. Whether a UID is used right now or not is checked
through NSS calls"

...if you were to assign most of that UID range to users which NSS will
say are in use, it might cause problems for your systemd services.

Adam
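
Added example, not part of the original message: a check that reads the `idmap config ... : range` lines from an smb.conf and reports where they overlap the UID ranges named in this thread (the Debian Buster adduser.conf values and the systemd dynamic-user range). The sample smb.conf text, the domain name SAMDOM and the function names are constructed for illustration.

```python
import re

# Ranges quoted in the thread (inclusive bounds).
RESERVED = {
    "system accounts (adduser.conf)": (100, 999),
    "local users (adduser.conf)": (1000, 29999),
    "systemd dynamic users": (61184, 65519),
}

# Matches e.g. "idmap config SAMDOM : range = 10000-999999"
IDMAP_RANGE = re.compile(
    r"^\s*idmap\s+config\s+(?P<domain>[^\s:]+)\s*:\s*range\s*=\s*"
    r"(?P<low>\d+)\s*-\s*(?P<high>\d+)\s*$",
    re.IGNORECASE,
)

def parse_idmap_ranges(smb_conf_text):
    """Return {domain: (low, high)} for every idmap range line."""
    ranges = {}
    for line in smb_conf_text.splitlines():
        if line.lstrip().startswith(("#", ";")):
            continue  # smb.conf comment lines
        m = IDMAP_RANGE.match(line)
        if m:
            ranges[m["domain"]] = (int(m["low"]), int(m["high"]))
    return ranges

def find_overlaps(idmap_ranges, reserved=RESERVED):
    """Return (domain, reserved label, first UID, last UID) per overlap."""
    hits = []
    for domain, (low, high) in idmap_ranges.items():
        for label, (r_low, r_high) in reserved.items():
            lo, hi = max(low, r_low), min(high, r_high)
            if lo <= hi:
                hits.append((domain, label, lo, hi))
    return hits

# Constructed sample configuration, not taken from the thread.
SAMPLE_SMB_CONF = """
[global]
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    idmap config SAMDOM : backend = rid
    idmap config SAMDOM : range = 10000-999999
"""

if __name__ == "__main__":
    for domain, label, lo, hi in find_overlaps(parse_idmap_ranges(SAMPLE_SMB_CONF)):
        print(f"idmap range for {domain} overlaps {label}: {lo}-{hi} ({hi - lo + 1} UIDs)")
```

In the sample, the SAMDOM range covers all 4336 UIDs of the systemd dynamic-user range, which is the situation the message above cautions about.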