[Samba] Change (fix) idmap config
Rowland Penny
rpenny at samba.org
Fri Oct 14 15:00:31 UTC 2022
On 14/10/2022 15:45, Lorenzo Milesi via samba wrote:
> Hi.
> We made a mistake in configuring two file servers, by putting the realm instead of the workgroup in idmap config (below). For this reason, now we get different ids when running `getent passwd` on the two servers...
> What's the best way to recover, considering we have users connecting via shares and ssh? Unjoin the server, adjust config, join again, chown?
>
> thanks
>
> workgroup = LIGHT
> realm = WDC.DOMAIN.IT
> security = ads
> idmap config * : range = 16777216-33554431
> winbind separator = +
> template homedir = /home/%U
> template shell = /bin/bash
> kerberos method = secrets only
> winbind use default domain = true
> winbind offline logon = false
> #--authconfig--end-line--
> idmap config *:backend = tdb
> idmap config *:range = 700001-800000
> idmap config WDC.DOMAIN.IT:backend = rid
> idmap config WDC.DOMAIN.IT:range = 10000-700000
>
I take it that all your users now have IDs in the 700001-800000 range.
You can just change the last two lines to use the NetBIOS domain name
(aka workgroup) and restart Samba, but this is going to change all your
user & group IDs on that Unix domain member.
I would also remove the first 'idmap config *' line, luckily it will
have been overridden by the second one.
Your other method will be to create a new Unix domain member with a
correct smb.conf and then get your users to copy the files etc across
via Samba.
If you are going to use authconfig on Red Hat, I would suggest you run
it first (before starting Samba), then fix its many mistakes.
Rowland
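
Added example (not part of the original thread, and not Samba's own code): a small Python check for the two smb.conf problems discussed above, an `idmap config` section named after the realm instead of the workgroup, and an `idmap config *` line that a later one overrides. The sample text is constructed from the quoted configuration, the function names are hypothetical, and the ID formula is the one documented for the rid backend, assuming its default base_rid of 0.

```python
import re

# Constructed sample: the idmap-relevant lines of the smb.conf quoted above.
SMB_CONF = """\
workgroup = LIGHT
realm = WDC.DOMAIN.IT
idmap config * : range = 16777216-33554431
idmap config *:backend = tdb
idmap config *:range = 700001-800000
idmap config WDC.DOMAIN.IT:backend = rid
idmap config WDC.DOMAIN.IT:range = 10000-700000
"""
IDMAP_RE = re.compile(r"idmap\s+config\s+(\S+?)\s*:\s*(.+)", re.I)

def parse(text):
    """Return (globals, idmap, overridden); a later line replaces an earlier one."""
    opts, idmap, overridden = {}, {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;[" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        m = IDMAP_RE.fullmatch(key)
        if not m:
            opts[key.lower()] = value
            continue
        dom, opt = m.group(1).upper(), m.group(2).strip().lower()
        if opt in idmap.get(dom, {}):
            overridden.append((dom, opt, idmap[dom][opt]))
        idmap.setdefault(dom, {})[opt] = value
    return opts, idmap, overridden

def audit(text):
    """List idmap sections not named after the workgroup, plus overridden lines."""
    opts, idmap, overridden = parse(text)
    wg, realm = (opts.get(k, "").upper() for k in ("workgroup", "realm"))
    findings = []
    for dom in idmap:
        if dom not in ("*", wg):
            why = "is the realm" if dom == realm else "is not the workgroup"
            findings.append(f"idmap config {dom} {why}; expected {wg}")
    for dom, opt, old in overridden:
        findings.append(f"idmap config {dom} {opt} = {old} is overridden later")
    return findings

def rid_to_unix_id(rid, low, base_rid=0):
    """rid backend formula: ID = RID - BASE_RID + LOW_RANGE_ID."""
    return rid - base_rid + low
print("\n".join(audit(SMB_CONF)))
```
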