[Samba] wbinfo manipulating idmap

Shannon Price pricesw at auburn.edu
Tue Sep 20 13:34:17 UTC 2022


Crazy question, but the wbinfo "set-uid-mapping" and "set-gid-mapping" options look appealing for setting the UIDs to the values I want, but I get the error wbcSetUidMapping: WBC_ERR_NOT_IMPLEMENTED.

Using idmap rid

Are there tools for manipulating the mappings? (rfc2307 is not an option currently for manipulating them on the Windows DCs).

--
Shannon Price


-----Original Message-----
From: samba <samba-bounces at lists.samba.org> On Behalf Of Rowland Penny via samba
Sent: Monday, September 19, 2022 2:44 PM
To: samba at lists.samba.org
Cc: Rowland Penny <rpenny at samba.org>
Subject: Re: [Samba] [EXT] Re: Samba 4 without winbind



On 19/09/2022 20:22, Shannon Price wrote:
> 
> I think the "ad" backend would work for me if I had access to the domain controllers, which I do not. This makes the path out of our antiquated setup much more complicated. It turns out that campus is using an AD-bridge product from BeyondTrust for the last 10 years.

Then you need to talk to the Windows admins about adding the rfc2307 attributes to your AD users and groups; they are all standard in the AD schema, you do not need to extend the schema. Can they not delegate permission to allow you to do this to your users and groups, or move your users & groups to an OU you can control?

> 
> The groups are in AD.  I can query my group membership with wbinfo --user-groups="DOMAIN\\username".  None of the groups are above 999999.  Some are over 930000, however, which with the calculation below puts some over 999999.

If the upper range is too low, then just add another '9' to it and restart the Samba daemons.

> I had the idmap ranges lower but the "idmap config *:range" said it was too full when it was set to 3000-7999.

The default (*) range is meant for the Well Known Sids (which there are less than 200) and anything outside the 'DOMAIN' domain, so I think it might be trying to pull in the entire forest.

> Leaving out the "*" idmap also generated a complaint; since your rid example included it, I left it in.

You really need it, see above.

> 
>          winbind enum users = yes
>          winbind enum groups = yes

Only use those for testing, they just slow things down and winbind will work without them.

>          winbind nested groups = yes

That is the default.

>          winbind expand groups = 3

You shouldn't need that, but be aware that the higher the number, the slower things will be.

> 
>          idmap config * : backend = tdb
>          idmap config * : range = 3000-60000
>          idmap config DOMAIN : backend = rid
>          idmap config DOMAIN : range = 70000-999999

If that is what works for you.

Rowland
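The "calculation" both messages refer to is the one the idmap_rid backend uses: it never stores a mapping, it computes ID = RID - base_rid + low_range from the SID's RID and the configured range (see man idmap_rid), which is also why wbinfo's set-uid-mapping cannot change anything for a rid domain. The script below is an added example, not code from the thread or from Samba: it parses the idmap lines quoted above, computes the UID/GID a given RID would get, reports the highest RID that still fits in the range, and flags overlapping ranges. The smb.conf snippet and the SIDs are constructed sample input; the domain SID in the check is an assumption, not a real one.

```python
import re

# Constructed sample: the idmap lines quoted in the thread above.
SMB_CONF = """
[global]
   idmap config * : backend = tdb
   idmap config * : range = 3000-60000
   idmap config DOMAIN : backend = rid
   idmap config DOMAIN : range = 70000-999999
"""

IDMAP_RE = re.compile(r"^\s*idmap config\s+(\S+)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.I)


def parse_idmap(conf):
    """Return {domain: {option: value}} for every 'idmap config' line."""
    cfg = {}
    for line in conf.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            dom, opt, val = m.groups()
            cfg.setdefault(dom, {})[opt.lower()] = val
    return cfg


def parse_range(text):
    """'70000-999999' -> (70000, 999999)."""
    lo, hi = (int(x.strip()) for x in text.split("-"))
    return lo, hi


def rid_of(sid):
    """The RID is the last sub-authority of a SID string."""
    return int(sid.rsplit("-", 1)[1])


def rid_to_id(rid, domain_cfg):
    """idmap_rid mapping: ID = RID - base_rid + low_range (base_rid defaults to 0).

    Returns (id, fits) where fits tells whether the ID lies inside the range;
    winbind refuses to map a RID whose computed ID falls outside it.
    """
    lo, hi = parse_range(domain_cfg["range"])
    base = int(domain_cfg.get("base_rid", "0"))
    ident = rid - base + lo
    return ident, lo <= ident <= hi


def max_rid(domain_cfg):
    """Highest RID that still maps inside the configured range."""
    lo, hi = parse_range(domain_cfg["range"])
    base = int(domain_cfg.get("base_rid", "0"))
    return hi - lo + base


def overlapping_ranges(cfg):
    """Return pairs of idmap domains whose ranges overlap (they must be disjoint)."""
    ranges = [(dom, parse_range(opts["range"])) for dom, opts in cfg.items() if "range" in opts]
    clashes = []
    for i, (d1, (lo1, hi1)) in enumerate(ranges):
        for d2, (lo2, hi2) in ranges[i + 1:]:
            if lo1 <= hi2 and lo2 <= hi1:
                clashes.append((d1, d2))
    return clashes


if __name__ == "__main__":
    cfg = parse_idmap(SMB_CONF)
    dom = cfg["DOMAIN"]
    # Assumed (made-up) domain SID, just to show the RID extraction.
    for sid in ("S-1-5-21-1-2-3-1000", "S-1-5-21-1-2-3-930000"):
        ident, fits = rid_to_id(rid_of(sid), dom)
        print(f"{sid}: id={ident} {'ok' if fits else 'OUT OF RANGE'}")
    print("highest RID that fits:", max_rid(dom))
    print("overlapping ranges:", overlapping_ranges(cfg) or "none")
```

With the quoted configuration the highest RID that fits is 929999, so any group with a RID of 930000 or more gets an ID above 999999 and is rejected, which is exactly the overflow described above; widening the upper bound (Rowland's "add another '9'") or raising the low end of the range changes the result of max_rid accordingly. The overlap check is worth keeping in a config review because winbind requires the "*" range and every domain range to be disjoint.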


--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba