[Samba] samba idmap mystery

d tbsky tbskyd at gmail.com
Wed Feb 22 09:31:10 UTC 2023

Rowland Penny via samba <samba at lists.samba.org>
> >      recently I need to create a guest share to host computer group
> > policy resource. I tried but failed and found that recent win10
> > enterprise/win11 deny guest share access by default. so I think maybe
> > I can loosen samba configuration.
> Why would you think that ?
> If you need guest access, then you need to turn it back on, on the
> Windows clients.

I don't want to fight with the Windows default if possible. And domain
computers are not really unknown guests;
I just didn't give them an rfc2307 uid before. I want to make a read-only
share for domain computers with minimal effort if possible.

> > my original idmap config at file server looks like:
> >
> > idmap config *:backend = tdb
> > idmap config *:range = 1000000-1999999
> > idmap config SAMDOM:backend = ad
> > idmap config SAMDOM:schema_mode = rfc2307
> > idmap config SAMDOM:range = 1000-999999
> >
> > I comment out last line "idmap config SAMDOM:range = 1000-999999" and
> What was your reasoning for doing that ?
> What did you hope to achieve ?

I hoped samba would use the rfc2307 uid if the account has the setting,
otherwise use a dynamic id.
So a normal user account would have an rfc2307 uid, but a machine account
would use a dynamic id.
It seems that was just my dream.

> > restart samba. "getent passwd" return all the domain accounts with or
> > without rfc2307 settings.  "id machine$" also works and my computer
> > group policy can read the share resource correctly.
> Now if you did restart Samba, this should have cleared the winbind
> cache, unless, is nscd also running ? If it is, I suggest you remove it,
> you cannot have two caches.

No, I don't have nscd installed or running.

> > so I reverted my configuration and restarted smbd/winbind. but "id xxxx"
> > or "getent passwd xxxx" still returns "1000010". I tried adding "winbind cache
> > time=1","idmap cache time=1","idmap negative cache time=1", and I also tried
> > deleting
> > "/var/lib/samba/winbindd_cache.tdb" and
> > "/var/lib/samba/winbindd_cache.tdb" and restarting winbind/smbd but still
> > can not get rid of the dynamic user id "1000010".
> It looks more and more like nscd is running.

No, I don't have nscd running. In fact, over these years, when an id mapping was
missing or incorrect (getent passwd xxxx, id xxxx),
I had no way to make it appear/correct again unless a re-logged-on
Windows machine accessed the file server.
The id mappings have been working for several years, so I almost
forgot about the incorrect/missing situation.

> No, or no Unix domain member would work. What you are describing as
> 'dynamic id mapping' is the default domain '*' which uses the tdb idmap
> backend and this allocates Unix ID's for the BUILTIN domain and anything
> that isn't in the 'SAMDOM' domain, by removing the line, you put
> everything into the default domain.

I think that's the truth. I didn't realize the full detail of the
configuration. Now I understand.
Thanks a lot for the clarification.

> The only mysteries here are, why did you remove the line and is nscd
> running ?

Because I was too lazy to add an rfc2307 uid to machine accounts.
Now I will do it if there is no easy way.
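As an added check (my own example, not code from this thread or from Samba itself): a small Python lint that parses the idmap config lines quoted above and flags the exact situation Rowland describes, a named domain block with no range, plus overlapping ranges between domains. It assumes the smb.conf text is available as a string; the sample config is constructed from the post with the SAMDOM range line commented out.

```python
import re

# Matches "idmap config DOM:key = value"; DOM is '*' for the default domain.
IDMAP_RE = re.compile(r"^\s*idmap\s+config\s+([^:]+?)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.I)

def parse_idmap(conf):
    """Collect idmap settings into {DOMAIN: {key: value}}, skipping smb.conf comments."""
    domains = {}
    for line in conf.splitlines():
        if line.lstrip().startswith(("#", ";")):
            continue  # e.g. the range line commented out in the post
        m = IDMAP_RE.match(line)
        if m:
            dom, key, val = m.group(1).upper(), m.group(2).lower(), m.group(3)
            domains.setdefault(dom, {})[key] = val
    return domains

def check_idmap(conf):
    """Return a list of problems; an empty list means the idmap layout is consistent."""
    problems, ranges = [], {}
    for dom, keys in parse_idmap(conf).items():
        if "backend" not in keys:
            problems.append(f"{dom}: no backend configured")
        if "range" not in keys:
            # The thread's misconfiguration: without a range the domain block is
            # unusable and its accounts get IDs allocated from the '*' tdb range.
            problems.append(f"{dom}: no range, lookups fall through to the '*' default domain")
            continue
        try:
            lo, hi = (int(x) for x in keys["range"].split("-"))
            if lo > hi:
                raise ValueError("low above high")
            ranges[dom] = (lo, hi)
        except ValueError as e:
            problems.append(f"{dom}: bad range {keys['range']!r} ({e})")
    names = sorted(ranges)
    for i, a in enumerate(names):
        for b in names[i + 1:]:  # every pair of ranges must be disjoint
            if ranges[a][0] <= ranges[b][1] and ranges[b][0] <= ranges[a][1]:
                problems.append(f"{a} and {b}: ranges overlap, IDs would collide")
    return problems

# Constructed sample: the poster's config with the SAMDOM range line commented out.
BROKEN = """idmap config *:backend = tdb
idmap config *:range = 1000000-1999999
idmap config SAMDOM:backend = ad
idmap config SAMDOM:schema_mode = rfc2307
# idmap config SAMDOM:range = 1000-999999
"""
FIXED = BROKEN.replace("# idmap", "idmap")
```

Running `check_idmap(BROKEN)` reports SAMDOM falling through to the default domain, while `check_idmap(FIXED)` returns no problems.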
