[Samba] use of ‘idmap_ldb:use rfc2307 = yes’ in DCs

Rowland Penny rpenny at samba.org
Thu Jun 20 11:13:40 UTC 2024


On Thu, 20 Jun 2024 12:59:58 +0200
Olaf Frączyk via samba <samba at lists.samba.org> wrote:

> I use uids from this range for many, many years, since samba 3. :)

Which unfortunately was a bad idea: using Samba IDs that start at
'1000' means that you cannot have ANY local users. What happens if you
have AD problems and your users & groups cannot be resolved from AD,
how do you fix it? Especially on distros like Ubuntu that only use
sudo?

> 
> And I want/need to use this range - to change it now would be a mess. 
> And I need to be able to set them manually, not in an automatic way.

It is totally your decision what range to use and yes, it wouldn't be
easy to change individual Unix domain members.
There is no way to set uidNumber & gidNumber attributes automatically,
you must supply them manually.

> 
> By server I mean a domain member server.
> 
> So on samba DC I have: "idmap_ldb:use rfc2307 = yes"
> 
> And on a samba domain member server (that serves files to clients) I
> have
> 
>       idmap config * : backend = tdb
>       idmap config * : range = 20000-20999
>       idmap config NAVIDOM:backend = ad
>       idmap config NAVIDOM:schema_mode = rfc2307
>       idmap config NAVIDOM:range = 1000-9999
>       idmap config NAVIDOM:unix_nss_info = yes
>       idmap config NAVIDOM:unix_primary_group = yes
>       winbind use default domain = yes
>       winbind nss info = rfc2307
> 
> So to summarize:
> 
> In order to use it this way - do I need the "idmap_ldb:use rfc2307 = 
> yes" on DC or not?
> 

In one word, NO.

Rowland
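The collision Rowland warns about (a domain idmap range that begins at 1000, where Ubuntu and most other distros place the first local account) is easy to check for before winbind starts handing out conflicting IDs. The script below is an added example written for this archive page, not code from the thread or from the Samba project: it parses the `idmap config ... : range` lines out of an smb.conf, reports any local passwd entry whose UID falls inside a configured range, and also reports idmap ranges that overlap each other (Samba requires them to be disjoint). The smb.conf fragment and the passwd lines are constructed samples that mirror the ranges quoted above; the `admin:1000` account is an assumed local user added to show a hit.

```shell
#!/bin/sh
# Constructed sample smb.conf fragment for a Samba domain member; the
# NAVIDOM name and the two ranges are those quoted in the thread.
SAMPLE_SMB_CONF="$(cat <<'EOF'
[global]
   security = ADS
   idmap config * : backend = tdb
   idmap config * : range = 20000-20999
   idmap config NAVIDOM:backend = ad
   idmap config NAVIDOM:schema_mode = rfc2307
   idmap config NAVIDOM:range = 1000-9999
EOF
)"

# Constructed variant with a '*' range that intrudes into the domain range.
SAMPLE_BAD_CONF="$(cat <<'EOF'
[global]
   idmap config * : backend = tdb
   idmap config * : range = 5000-5999
   idmap config NAVIDOM:backend = ad
   idmap config NAVIDOM:range = 1000-9999
EOF
)"

# Constructed /etc/passwd lines (not taken from any real system); the
# 'admin' account at UID 1000 is an assumed local user.
SAMPLE_PASSWD="$(cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
admin:x:1000:1000:Local Admin:/home/admin:/bin/bash
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
EOF
)"

# idmap_ranges CONF_TEXT -> one "DOMAIN LOW HIGH" line per range setting.
idmap_ranges() {
    printf '%s\n' "$1" | awk '
        tolower($0) ~ /^[ \t]*idmap config .*range[ \t]*=/ {
            line = $0
            sub(/^[ \t]*idmap config[ \t]*/, "", line)
            split(line, kv, "=")
            dom = kv[1]; sub(/[ \t]*:.*$/, "", dom); gsub(/[ \t]/, "", dom)
            rng = kv[2]; gsub(/[ \t]/, "", rng)
            split(rng, lh, "-")
            print dom, lh[1], lh[2]
        }'
}

# local_uids_in_range PASSWD_TEXT LOW HIGH -> "user:uid" for each local
# account whose UID lies inside [LOW, HIGH].
local_uids_in_range() {
    printf '%s\n' "$1" | awk -F: -v lo="$2" -v hi="$3" \
        '$3+0 >= lo+0 && $3+0 <= hi+0 { print $1 ":" $3 }'
}

# check_idmap_collisions CONF_TEXT PASSWD_TEXT -> "COLLISION DOMAIN user:uid"
# for every local account that a configured idmap range would shadow.
check_idmap_collisions() {
    idmap_ranges "$1" | while read -r dom lo hi; do
        local_uids_in_range "$2" "$lo" "$hi" |
            awk -v d="$dom" '{ print "COLLISION", d, $0 }'
    done
}

# range_overlaps CONF_TEXT -> "OVERLAP DOM1 DOM2" for each pair of idmap
# ranges that intersect; winbind refuses overlapping ranges.
range_overlaps() {
    idmap_ranges "$1" | awk '
        { dom[NR] = $1; lo[NR] = $2 + 0; hi[NR] = $3 + 0 }
        END {
            for (i = 1; i <= NR; i++)
                for (j = i + 1; j <= NR; j++)
                    if (lo[i] <= hi[j] && lo[j] <= hi[i])
                        print "OVERLAP", dom[i], dom[j]
        }'
}

# Report on the constructed samples; on a real host you would pass in
# "$(cat /etc/samba/smb.conf)" and "$(getent passwd)" instead.
echo "== local UID collisions (thread config) =="
check_idmap_collisions "$SAMPLE_SMB_CONF" "$SAMPLE_PASSWD"
echo "== overlapping idmap ranges (bad variant) =="
range_overlaps "$SAMPLE_BAD_CONF"
```

With the ranges from the thread the script flags `COLLISION NAVIDOM admin:1000`: the local `admin` account would be shadowed by whatever AD object carries uidNumber 1000, which is exactly the lockout scenario described when AD lookups fail. Moving the domain range above the distro's local UID range (or reserving the low part of it) makes the check come back empty.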
