[Samba] use of ‘idmap_ldb:use rfc2307 = yes’ in DCs

Olaf Frączyk olaf at navi.pl
Thu Jun 20 11:49:41 UTC 2024


On 2024-06-20 13:13, Rowland Penny via samba wrote:
> On Thu, 20 Jun 2024 12:59:58 +0200
> Olaf Frączyk via samba <samba at lists.samba.org> wrote:
>
>> I use uids from this range for many, many years, since samba 3. :)
> Which unfortunately was a bad idea, using Samba IDs that start at
> '1000' means that you cannot have ANY local users. What happens if you
> have AD problems and your users & groups cannot be resolved from AD,
> how do you fix it? Especially on distros like Ubuntu that only use
> sudo?

The only local user I need for this setup is root. And I don't have a 
problem logging in as root - I use AlmaLinux there.

And, if really needed, I can assign a uidNumber for a local Unix user in 
a way that doesn't overlap with the ones used by Samba - e.g. 10000 and above.

These Samba uidNumbers are from the time when local Linux users started 
from 500, and I assumed that starting at 1000 for Samba would be enough; 
that was 20 years ago or more.

>
>> And I want/need to use this range - to change it now would be a mess.
>> And I need to be able to set them manually, not in an automatic way.
> It is totally your decision what range to use and yes, it wouldn't be
> easy to change individual Unix domain members.
> There is no way to set uidNumber & gidNumber attributes automatically,
> you must supply them manually.
>
>> By server I mean a domain member server.
>>
>> So on samba DC I have: "idmap_ldb:use rfc2307 = yes"
>>
>> And on a samba domain member server (that serves files to clients) I
>> have
>>
>>        idmap config * : backend = tdb
>>        idmap config * : range = 20000-20999
>>        idmap config NAVIDOM:backend = ad
>>        idmap config NAVIDOM:schema_mode = rfc2307
>>        idmap config NAVIDOM:range = 1000-9999
>>        idmap config NAVIDOM:unix_nss_info = yes
>>        idmap config NAVIDOM:unix_primary_group = yes
>>        winbind use default domain = yes
>>        winbind nss info = rfc2307
>>
>> So to summarize:
>>
>> In order to use it this way - do I need the "idmap_ldb:use rfc2307 =
>> yes" on DC or not?
>>
> In one word, NO.

OK. Thank you.

Olaf

>
> Rowland
>
>
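As an added example that is not part of the thread, a check a domain member admin can run for the collision Rowland warns about: it parses the `idmap config ... : range` lines from smb.conf, flags local /etc/passwd accounts whose UID falls inside a winbind range, and reports idmap ranges that overlap each other. The smb.conf and passwd contents are constructed samples embedded inline (the thread's ranges plus an assumed local user at UID 1000).

```python
import re
# Constructed sample: the domain member smb.conf lines from the thread, plus the
# DC-only "idmap_ldb" setting, which is not an idmap range and is ignored here.
SMB_CONF = """\
idmap_ldb:use rfc2307 = yes
idmap config * : backend = tdb
idmap config * : range = 20000-20999
idmap config NAVIDOM:backend = ad
idmap config NAVIDOM:schema_mode = rfc2307
idmap config NAVIDOM:range = 1000-9999
"""

# Constructed /etc/passwd: a local account at UID 1000 and one above the Samba range.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
olaf:x:1000:1000::/home/olaf:/bin/bash
backup:x:10000:10000::/var/backups:/sbin/nologin
"""
RANGE_RE = re.compile(r"^\s*idmap\s+config\s+([^:]+?)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)", re.I)


def parse_idmap_ranges(conf):
    """Return {domain: (low, high)} for every 'idmap config X : range' line."""
    ranges = {}
    for line in conf.splitlines():
        m = RANGE_RE.match(line)
        if m:
            ranges[m.group(1).strip()] = (int(m.group(2)), int(m.group(3)))
    return ranges


def parse_passwd(passwd):
    """Return {username: uid} from passwd-format text, skipping malformed lines."""
    users = {}
    for line in passwd.splitlines():
        fields = line.split(":")
        if len(fields) >= 3 and fields[2].isdigit():
            users[fields[0]] = int(fields[2])
    return users


def find_collisions(ranges, users):
    """Local accounts whose UID winbind could also hand out, as (name, uid, domain)."""
    return sorted((name, uid, dom) for name, uid in users.items()
                  for dom, (lo, hi) in ranges.items() if lo <= uid <= hi)


def overlapping_ranges(ranges):
    """Pairs of idmap domains whose ranges intersect; winbind needs them disjoint."""
    names = sorted(ranges)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if ranges[a][0] <= ranges[b][1] and ranges[b][0] <= ranges[a][1]]
```

On a real member server, feed it the output of `testparm -s` and the contents of /etc/passwd instead of the constructed strings.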