[Samba] use of ‘idmap_ldb:use rfc2307 = yes’ in DCs

Rowland Penny rpenny at samba.org
Thu Jun 20 12:04:10 UTC 2024


On Thu, 20 Jun 2024 13:49:41 +0200
Olaf Frączyk via samba <samba at lists.samba.org> wrote:

> 
> On 2024-06-20 13:13, Rowland Penny via samba wrote:
> > On Thu, 20 Jun 2024 12:59:58 +0200
> > Olaf Frączyk via samba <samba at lists.samba.org> wrote:
> >
> >> I use uids from this range for many, many years, since samba 3. :)
> > Which unfortunately was a bad idea, using Samba IDs that start at
> > '1000' means that you cannot have ANY local users. What happens if
> > you have AD problems and your users & groups cannot be resolved
> > from AD, how do you fix it ? Especially on distros like Ubuntu that
> > only use sudo ?
> 
> The only local user I need for this setup is root. And I don't have a
> problem logging in as root - I use Almalinux there.

Yes, but a lot of people use distros without using 'root' directly,
this means they must use something like sudo, which means local users
in /etc/passwd.
> 
> And, if really needed, I can assign a uidNumber for a local unix user
> in a way that doesn't overlap with the ones used by samba - e.g. 10000
> and above.

Not saying you cannot, but you will then have to manually assign the
Unix ID instead of allowing the OS to set it.

> 
> These samba uidNumbers are from the times when local linux users started
> from 500 and I assumed that starting at 1000 for samba would be enough;
> this was 20 years ago or more.

Yes, some distros did start IDs from 500, but that was later changed to
1000. Times change, but it looks like you haven't.

As I said, I can only make suggestions, which are based on current best
practice, whether you accept them is up to you, it is your network.

Rowland
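The collision Rowland describes (Samba uidNumbers from 1000 upward landing on the same IDs a distro hands to local users and sudo admins) is easy to check for before it bites. The script below is an added example written for this page; it is not from the thread, nor part of Samba. It takes a Samba ID range and checks it against a passwd file and the UID_MIN/UID_MAX window from login.defs. The passwd and login.defs contents are constructed samples, and the 1000-9999 and 100000-199999 ranges are assumed values chosen to show one failing and one clean case.

```shell
#!/bin/sh
# Added example (not from the thread, not Samba code): does a Samba uidNumber
# range collide with local Unix accounts? Two checks:
#   1. local accounts whose UID already sits inside the Samba range
#   2. whether the range overlaps the distro's useradd window (UID_MIN..UID_MAX
#      from login.defs), so a future local user could land on a Samba ID
# All file contents below are constructed samples, not a real host's files.

# Constructed /etc/passwd: a sudo-capable admin at UID 1000 (a common default).
PASSWD_SAMPLE=$(mktemp)
cat > "$PASSWD_SAMPLE" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
admin:x:1000:1000:Local admin:/home/admin:/bin/bash
backup2:x:1001:1001::/home/backup2:/bin/sh
EOF

# Constructed /etc/login.defs fragment.
LOGINDEFS_SAMPLE=$(mktemp)
cat > "$LOGINDEFS_SAMPLE" <<'EOF'
# comment line
UID_MIN  1000
UID_MAX  60000
EOF

# uid_min FILE / uid_max FILE: read the allocation window; fall back to the
# shadow-utils defaults (1000 / 60000) if the key is absent.
uid_min() { awk '$1 == "UID_MIN" { v = $2 } END { print (v == "" ? 1000 : v) }' "$1"; }
uid_max() { awk '$1 == "UID_MAX" { v = $2 } END { print (v == "" ? 60000 : v) }' "$1"; }

# ranges_overlap LO1 HI1 LO2 HI2: true when the two inclusive ranges intersect.
ranges_overlap() { [ "$1" -le "$4" ] && [ "$3" -le "$2" ]; }

# local_uids_in_range LO HI PASSWD: print "name:uid" for local accounts in LO..HI.
local_uids_in_range() {
    awk -F: -v lo="$1" -v hi="$2" '$3 >= lo && $3 <= hi { print $1 ":" $3 }' "$3"
}

# check_id_range LO HI PASSWD LOGINDEFS: return 0 if the Samba range is clear,
# 1 if it already collides, or can collide, with local accounts.
check_id_range() {
    lo=$1; hi=$2; pw=$3; ld=$4; rc=0
    clash=$(local_uids_in_range "$lo" "$hi" "$pw")
    if [ -n "$clash" ]; then
        echo "COLLISION: local accounts inside Samba range $lo-$hi:"
        echo "$clash" | sed 's/^/  /'
        rc=1
    fi
    amin=$(uid_min "$ld"); amax=$(uid_max "$ld")
    if ranges_overlap "$lo" "$hi" "$amin" "$amax"; then
        echo "WARNING: Samba range $lo-$hi overlaps the useradd window $amin-$amax;"
        echo "         new local users would need an explicit -u outside the range"
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: Samba range $lo-$hi is clear of local accounts"
    return "$rc"
}

# Demo: a range starting at 1000 (as in the thread) versus one above the window.
check_id_range 1000 9999 "$PASSWD_SAMPLE" "$LOGINDEFS_SAMPLE" || true
check_id_range 100000 199999 "$PASSWD_SAMPLE" "$LOGINDEFS_SAMPLE" || true
```

On a real host, point the last two arguments at /etc/passwd and /etc/login.defs and pass the range you actually use; the second check is the one that matters for a DC, since it flags a range that is clean today but that the next `useradd` or sudo account could walk into.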
