[Samba] Corrupted idmap...

Rowland Penny rpenny at samba.org
Sat Jan 21 18:40:22 UTC 2017


On Sat, 21 Jan 2017 18:05:52 +0000
Alex Crow via samba <samba at lists.samba.org> wrote:

> Yes, this does not make sense.
> 
> If I have member file servers, and I want to be in control of which
> groups can access what, surely winbind needs to be able to get a GID
> from AD?
> 
> It may be different in our case as we migrated from classic Samba, but
> every non-builtin group we have has a GID assigned and it works
> perfectly. Indeed, if I create a new group without assigning a Unix
> GID, it is not even visible on the member file servers, so IMHO the
> advice you've been given is not correct. Your non-builtin groups that
> you use for file access controls must have a GID number if you're
> using rfc idmap.
> 
> I understand that idmap configuration is not usable on a DC.
> 
> Cheers
> 
> Alex
> 
> 

OK, let's have a look at the 'idmap config' lines on a Unix domain
member:

    idmap config *:backend = tdb
    idmap config *:range = 2000-9999
    ## map ids from the domain; the ranges may not overlap!
    idmap config SAMDOM : backend = ad
    idmap config SAMDOM : schema_mode = rfc2307
    idmap config SAMDOM : range = 10000-999999

Now if a user has a uidNumber inside '10000-999999', or a group has a
gidNumber inside the same range AND Domain Users has a gidNumber, then
they will be shown as members of the 'SAMDOM' domain. Anything else and
this includes the Well Known SIDs shown here:

https://support.microsoft.com/en-us/help/243330/well-known-security-identifiers-in-windows-operating-systems

will be mapped to the '*' domain using the '2000-9999' range.

Just because 'getent' doesn't show the user or group, doesn't mean
winbind isn't aware who they are.

What you have to ask yourself is 'does Unix have to know who this
Windows user or group is?'

Rowland
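The range rule Rowland describes above, as an added stand-alone example (it is not Samba code and does not talk to winbind or AD): it parses the 'idmap config' lines quoted in the message, checks that the per-domain ranges do not overlap, and predicts which idmap domain answers for a given object, following the rule exactly as stated in the message (served by the 'ad' backend only when the object's uidNumber/gidNumber and the 'Domain Users' gidNumber both fall inside the SAMDOM range; everything else goes to the '*' tdb range). The class and function names, the constructed 'Domain Users' gidNumber of 10000, and the sequential tdb allocation are all assumptions made for the example; real idmap_tdb allocation is more involved.

```python
"""Added example, not Samba code: model the idmap range rule from the
message above.  Parses 'idmap config' lines, checks the ranges do not
overlap, and predicts which idmap domain serves an AD user or group.
The tdb allocation is simulated as a simple counter (a simplification)."""
import re

# Constructed smb.conf fragment, copied from the 'idmap config' lines above.
SMB_CONF = """
idmap config *:backend = tdb
idmap config *:range = 2000-9999
idmap config SAMDOM : backend = ad
idmap config SAMDOM : schema_mode = rfc2307
idmap config SAMDOM : range = 10000-999999
"""

# 'idmap config <domain> : <option> = <value>' (spaces around ':' optional)
IDMAP_RE = re.compile(
    r"^\s*idmap\s+config\s+([^:\s]+)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.I)


def parse_idmap(conf):
    """Return {domain: {option: value}} for every 'idmap config' line."""
    cfg = {}
    for line in conf.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            dom, opt, val = m.groups()
            cfg.setdefault(dom.upper(), {})[opt.lower()] = val
    return cfg


def parse_range(text):
    """'2000-9999' -> (2000, 9999)"""
    lo, hi = (int(x) for x in text.split("-"))
    return lo, hi


def overlapping_ranges(cfg):
    """Pairs of idmap domains whose ranges overlap; an empty list is OK."""
    ranges = {d: parse_range(o["range"]) for d, o in cfg.items() if "range" in o}
    names = sorted(ranges)
    bad = []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            (alo, ahi), (blo, bhi) = ranges[a], ranges[b]
            if alo <= bhi and blo <= ahi:
                bad.append((a, b))
    return bad


class IdmapModel:
    """Predict which idmap domain hands out the Unix id for an AD object."""

    def __init__(self, conf, domain_users_gid):
        self.cfg = parse_idmap(conf)
        # Precondition from the message: the ad backend only shows domain
        # objects when 'Domain Users' itself has a gidNumber in the range.
        self.domain_users_gid = domain_users_gid
        # Simulated tdb allocator: next free id in the '*' range (assumption).
        self._tdb_next = parse_range(self.cfg["*"]["range"])[0]

    def resolve(self, ad_domain, rfc2307_id):
        """
        ad_domain:  AD domain of the object ('SAMDOM', 'BUILTIN', or None
                    for well-known SIDs such as S-1-1-0 'Everyone').
        rfc2307_id: the object's uidNumber/gidNumber, or None if unset.
        Returns (idmap_domain, unix_id).
        """
        dom = (ad_domain or "*").upper()
        opts = self.cfg.get(dom)
        if opts and opts.get("backend") == "ad":
            lo, hi = parse_range(opts["range"])
            if (rfc2307_id is not None and lo <= rfc2307_id <= hi
                    and self.domain_users_gid is not None
                    and lo <= self.domain_users_gid <= hi):
                return dom, rfc2307_id
        # Anything else (BUILTIN, well-known SIDs, ids outside the domain
        # range) falls to the '*' default backend and gets an id from there.
        _, hi = parse_range(self.cfg["*"]["range"])
        if self._tdb_next > hi:
            raise RuntimeError("default idmap range exhausted")
        unix_id = self._tdb_next
        self._tdb_next += 1
        return "*", unix_id


if __name__ == "__main__":
    model = IdmapModel(SMB_CONF, domain_users_gid=10000)
    print("overlaps:", overlapping_ranges(model.cfg))
    print(model.resolve("SAMDOM", 10005), model.resolve("BUILTIN", None))
```

Run it as-is to see a user with uidNumber 10005 land in SAMDOM and BUILTIN fall into the '*' range; shrink the SAMDOM range start to 5000 and `overlapping_ranges` reports the clash the config comment warns about.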



