Web lists-archives.com

Re: [Samba] two domain members, different groupIDs




On Thu, 22 Jun 2017 10:12:41 +0200
"Stefan G. Weichinger via samba" <samba@xxxxxxxxxxxxxxx> wrote:

> 1)
> 
> 	idmap config mydomain:schema_mode = rfc2307
> 	idmap config mydomain:range = 10000-99999
> 	idmap config mydomain:backend = rid
> 	idmap config *:range = 2000-9999
> 	idmap config * : backend = tdb
> 
> # wbinfo --group-info=domänen-benutzer
> domänen-benutzer:x:10513:
> 
> 2)
> 
> 	idmap config * : range = 10001-20000
> 	idmap config domain : backend = rid
> 	idmap config domain : range = 10000-20000
> 	idmap config domain : base_rid = 0
> 	idmap config * : backend = tdb
> 
> # wbinfo --group-info=domänen-benutzer
> domänen-benutzer:x:10008:
> 
> 
> I understand/assume that the different idmap configs might cause the
> mismatch in the mapped(?) groupids.

Oh definitely

> 
> Can I fix that without breaking things?

If your users have files stored on the domain members, probably not.

> 
> On which server?
> 

Both !

Your 'idmap config' block on ALL Unix domain members needs to be
something like this:

	idmap config * : backend = tdb
	idmap config *:range = 2000-9999
	idmap config domain : backend = rid
	idmap config domain : range = 10000-99999

Your samba versions are not new enough to use 'idmap config
mydomain:schema_mode = rfc2307' and you wouldn't use it with the 'rid'
backend.

This is deprecated: 'idmap config domain : base_rid = 0' because '0' is
the default.

If you use something like the above on all Unix domain members, you
will always get the same IDs because the 'rid' backend calculates the
ID from the RID.

Rowland



-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba