Re: [Samba] Samba 4.6.5-Debian, authentication on a mix workgroup+domain
- Date: Mon, 31 Jul 2017 12:11:40 +0200
- From: "L.P.H. van Belle via samba" <samba@xxxxxxxxxxxxxxx>
- Subject: Re: [Samba] Samba 4.6.5-Debian, authentication on a mix workgroup+domain
You may write anything you want, but.
I would suggest the following, based on:
Your "MYDOMAIN" range is in a danger zone, and the * range is in a reserved range.
In my opinion, it's better to fix this now the best you can, which means re-applying the user/group rights.
This is why I use this layout on all my servers.
Idmap config *: backend = tdb
Idmap config *: range = 1999-9999
Idmap config MYDOMAIN: backend = ad
Idmap config MYDOMAIN: range = 10000-99999
All ranges are in a safe range (depending on the size of AD / number of users/groups).
By default Samba AD starts at 10000, so I matched that also.
I know this is a pain in the .... But (lol, still funny).. ;-)
The longer you wait, the more problems you will hit in the future.
And.. What Rowland did say.. ;-)
> -----Original message-----
> From: samba [mailto:samba-bounces@xxxxxxxxxxxxxxx] On behalf of
> Rowland Penny via samba
> Sent: Monday 31 July 2017 12:04
> To: samba@xxxxxxxxxxxxxxx
> Subject: Re: [Samba] Samba 4.6.5-Debian, authentication on
> a mix workgroup+domain
> On Mon, 31 Jul 2017 11:38:23 +0200
> Marc-Henri Pamiseux via samba <samba@xxxxxxxxxxxxxxx> wrote:
> > Hi Louis,
> > Must the default idmap values precede the idmap values of the
> > MYDOMAIN domain? May I write something like:
> > Idmap config *: backend = tdb
> > Idmap config *: range = 65000-65535
> > Idmap config MYDOMAIN: backend = ad
> > Idmap config MYDOMAIN: range = 500-3999
> You can do it like that, in fact quite a lot of people do,
> but what happens when you have got to user ID 64999 and you
> want to add another user. It is easy to raise the last number
> in the 'MYDOMAIN' range, but the ranges must not overlap.
> > I think there is a problem in using nobody for the guest account
> > directive while its user ID is 65534.
> Well spotted, somebody, somewhere made a bad decision when
> they gave that ID to 'nobody'. You will just have to work around it.
> > As Rowland mentioned on 2017-07-25:
> > "You now need to give your users a gidNumber containing the Unix ID
> > number of a group and the group would have to have a gidNumber
> > attribute containing the same number."
> > So, does it mean that user nobody, whose gidNumber is
> > "nogroup:x:65534:", needs to be included in this mapping? Should it be
> > as default mapping or as domain mapping?
> No, 'nobody' is a Unix user and Samba maps the Windows user
> 'Guest' to 'nobody'
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba