Re: [Samba] [samba] idmap question
- Date: Thu, 10 Aug 2017 15:13:39 +0200
- From: mathias dufresne via samba <samba@xxxxxxxxxxxxxxx>
- Subject: Re: [Samba] [samba] idmap question
Thank you both for these replies.
Here, at work, "wbinfo --all-domains" gave 5 lines. Let's call MAINDOM the
domain my Samba member is joined to and TRUSTED1 and TRUSTED2 the two
other domains related by trust relationships; the result is:
# wbinfo --all-domains
HOSTNAME -> /etc/passwd & /etc/group (I think, words below about this)
For me HOSTNAME is for users from /etc/passwd added with "smbpasswd -a". I
think that (and can't test yet until I'm back home, but I won't have time to
verify that @home for the next days) because, as far as I remember, when using
"smbpasswd -a someLocalUser" there is no id mapping: the UID used is the
real one of this someLocalUser. I think that's why both ranges declared with
idmap directives must not overlap UIDs/GIDs from /etc/passwd and /etc/group.
2017-08-10 12:51 GMT+02:00 Rowland Penny via samba <samba@xxxxxxxxxxxxxxx>:
> On Thu, 10 Aug 2017 12:19:36 +0200
> "L.P.H. van Belle via samba" <samba@xxxxxxxxxxxxxxx> wrote:
> > Hai Mathias,
> > Type: wbinfo --all-domains
> > You should see 3 domain names.
> > BUILTIN => idmap config *
> > HOSTNAME => ? Don't know where this one maps to.
> > NTDOM => idmap config NTDOM
> On a Unix domain member, I get 4
> I have no idea where 'EXAMPLE' comes from, I have never set up any
> smb.conf that contains 'workgroup = EXAMPLE' on the Unix domain member.
Perhaps, as here where there is a trust relationship, your EXAMPLE comes from
an old trust test you made?
> > I use for example ( for debian ) the following.
> > I use this as followed.
> > ## map id's outside to NT domain to tdb files.
> > idmap config *: backend = tdb
> > idmap config *: range = 2000-2999
> > ## map ids from the domain and (*) the range may not overlap !
> > idmap config NTDOM : backend = ad
> > idmap config NTDOM : schema_mode = rfc2307
> > idmap config NTDOM : range = 10000-3999999
> > And I think, but I never use that, you can match the hostname also.
> > Like,
> > idmap config HOSTNAME : backend = tdb
> > idmap config HOSTNAME : range = 3000-9999
> > ! But I can't confirm about the "HOSTNAME" part if that's 100% correct.
> It probably would work, but I have never tried it.
As I said above, I think the "HOSTNAME" domain from wbinfo --all-domains is
for users and groups from local files (/etc/passwd and /etc/group). As
already said, I could be wrong.
> > Id 0-1999 (local linux users) 0-999 for system users (*this can
> > differ on another OS. ) 2000-2999 BUILTIN\...... ( example
> > is BUILTIN\administrators) 3000-9999 HOSTNAME\ ?
> > 10000-99999 NTDOM\users I start here at 10.000 because samba
> > backend AD starts also at 10.000.
> > Now "NTDOM\Domain Admins" is member of : BUILTIN\administrators
> > And "NTDOM\Domain users" is member of : BUILTIN\users
> > SePrivileges should be set on : BUILTIN\administrators, and not as
> > most examples show "domain admins" And because of this you should
> > always set : winbind expand groups = 2 But I prefer winbind expand
> > groups = 4 Backtrace for example everything backup related and see
> > which groups are used and with SePrivileges you should set.
> Never tried this, but you are quite correct, you should NEVER give
> 'Domain Admins' a gidNumber. I do it another way, I create a group
> 'Unix Admins', give this group a gidNumber and add this to 'Domain
I don't follow you both on that. I mean I don't understand what could be
And using idmap_rid it is just impossible (according to my little knowledge
of Samba) to avoid giving a UID or GID: if a user or group exists, it will
have a UID or GID computed from the object's RID + the low number of the domain range from
the "idmap config" line.
So if there is some issue about giving "domain admins" a GID, I'd be glad
to understand it ;)
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
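The rule this thread keeps coming back to (the idmap ranges for "*", the joined domain and any local "HOSTNAME" mapping must not overlap each other, nor the UIDs already in /etc/passwd) is easy to get wrong by hand. Below is an added check, written for this page and not code from Samba or from anyone in the thread, that parses the "idmap config ... : range" lines from an smb.conf fragment, reports overlapping ranges and local accounts that fall inside a winbind range, and applies the idmap_rid arithmetic described above (id = RID + low end of the domain range). The smb.conf fragment and the passwd lines are constructed for the example; the domain names and ranges are the ones posted in the thread.

```python
import re
from typing import Dict, List, Tuple

Range = Tuple[int, int]

# Constructed smb.conf fragment (ranges as posted in the thread).
SMB_CONF = """
[global]
   workgroup = NTDOM
   idmap config * : backend = tdb
   idmap config * : range = 2000-2999
   idmap config NTDOM : backend = ad
   idmap config NTDOM : schema_mode = rfc2307
   idmap config NTDOM : range = 10000-3999999
   idmap config HOSTNAME : backend = tdb
   idmap config HOSTNAME : range = 3000-9999
"""

# Constructed /etc/passwd lines: 'alice' sits inside the '*' range and
# 'nobody' (Debian's 65534) inside the NTDOM range, both of which the
# thread says must be avoided.
PASSWD = """root:x:0:0:root:/root:/bin/bash
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
alice:x:2500:2500:Alice:/home/alice:/bin/bash
"""

IDMAP_RANGE_RE = re.compile(
    r"^\s*idmap\s+config\s+(?P<dom>\S+)\s*:\s*range\s*=\s*(?P<low>\d+)\s*-\s*(?P<high>\d+)\s*$",
    re.IGNORECASE,
)


def parse_idmap_ranges(conf_text: str) -> Dict[str, Range]:
    """Collect 'idmap config DOM : range = low-high' lines into {DOM: (low, high)}."""
    ranges: Dict[str, Range] = {}
    for line in conf_text.splitlines():
        m = IDMAP_RANGE_RE.match(line)
        if m:
            low, high = int(m["low"]), int(m["high"])
            if low > high:
                raise ValueError(f"range for {m['dom']} is reversed: {low}-{high}")
            ranges[m["dom"]] = (low, high)
    return ranges


def parse_passwd_ids(passwd_text: str) -> Dict[str, int]:
    """Return {username: uid} from passwd-format lines (name:x:uid:gid:...)."""
    ids: Dict[str, int] = {}
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 3 and fields[2].isdigit():
            ids[fields[0]] = int(fields[2])
    return ids


def find_overlaps(ranges: Dict[str, Range]) -> List[Tuple[str, str]]:
    """Pairs of idmap domains whose ranges intersect; winbind requires this to be empty."""
    names = sorted(ranges)
    bad = []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            (al, ah), (bl, bh) = ranges[a], ranges[b]
            if al <= bh and bl <= ah:
                bad.append((a, b))
    return bad


def local_ids_in_ranges(ranges: Dict[str, Range], local_ids: Dict[str, int]) -> List[Tuple[str, int, str]]:
    """Local accounts whose UID lies inside a winbind range (would collide with mapped ids)."""
    hits = []
    for name, uid in sorted(local_ids.items(), key=lambda kv: kv[1]):
        for dom, (low, high) in ranges.items():
            if low <= uid <= high:
                hits.append((name, uid, dom))
    return hits


def rid_to_uid(rid: int, domain: str, ranges: Dict[str, Range]) -> int:
    """idmap_rid mapping as described in the thread: id = RID + low end of the range."""
    low, high = ranges[domain]
    uid = low + rid
    if uid > high:
        raise ValueError(f"RID {rid} maps to {uid}, beyond the {domain} range {low}-{high}")
    return uid


if __name__ == "__main__":
    r = parse_idmap_ranges(SMB_CONF)
    print("ranges:", r)
    print("overlapping ranges:", find_overlaps(r))
    print("local accounts inside winbind ranges:", local_ids_in_ranges(r, parse_passwd_ids(PASSWD)))
    # RID 512 is the well-known 'Domain Admins' RID.
    print("Domain Admins under idmap_rid would get uid", rid_to_uid(512, "NTDOM", r))
```

Run against a real system by feeding it the output of `testparm -s` and the contents of /etc/passwd; the same check applies to /etc/group against the GID side, since winbind uses one range for both users and groups.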