Web lists-archives.com

Re: [Samba] GID range full!!




On Mon, 4 Dec 2017 12:56:37 +0100
"Stefan G. Weichinger" <lists@xxxxxxxx> wrote:

> Am 2017-12-04 um 12:42 schrieb Rowland Penny:
> 
> > II take it that 'arbeitsgruppe' is the workgroup name, it should be
> > 'ARBEITSGRUPPE' in the 'idmap config' lines.
> 
> The output of testparm shows them lowercase, smb.conf has it in
> uppercase:
> 
> [global]
>         security = ADS
>         workgroup = ARBEITSGRUPPE
>         realm = arbeitsgruppe.hidden.tld
>         log file = /var/log/samba/%m.log
>         log level = 1
> 
>         idmap config * : backend = tdb
>         idmap config * : range = 2000-9999
> 
>         idmap config ARBEITSGRUPPE:backend = ad
>         idmap config ARBEITSGRUPPE:range = 10000-9999999
>         idmap config ARBEITSGRUPPE:schema_mode = rfc2307
> 
>         username map = /etc/samba/user.map
> 
>         winbind use default domain = Yes
>         winbind refresh tickets = Yes
>         winbind nss info = rfc2307
> 
>         load printers = No
>         printcap name = /dev/null
> 
>         vfs objects = acl_xattr
>         map acl inherit = yes
>         store dos attributes = yes
> 
> > The '*' range is used to store the Well Known SIDs and anything
> > outside the 'arbeitsgruppe' domain, 7999 IDs is more than enough
> > for this, in fact 999 IDs should have been enough, there are less
> > than 200 Well Known SIDs. 
> > Your 'arbeitsgruppe' domain members should fit into 9989999 IDs
> > 
> > I suspect that either your domain computers are not in fact domain
> > computers, or something is badly mis-configured.
> 
> Well, I come back here to ask how to do things and configure DC and DM
> for over a year now. We discussed the config in various threads and I
> always follow your suggestions and the docs as good as I can and
> understand.
> 
> Same this time. *I* don't know what is wrong or might be wrong.
> 
> You suggest the domain computers might not be what they should be:
> domain computers. You mean, the windows PCs might be not joined
> correctly?

There doesn't seem to anything really wrong with the smb.conf, unless
you are running a version of Samba from 4.6.0, see here for how to set
up idmap now:

https://wiki.samba.org/index.php/Idmap_config_ad

You can also find a list of Well Known SIDs here:

https://support.microsoft.com/en-us/help/243330/well-known-security-identifiers-in-windows-operating-systems

It may be, for some reason, your windows clients are not joined, this
is unlikely, but worth checking.

Rowland

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba