[Samba] Avoiding uid conflicts between rfc2307 user/groups and computers
- Date: Fri, 12 Jan 2018 14:23:36 +0100
- From: Prunk Dump via samba <samba@xxxxxxxxxxxxxxx>
- Subject: [Samba] Avoiding uid conflicts between rfc2307 user/groups and computers
Hi Samba team!
I have some conflicts between UIDs stored in the rfc2307 attributes and
some local UIDs from idmap.ldb.
My network:
I have three Samba AD DCs with sysvol replication. Sadly, as I don't
have any other machines, the three DCs also share my users' Home and
Profile directories. So I need at least:
-> Builtin User/Group ID mapping between DCs (easy)
-> Domain User/Group ID mapping between DCs
-> Computer IDs that do not conflict with the other IDs
(computer accounts are not used on the shares)
How I currently do it:
I don't use ADUC. So to create a new user:
-> I use the samba-tool command always on the same DC (say DC1).
-> One local xidNumber is generated in idmap.ldb
-> So I take the xidNumber and I put it in the rfc2307 uidNumber attribute.
I do the same for creating groups.
The problem comes with the computer accounts of Windows machines,
because as the accounts are created from clients, I have no control over
the ID generation.
How the problem appears:
-> I create a user "myuser" on DC1.
-> A local xidNumber = 3000025 (for example) is created locally and
copied to the rfc2307 attributes.
-> On the other DCs, there is no local xidNumber for "myuser" because
the rfc2307 attribute is already set.
-> Next I join a new Windows computer on the Domain.
-> On DC1, no problem, the local xidNumber prevents a conflict with the
newly created machine's local ID
-> But on DC2, sometimes, a local xidNumber of 3000025 (like myuser)
is allocated for the new computer and myuser sometimes loses access
to the shares (sometimes winbind says that the files are owned by
"myuser", sometimes it says that they are owned by the machine).
Is there a way to tell Samba to use different ranges for user/group
xidNumber and computer xidNumber?
Does anyone have an idea how to solve my problem?
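One way to check each DC for the collision described in this message, added here as an example and not part of the original post: it compares an LDIF dump of the directory's rfc2307 attributes with a dump of that DC's idmap.ldb and reports every xidNumber that a different SID already holds as uidNumber or gidNumber. The record layout (`objectSid`, `type`, `ID_TYPE_*`, `xidNumber`) is assumed to match what ldbsearch prints; the function names, SIDs and sample records are constructed.

```python
# Added example; all LDIF below is constructed sample data, not real output.
# Simplified LDIF parsing: no base64 values, no folded lines.
SAM = """dn: CN=myuser,CN=Users,DC=example,DC=test
sAMAccountName: myuser
objectSid: S-1-5-21-1-2-3-1104
uidNumber: 3000025
"""
IDMAP_DC1 = """dn: CN=S-1-5-21-1-2-3-1104
objectSid: S-1-5-21-1-2-3-1104
type: ID_TYPE_BOTH
xidNumber: 3000025
"""
IDMAP_DC2 = """dn: CN=S-1-5-21-1-2-3-1120
objectSid: S-1-5-21-1-2-3-1120
type: ID_TYPE_BOTH
xidNumber: 3000025
"""

def parse_ldif(text):
    """Return one {attribute: value} dict per blank-line-separated record."""
    records = []
    for block in text.strip().split("\n\n"):
        rec = dict(l.split(": ", 1) for l in block.splitlines() if ": " in l)
        if rec:
            records.append(rec)
    return records

# idmap 'type' values that can clash with each rfc2307 attribute
CLASHES = {"uidNumber": {"ID_TYPE_UID", "ID_TYPE_BOTH"},
           "gidNumber": {"ID_TYPE_GID", "ID_TYPE_BOTH"}}

def find_conflicts(sam_ldif, idmap_ldif):
    """List (id, attribute, rfc2307 owner, idmap SID) for IDs held by two SIDs."""
    owners = {}  # (attribute, id) -> (objectSid, sAMAccountName)
    for rec in parse_ldif(sam_ldif):
        # Assumption: a record with uidNumber is a user; its gidNumber only names its group
        attr = "uidNumber" if "uidNumber" in rec else "gidNumber"
        if attr in rec and "objectSid" in rec:
            owners[(attr, rec[attr])] = (rec["objectSid"], rec.get("sAMAccountName", "?"))
    conflicts = []
    for rec in parse_ldif(idmap_ldif):
        if "xidNumber" not in rec or "objectSid" not in rec:
            continue  # not a SID mapping record
        for attr, types in CLASHES.items():
            owner = owners.get((attr, rec["xidNumber"]))
            if owner and rec.get("type") in types and owner[0] != rec["objectSid"]:
                conflicts.append((int(rec["xidNumber"]), attr, owner[1], rec["objectSid"]))
    return conflicts
```

With the constructed data, the DC1 dump yields no conflict because the mapping belongs to the same SID, while the DC2 dump reports 3000025 as held by both myuser and the other SID.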