
Re: [Samba] idmap limit?






On 16.01.2018 at 17:26, Rowland Penny via samba wrote:
On Tue, 16 Jan 2018 16:54:17 +0100
Andreas Hauffe via samba <samba@xxxxxxxxxxxxxxx> wrote:

Ok, you are completely right. Here are the real numbers with changed
user names:

drwx------ 43 DOM\user1    DOM\domain-user  4096 Jan 10 08:00 user1
drwx------  5 DOM\user2    DOM\domain-user  4096 Jan 11 08:13 user2
drwx------ 92 DOM\user3    DOM\domain-user  4096 Jan 16 08:39 user3
drwx------  3 133265       DOM\domain-user  4096 Sep  7  2015 user4
drwx------  7 470055       DOM\domain-user  4096 Apr 30  2013 user5
drwx------ 12 DOM\user6    DOM\domain-user  4096 Jan  4 12:46 user6
drwx------ 51 DOM\user7    DOM\domain-user  4096 Jan 15 23:01 user7
drwx------  2 95092        DOM\domain-user  4096 Jul  1  2015 user8
drwx------  3 DOM\user9    DOM\domain-user  4096 Jun  8  2015 user9
....
drwx------  7 DOM\user200  DOM\domain-user  4096 Nov  6  2012 user200

   > wbinfo --uid-info=133265
failed to call wbcGetpwuid: WBC_ERR_DOMAIN_NOT_FOUND
Could not get info for uid 133265

   > wbinfo -i DOM\\user4
DOM\user4:*:133265:10513::/home/user4:/bin/bash

After the last command (wbinfo -i DOM\\user4), "wbinfo
--uid-info=133265" also shows the correct result, and the "ls -l" listing
also lists the user name instead of the uid.


One thing I have spotted:

/etc/krb5.conf should be:

[libdefaults]
      default_realm = DOM2.DOM.TU-DRESDEN.DE
      dns_lookup_realm = false
      dns_lookup_kdc = true

What is 'DOM2' ?
Is it a trusted domain ?

As I said, you are using the 'rid' backend and adding users to AD
shouldn't affect how winbind works. Your user 'user4' must have the RID
'123265' and so should be available as a Unix user.

I take it that the Unix domain member is using the DC as its DNS
nameserver.

Rowland

Actually, it should be and is "DOM2.DOM.EXAMPLE.DE". And this domain (DOM2) is a subdomain of DOM.EXAMPLE.DE (bidirectional transitive trust). At our university we have a parent domain "DOM.EXAMPLE.DE" where all the user accounts are held/administered. Every department has a subdomain for its services. In our example case "DOM2.DOM.EXAMPLE.DE". The client and so the member server are members of "DOM2.DOM.EXAMPLE.DE". But most of the users are from "DOM.EXAMPLE.DE".

And I checked, the RID of the user4 is 123265.

Yes, the DC (actually both DCs) is the dns of the unix member server.

--
Best regards
Andreas Hauffe
Head of the research field "Design Methods for Aircraft"

----------------------------------------------------------------------------------------------------
Technische Universität Dresden
Institut für Luft- und Raumfahrttechnik / Institute of Aerospace Engineering
Lehrstuhl für Luftfahrzeugtechnik / Chair of Aircraft Engineering

D-01062 Dresden
Germany

phone : +49 (351) 463 38496
fax :  +49 (351) 463 37263
mail : andreas.hauffe@xxxxxxxxxxxxx
Website : http://tu-dresden.de/mw/ilr/lft
----------------------------------------------------------------------------------------------------
Do you know our free laminate analysis code eLamX²? If not, please visit the following web address:
http://www.elamx.de
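
The relationship Rowland describes between a rid-backend uid and the account's RID, applied to the numeric owners in the listing above; this is an added example, not part of the original message and not Samba code. It assumes the idmap_rid default base_rid of 0 and a range starting at 10000 (inferred from uid 133265 and RID 123265 in the thread); the upper bound 999999 is a made-up placeholder.

```shell
#!/bin/sh
# Added example; the thread does not show the idmap section of smb.conf.
# Assumed configuration for the user domain:
#   idmap config DOM : backend = rid
#   idmap config DOM : range   = 10000-999999
LOW=10000      # inferred from the thread: uid 133265 - RID 123265
HIGH=999999    # hypothetical upper bound, not from the thread
BASE_RID=0     # idmap_rid default

# idmap_rid maps ID = RID - BASE_RID + LOW, so RID = ID - LOW + BASE_RID.
# Reads `ls -l` lines on stdin. For every entry whose owner column is a bare
# number (winbind returned no name), prints "<name> <uid> <rid>", or
# "<name> <uid> out-of-range" when the uid cannot come from this range.
# The name is taken from the last field, so names with spaces are truncated.
unresolved_owners() {
    awk -v low="$LOW" -v high="$HIGH" -v base="$BASE_RID" '
        $1 ~ /^[-dlbcps]/ && $3 ~ /^[0-9]+$/ {
            uid = $3 + 0
            if (uid < low || uid > high)
                print $NF, uid, "out-of-range"
            else
                print $NF, uid, uid - low + base
        }'
}

# Constructed sample: four rows copied from the listing in the message.
sample_listing() {
cat <<'EOF'
drwx------ 43 DOM\user1  DOM\domain-user 4096 Jan 10 08:00 user1
drwx------  3 133265     DOM\domain-user 4096 Sep  7  2015 user4
drwx------  7 470055     DOM\domain-user 4096 Apr 30  2013 user5
drwx------  2 95092      DOM\domain-user 4096 Jul  1  2015 user8
EOF
}

sample_listing | unresolved_owners
```

Each RID printed can be compared with the account's RID in AD, as was done for user4 in the message.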

