Re: [Samba] idmap limit?

On 16.01.2018 at 17:26, Rowland Penny via samba wrote:
On Tue, 16 Jan 2018 16:54:17 +0100
Andreas Hauffe via samba

Ok, you are completely right. Here are the real numbers with changed
user names:

drwx------ 43 DOM\user1        DOM\domain-user   4096 Jan 10 08:00 user1
drwx------  5 DOM\user2        DOM\domain-user   4096 Jan 11 08:13 user2
drwx------ 92 DOM\user3        DOM\domain-user   4096 Jan 16 08:39 user3
drwx------  3 133265           DOM\domain-user   4096 Sep  7  2015 user4
drwx------  7 470055           DOM\domain-user   4096 Apr 30  2013 user5
drwx------ 12 DOM\user6        DOM\domain-user   4096 Jan  4 12:46 user6
drwx------ 51 DOM\user7        DOM\domain-user   4096 Jan 15 23:01 user7
drwx------  2 95092            DOM\domain-user   4096 Jul  1  2015 user8
drwx------  3 DOM\user9        DOM\domain-user   4096 Jun  8  2015 user9
....
drwx------  7 DOM\user200      DOM\domain-user   4096 Nov  6  2012

   > wbinfo --uid-info=133265
failed to call wbcGetpwuid: WBC_ERR_DOMAIN_NOT_FOUND
Could not get info for uid 133265

   > wbinfo -i DOM\\user4

After the last command (wbinfo -i DOM\\user4), "wbinfo
--uid-info=133265" also shows the correct result, and the "ls -l" listing
also lists the user name instead of the uid.

One thing I have spotted:

/etc/krb5.conf should be:

      default_realm = DOM2.DOM.TU-DRESDEN.DE
      dns_lookup_realm = false
      dns_lookup_kdc = true

What is 'DOM2' ?
Is it a trusted domain ?

As I said, you are using the 'rid' backend and adding users to AD
shouldn't affect how winbind works. Your user 'user4' must have the RID
'123265' and so should be available as a Unix user.

I take it that the Unix domain member is using the DC as its dns


Actually, it should be and is "DOM2.DOM.EXAMPLE.DE". And this domain (DOM2) is a subdomain of DOM.EXAMPLE.DE (bidirectional transitive trust). At our university we have a parent domain "DOM.EXAMPLE.DE" where all the user accounts are held/administered. Every department has a subdomain for its services. In our example case "DOM2.DOM.EXAMPLE.DE". The client and so the member server are members of "DOM2.DOM.EXAMPLE.DE". But most of the users are from "DOM.EXAMPLE.DE".

And I checked, the RID of the user4 is 123265.

Yes, the DC (actually both DCs) is the dns of the unix member server.

Best regards
Andreas Hauffe
Head of the research field "Design Methods for Aircraft"

Technische Universität Dresden
Institut für Luft- und Raumfahrttechnik / Institute of Aerospace Engineering
Lehrstuhl für Luftfahrzeugtechnik / Chair of Aircraft Engineering

D-01062 Dresden

phone : +49 (351) 463 38496
fax :  +49 (351) 463 37263
mail : andreas.hauffe@xxxxxxxxxxxxx
Website : http://tu-dresden.de/mw/ilr/lft
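
Added example, not part of either message: a small triage helper that picks the unresolved numeric owners out of an "ls -l" listing like the one above and converts each uid back to the RID that the 'rid' backend would have used, following the formula in idmap_rid(8). The range values and base_rid are assumptions (the low bound 10000 is inferred from the pair uid 133265 / RID 123265 in the thread; the high bound is hypothetical), and the listing is a constructed sample.

```python
# Assumed idmap settings; these are not shown anywhere in the thread.
# RANGE_LOW = 10000 is inferred from uid 133265 <-> RID 123265.
# RANGE_HIGH is a hypothetical upper bound, BASE_RID is the default.
RANGE_LOW, RANGE_HIGH, BASE_RID = 10000, 999999, 0

# Constructed sample, shaped like the listing in the message above.
LISTING = r"""
drwx------ 43 DOM\user1 DOM\domain-user 4096 Jan 10 08:00 user1
drwx------  3 133265    DOM\domain-user 4096 Sep  7 2015 user4
drwx------  7 470055    DOM\domain-user 4096 Apr 30 2013 user5
drwx------  2 95092     DOM\domain-user 4096 Jul  1 2015 user8
"""

def uid_to_rid(uid, low=RANGE_LOW, base_rid=BASE_RID):
    """idmap_rid(8): RID = ID + BASE_RID - LOW_RANGE_ID."""
    return uid + base_rid - low

def rid_to_uid(rid, low=RANGE_LOW, high=RANGE_HIGH, base_rid=BASE_RID):
    """idmap_rid(8): ID = RID - BASE_RID + LOW_RANGE_ID.

    Returns None when the result falls outside the configured range,
    which is the case in which the backend cannot map the account.
    """
    uid = rid - base_rid + low
    return uid if low <= uid <= high else None

def unresolved_owners(listing):
    """Return (entry name, uid, rid) for rows whose owner is a bare number."""
    found = []
    for line in listing.strip().splitlines():
        fields = line.split()
        # perms, links, owner, group, size, month, day, time/year, name
        if len(fields) >= 9 and fields[2].isdigit():
            uid = int(fields[2])
            found.append((fields[-1], uid, uid_to_rid(uid)))
    return found

if __name__ == "__main__":
    for name, uid, rid in unresolved_owners(LISTING):
        in_range = rid_to_uid(rid) is not None
        print(f"{name}: uid {uid} -> RID {rid}, inside idmap range: {in_range}")
        print(f"  check with: wbinfo --uid-info={uid}")
```
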