Web lists-archives.com

Re: [Samba] wbinfo -U id gives different users on same dc

On Tue, 13 Feb 2018 15:52:13 +0200
Özkan Göksu <ozkan.goksu@xxxxxxxxxx> wrote:

> Thank you for reply Rowland.
> Sorry for my typo. I intended to change  sm--to-->test but i forget to
> change other lines.
> So my original config is below:
>         workgroup = sm
> >         realm = sm.pvt
> >         server string = %h Test Host
> >         security = ads
> >         encrypt passwords = yes
> >         idmap config sm.pvt : backend = ad
> >         idmap config sm.pvt : range = 10000-20000
> >         idmap config sm.pvt : schema_mode = rfc2307
> >         idmap config * : range = 8000-9000
> Honestly I am not sure about using ads backend at all. I have read
> samba documents. As rid backend use local database and it may get
> corrupted, I chose ad backend.
> On the other hand I should not install any extensions on Windows
> Active Directory server. Samba documents tells something about
> installing unix extensions but as far as I see this is not a must for
> ads.
> So it would be best if someone could help me understanding about rid
> vs ads. I suspect my problem depends on it.

OK, if you cannot add anything to AD, then you cannot use the winbind
'ad' backend, so you will have to use the 'rid' backend.

The 'rid' backend does not use a local database, it use the AD
database. The users (or groups) ID is calculated from the AD objectsid,
this will be in the form:


The last portion is the RID '2130' and is unique in the domain, the
rest identifies the domain.

The winbind 'rid' calculates the ID from the RID and the lower range
you set in AD with this calculation:


BASE_RID is 0, so it is really:


So, using your lower range and the RID from above, it becomes

ID = 2130 + 10000

ID = 12130

If you use the same smb.conf on all Unix domain members in the domain,
you will always get the same Unix ID.


To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba