Re: [Samba] samba 2.4.6 to 2.4.7 update on Fedora update 26 to 27, can't connect to shares
- Date: Fri, 2 Mar 2018 09:37:03 +0000
- From: Rowland Penny via samba <samba@xxxxxxxxxxxxxxx>
- Subject: Re: [Samba] samba 2.4.6 to 2.4.7 update on Fedora update 26 to 27, can't connect to shares
On Fri, 2 Mar 2018 14:32:15 +1100
Norman Gaywood <ngaywood@xxxxxxxxxx> wrote:
> On 1 March 2018 at 18:49, Rowland Penny <rpenny@xxxxxxxxx> wrote:
> > > idmap range not specified for domain '*'
> > > ERROR: Invalid idmap range for domain *!
> > >
> > You haven't set the 'idmap config' lines correctly, which may mean
> > you are using sssd instead. If this is the case, then you are
> > asking in the wrong place, you need to ask on the sssd-users
> > mailing list.
> After reading a lot about idmap conf and idmap backends, I'm thinking
> that what I've been doing is not expressible with idmap.
> What I need is what is described, much better than I did, here:
> That is:
> Samba will authenticate against AD, and then utilize the normal
> 'getent' system calls to gather the uid/gid numbers, and those will
> come from OpenLDAP, and/or the local system files as configured
> within the nsswitch.conf file.
> Is this type of setup still possible?
Your Samba machine can be a Unix active directory domain member or it
can be a member of an NT4-style domain that uses ldap, it cannot be
It can also authenticate from an ldap server on another machine, in
this case, it wouldn't be a domain member.
It should be possible to authenticate to the ldap server (or AD), but
you are getting into a bit of a mess here. Your users will need to
exist (separately) everywhere.
I think you should consider just joining the Samba machine to the AD
domain and use the 'rid' backend. This way, your users & groups are
only stored in one place and you do not need to add anything to AD.
To unsubscribe from this list go to the following URL and read the