
Re: [Samba] samba 2.4.6 to 2.4.7 update on Fedora update 26 to 27, can't connect to shares

On Fri, 2 Mar 2018 14:32:15 +1100
Norman Gaywood <ngaywood@xxxxxxxxxx> wrote:

> On 1 March 2018 at 18:49, Rowland Penny <rpenny@xxxxxxxxx> wrote:
> >
> > > idmap range not specified for domain '*'
> > > ERROR: Invalid idmap range for domain *!
> > >
> >
> > You haven't set the 'idmap config' lines correctly, which may mean
> > you are using sssd instead. If this is the case, then you are
> > asking in the wrong place, you need to ask on the sssd-users
> > mailing list.
> >
> After reading a lot about idmap conf and idmap backends, I'm thinking
> that what I've been doing is not expressible with idmap.
> What I need is what is described, much better than I did, here:
>  https://wiki.samba.org/index.php/Samba,_Active_Directory_%26_LDAP
> That is:
> Samba will authenticate against AD, and then utilize the normal
> 'getent' system calls to gather the uid/gid numbers, and those will
> come from OpenLDAP, and/or the local system files as configured
> within the nsswitch.conf file.
> Is this type of setup still possible?

Your Samba machine can be a Unix active directory domain member or it
can be a member of an NT4-style domain that uses ldap, it cannot be
It can also authenticate from an ldap server on another machine, in
this case, it wouldn't be a domain member.
It should be possible to authenticate to the ldap server (or AD), but
you are getting into a bit of a mess here. Your users will need to
exist (separately) everywhere.  

I think you should consider just joining the Samba machine to the AD
domain and use the 'rid' backend. This way, your users & groups are
only stored in one place and you do not need to add anything to AD.
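
Added example, not part of the original message and not Samba's own code: a small Python check over a constructed smb.conf for an AD domain member using the 'rid' backend. It flags a missing range for the default domain '*' (the condition behind the error quoted in the thread) and overlapping ranges. The domain name SAMDOM, the realm and the numeric ranges are placeholder assumptions.

```python
import re

# Constructed sample smb.conf for an AD domain member using the 'rid' backend.
# SAMDOM, the realm and the numeric ranges are placeholders, not thread values.
SAMPLE_GOOD = """
[global]
    security = ads
    workgroup = SAMDOM
    realm = SAMDOM.EXAMPLE.COM
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    idmap config SAMDOM : backend = rid
    idmap config SAMDOM : range = 10000-999999
"""

# Constructed: the same file with the default-domain range line missing.
SAMPLE_BAD = SAMPLE_GOOD.replace("    idmap config * : range = 3000-7999\n", "")

IDMAP_RE = re.compile(
    r"^\s*idmap config\s+(\S+)\s*:\s*(\w[\w ]*?)\s*=\s*(.+?)\s*$", re.I)

def parse_idmap(text):
    """Return {domain: {option: value}} built from 'idmap config' lines."""
    domains = {}
    for line in text.splitlines():
        if line.lstrip().startswith(("#", ";")):  # smb.conf comment lines
            continue
        m = IDMAP_RE.match(line)
        if m:
            dom, opt, val = m.groups()
            domains.setdefault(dom.upper(), {})[opt.lower()] = val
    return domains

def check_idmap(text):
    """Return a list of problems: missing or invalid ranges, and overlaps."""
    problems, ranges = [], []
    domains = parse_idmap(text)
    domains.setdefault("*", {})  # assumption: '*' is always required to have a range
    for dom, opts in sorted(domains.items()):
        m = re.fullmatch(r"(\d+)\s*-\s*(\d+)", opts.get("range", ""))
        if not m or int(m.group(1)) > int(m.group(2)):
            problems.append(f"no valid idmap range for domain {dom}")
            continue
        ranges.append((int(m.group(1)), int(m.group(2)), dom))
    ranges.sort()
    for (lo1, hi1, d1), (lo2, hi2, d2) in zip(ranges, ranges[1:]):
        if lo2 <= hi1:  # the next range starts inside the previous one
            problems.append(f"idmap ranges overlap: {d1} and {d2}")
    return problems
```
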
