Re: [Samba] idmap problems
- Date: Wed, 2 Jan 2019 15:12:05 +0000
- From: Rowland Penny via samba <samba@xxxxxxxxxxxxxxx>
- Subject: Re: [Samba] idmap problems
On Wed, 2 Jan 2019 14:42:39 +0000
Rob Mason <rob@xxxxxxxxxxxx> wrote:
> Many thanks Rowland. Yes, I don't understand idmaps, but I _think_
> I'm getting it. I have added the gid of 60002 for Domain Admins and
> undertaken some 'chgrp' tasks. I've now got a domain member with
> shares that presents the correct ownership. All looks good.
> I'm still slightly confused why I have two ranges within my member
> idmap config * : backend = tdb
> idmap config * : range = 3000-29999 ========> reserved for
> BUILTIN ??? (and '3000000' range on the DC?)
Yes & no ;-)
The '*' domain is for the BUILTIN users & groups and anything outside
the 'DOMAIN' domain; it has nothing to do with the DC IDs.
> idmap config SAMDOM:backend = ad
> idmap config SAMDOM:schema_mode = rfc2307
> idmap config SAMDOM:range = 30000-99999 ========> my uid/gid
> range for SAMDOM local domain accounts ???
Yes, where 'SAMDOM' is your AD domain.
> If I only require the domain user/admin accounts, I don't understand
> the need for the first (BUILTIN?) range.
You might think you only need the 'SAMDOM' domain, but AD also needs
the '*' domain.
I do hope you are not thinking of using GPOs; you have just stopped
Domain Admins from owning things in Sysvol.
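
The following is an added example, not part of the original message and not Samba code: a Python check that reads the 'idmap config' lines of a member's smb.conf, confirms the default '*' domain is present and that no two ranges overlap, and reports which domain's range a given uid/gid falls into (for instance the 60002 mentioned above). The function names and the sample configuration are constructed here from the lines quoted in the thread.

```python
import re

# Constructed sample: the member's idmap lines as quoted in the thread.
SAMPLE_CONF = """\
[global]
    idmap config * : backend = tdb
    idmap config * : range = 3000-29999
    idmap config SAMDOM:backend = ad
    idmap config SAMDOM:schema_mode = rfc2307
    idmap config SAMDOM:range = 30000-99999
"""

IDMAP_RE = re.compile(
    r"^\s*idmap\s+config\s+(\S+?)\s*:\s*([\w ]+?)\s*=\s*(.+?)\s*$", re.I)

def parse_ranges(text):
    """Return ({domain: (low, high)}, problems) from 'idmap config' lines."""
    domains, ranges, problems = {}, {}, []
    for line in text.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            dom, opt, val = m.groups()
            domains.setdefault(dom.upper(), {})[opt.replace(" ", "").lower()] = val
    if "*" not in domains:
        problems.append("no default '*' domain configured")
    for dom, opts in domains.items():
        m = re.fullmatch(r"(\d+)\s*-\s*(\d+)", opts.get("range", ""))
        if m and int(m.group(1)) <= int(m.group(2)):
            ranges[dom] = (int(m.group(1)), int(m.group(2)))
        else:
            problems.append(f"{dom}: missing or invalid range")
    return ranges, problems

def check_idmap(text):
    """Return a list of problems; an empty list means the ranges are usable."""
    ranges, problems = parse_ranges(text)
    names = sorted(ranges)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if ranges[a][0] <= ranges[b][1] and ranges[b][0] <= ranges[a][1]:
                problems.append(f"{a} and {b}: ranges overlap")
    return problems

def owning_domain(text, xid):
    """Name the idmap domain whose range holds this uid/gid, or None."""
    for dom, (low, high) in parse_ranges(text)[0].items():
        if low <= xid <= high:
            return dom
    return None

if __name__ == "__main__":
    print(check_idmap(SAMPLE_CONF), owning_domain(SAMPLE_CONF, 60002))
```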