Web lists-archives.com

Re: [Samba] idmap problems




On Wed, 2 Jan 2019 14:42:39 +0000
Rob Mason <rob@xxxxxxxxxxxx> wrote:

> Many thanks Rowland.  Yes, I don't understand idmaps, but I _think_
> I'm getting it. I have added the gid of 60002 for Domain Admins and
> undertaken some 'chgrp' tasks. I've now got a domain member with
> shares that presents the correct ownership. All looks good.
> 
> 
> 
> I'm still slightly confused why I have two ranges within my member
> smb.conf:
> 
> 
> 
> idmap config * : backend = tdb
> 
> idmap config * : range = 3000-29999       ========> reserved for
> BUILTIN ??? (and '3000000' range on the DC?)

Yes & no ;-)

The '*' domain is for the BUILTIN users & groups and anything outside
the 'DOMAIN' domain, it has nothing to do with the DC ID's

> 
> 
> idmap config SAMDOM:backend = ad
> 
> idmap config SAMDOM:schema_mode = rfc2307
> 
> idmap config SAMDOM:range = 30000-99999      ========> my uid/gid
> range for SAMDOM local domain accounts ???

Yes, where 'SAMDOM' is your AD domain.

> 
> 
> 
> If I only require the domain user/admin accounts, I don't understand
> the need for the first (BUILTIN?) range.
> 

You might think you only need the 'SAMDOM' domain, but AD also needs
the '*' domain.

I do hope you are not thinking of using GPO's, you have just stopped
Domain Admins from owning things in Sysvol.

Rowland

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba