Re: [Samba] idmap problems
- Date: Tue, 8 Jan 2019 08:42:40 +0000
- From: Rob Mason via samba <samba@xxxxxxxxxxxxxxx>
- Subject: Re: [Samba] idmap problems
Hi Rowland - I've spent the past few days going over the wiki and mailing lists. I think I've got the hang of idmaps. May I clarify a couple of things:
~ I have two DC's and one large fileserver (member). I'm using the 'ad' backend.
~ The only only windows group that needs a gidNumber attribute is Domain Users to map this across to the member server.
~ Other standard domain groups shouldn't be mapped across, especially Domain Admins(!) due to e.g. sysvol ownership
~ I may add my own domain user/group to the DC's and add uid/gid to the attributes (avoiding overlapping ranges between domains, and avoiding the standard xid 3000000 range for builtin accounts).
~ I use the idmap parameters in smb.conf on the member server to map the newly added users/groups across to the member server
I think this is correct and my domain seems healthy. All good!.
My one remaining question concerns examples presented in the wiki - they routinely use 'Domain Admin' as an example for aspects such as setting up shares and permissions. I think this is where I have become unstuck in the past. If I setup the domain as per my understanding, Domain Admins cannot be used as in the example given in https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs because its gid is not mapped (and should not typically be mapped).
You gave me some good alternative advice, which I have used in my new domain, to create new admin groups that are members of Domain Admins. These new admin groups are given gids, and all is good. But I can't help thinking that example in the wiki is mis-leading?? It seems that anyone who follows this example with a member server will experience the gid mapping issues...
BTW - just wanted to offer a huge thanks for helping me out with this.
To unsubscribe from this list go to the following URL and read the