Hi Rowland - I've spent the past few days going over the wiki and mailing lists. I think I've got the hang of idmaps. May I clarify a couple of things:

~ I have two DCs and one large fileserver (member). I'm using the 'ad' backend.
~ The only Windows group that needs a gidNumber attribute is Domain Users, to map this across to the member server.
~ Other standard domain groups shouldn't be mapped across, especially Domain Admins(!) due to e.g. sysvol ownership.
~ I may add my own domain user/group to the DCs and add uid/gid to the attributes (avoiding overlapping ranges between domains, and avoiding the standard xid 3000000 range for builtin accounts).
~ I use the idmap parameters in smb.conf on the member server to map the newly added users/groups across to the member server.

I think this is correct and my domain seems healthy. All good!

My one remaining question concerns examples presented in the wiki - they routinely use 'Domain Admin' as an example for aspects such as setting up shares and permissions. I think this is where I have become unstuck in the past. If I set up the domain as per my understanding, Domain Admins cannot be used as in the example given in https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs because its gid is not mapped (and should not typically be mapped).

You gave me some good alternative advice, which I have used in my new domain, to create new admin groups that are members of Domain Admins. These new admin groups are given gids, and all is good. But I can't help thinking that the example in the wiki is misleading? It seems that anyone who follows this example with a member server will experience the gid mapping issues...

BTW - just wanted to offer a huge thanks for helping me out with this.

Rob Mason
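As an added illustration (not part of Rob's message, the reply, or the Samba wiki), the following Python check models the member-server setup described above: it parses the `idmap config` lines of a constructed smb.conf fragment using the 'ad' backend, confirms that the default (`*`) range and the domain range do not overlap, and mimics how the ad backend resolves a group that carries a gidNumber (Domain Users, a custom admin group) versus one that does not (Domain Admins), which is exactly why the wiki's Domain Admins example fails on such a member server. The domain name SAMDOM, the group name unix-admins, the ranges and the gid values are all assumptions chosen for the example; nothing here talks to a real domain.

```python
"""Sanity-check a member server's idmap configuration against AD group attributes.

Constructed example: the smb.conf fragment and the AD group entries below are
made up for illustration (domain SAMDOM, group unix-admins, all numbers).
"""
import re

# Constructed member-server smb.conf fragment using the 'ad' (RFC2307) backend.
SMB_CONF = """
[global]
   workgroup = SAMDOM
   security = ADS
   realm = SAMDOM.EXAMPLE.COM
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999
   idmap config SAMDOM : backend = ad
   idmap config SAMDOM : schema_mode = rfc2307
   idmap config SAMDOM : range = 10000-999999
   idmap config SAMDOM : unix_nss_info = yes
"""

# Constructed AD group objects as the 'ad' backend would read them from the DCs.
# Only Domain Users and the custom admin group carry a gidNumber; Domain Admins
# is deliberately left without one, as the message above recommends.
AD_GROUPS = {
    "Domain Users": {"gidNumber": 10000},
    "Domain Admins": {},
    "unix-admins": {"gidNumber": 10001},   # hypothetical member of Domain Admins
}

IDMAP_RE = re.compile(r"^\s*idmap config\s+(\S+)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.I)


def parse_idmap(conf):
    """Return {domain: {key: value}} for every 'idmap config DOM : key = value' line."""
    cfg = {}
    for line in conf.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            dom, key, val = m.group(1), m.group(2).lower(), m.group(3)
            cfg.setdefault(dom, {})[key] = val
    return cfg


def parse_range(text):
    """Parse 'LOW-HIGH' into a (low, high) tuple, rejecting inverted ranges."""
    lo, hi = (int(x) for x in text.split("-"))
    if lo >= hi:
        raise ValueError(f"invalid idmap range {text!r}")
    return lo, hi


def check_ranges(cfg):
    """Return a list of problems: missing ranges or ranges that overlap each other."""
    problems = []
    ranges = {}
    for dom, keys in cfg.items():
        if "range" not in keys:
            problems.append(f"{dom}: no range configured")
        else:
            ranges[dom] = parse_range(keys["range"])
    doms = sorted(ranges)
    for i, a in enumerate(doms):
        for b in doms[i + 1:]:
            # Two closed intervals overlap when each starts before the other ends.
            if ranges[a][0] <= ranges[b][1] and ranges[b][0] <= ranges[a][1]:
                problems.append(f"{a} and {b} overlap")
    return problems


def resolve_gid(cfg, domain, group):
    """Mimic the 'ad' backend: a group maps only if it has a gidNumber inside the
    configured range for its domain; otherwise it is unmapped (returns None)."""
    dcfg = cfg.get(domain)
    if not dcfg or dcfg.get("backend", "").lower() != "ad":
        return None
    gid = AD_GROUPS.get(group, {}).get("gidNumber")
    if gid is None:
        return None
    lo, hi = parse_range(dcfg["range"])
    return gid if lo <= gid <= hi else None


if __name__ == "__main__":
    cfg = parse_idmap(SMB_CONF)
    print("range problems:", check_ranges(cfg) or "none")
    for name in AD_GROUPS:
        print(f"{name:14s} -> gid {resolve_gid(cfg, 'SAMDOM', name)}")
```

The report shows Domain Users and unix-admins resolving to a gid while Domain Admins resolves to nothing, so a share ACL granted to Domain Admins on this member server would have no Unix identity behind it; widening the `*` range so that it collides with the domain range is flagged by `check_ranges`.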

