Re: [Samba] idmap problems
- Date: Tue, 8 Jan 2019 10:10:27 +0000
- From: Rowland Penny via samba <samba@xxxxxxxxxxxxxxx>
- Subject: Re: [Samba] idmap problems
On Tue, 8 Jan 2019 08:42:40 +0000
Rob Mason <rob@xxxxxxxxxxxx> wrote:
> Hi Rowland - I've spent the past few days going over the wiki and
> mailing lists. I think I've got the hang of idmaps. May I clarify a
> couple of things:
> ~ I have two DCs and one large fileserver (member). I'm using the
> 'ad' backend.
> ~ The only Windows group that needs a gidNumber attribute is Domain
> Users, to map this across to the member server.
> ~ Other standard domain groups shouldn't be mapped across, especially
> Domain Admins(!) due to e.g. sysvol ownership
There is absolutely no need to give any windows user or group a
uidNumber or gidNumber, unless you want them to be also a Unix user or
group. None of the 'Well Known SIDs' needs to be a Unix user or group.
> I may add my own domain user/group to the DCs and add uid/gid to the
> attributes (avoiding overlapping ranges between domains, and avoiding
> the standard xid 3000000 range for builtin accounts).
Yes, as I said above, adding a uidNumber or gidNumber to a Windows user
or group turns them into a Unix user or group, provided you use the
'ad' backend on Unix domain members.
> ~ I use the idmap parameters in smb.conf on the member server to map
> the newly added users/groups across to the member server.
> I think this is correct and my domain seems healthy. All good!
> My one remaining question concerns examples presented in the wiki -
> they routinely use 'Domain Admin' as an example for aspects such as
> setting up shares and permissions. I think this is where I have
> become unstuck in the past. If I setup the domain as per my
> understanding, Domain Admins cannot be used as in the example given
> because its gid is not mapped (and should not typically be mapped).
I didn't write that and it is from experiments in trying to fix
sysvolreset that led me to the conclusion that giving Domain Admins a
gidNumber was a BAD idea, it just turned it into a group and a group
cannot own things on Unix.
> You gave me some good alternative advice, which I have used in my new
> domain, to create new admin groups that are members of Domain Admins.
> These new admin groups are given gids, and all is good. But I can't
> help thinking that example in the wiki is misleading? It seems that
> anyone who follows this example with a member server will experience
> the gid mapping issues...
I will fix the wiki, as soon as I can.
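The two things the thread keeps coming back to on the member server side are the idmap ranges (the domain's 'ad' range must not overlap the default '*' range that holds the 3000000 xids for BUILTIN and other well-known SIDs) and the backend (uidNumber/gidNumber set in AD are only honoured by the 'ad' backend). The script below is an added example, not code from the thread, the Samba wiki or the Samba project: it embeds a constructed smb.conf pair (one sane, one broken), extracts the idmap settings, and reports overlapping ranges or a non-'ad' backend. The domain name SAMDOM, the realm and the ranges are assumptions.

```shell
#!/bin/sh
# Added example, not from the Samba thread or the Samba project: sanity-check
# the idmap section of a Unix domain member's smb.conf for the two mistakes
# discussed above (overlapping ranges, and a backend other than 'ad' that
# would ignore uidNumber/gidNumber set in AD). The domain name SAMDOM, the
# realm and the ranges below are assumptions.
set -u

# Constructed smb.conf for a domain member. The '*' default backend (tdb)
# handles BUILTIN and other well-known SIDs in the 3000000 range; the AD
# domain uses the 'ad' backend with its own, non-overlapping range.
SMB_CONF_OK='[global]
   security = ADS
   workgroup = SAMDOM
   realm = SAMDOM.EXAMPLE.COM
   idmap config * : backend = tdb
   idmap config * : range = 3000000-7999999
   idmap config SAMDOM : backend = ad
   idmap config SAMDOM : schema_mode = rfc2307
   idmap config SAMDOM : range = 10000-999999
   idmap config SAMDOM : unix_nss_info = yes
'

# Constructed broken variant: the domain range overlaps the '*' range, and
# the domain uses 'rid', so gidNumber attributes in AD would not be used.
SMB_CONF_BAD='[global]
   security = ADS
   workgroup = SAMDOM
   idmap config * : backend = tdb
   idmap config * : range = 3000000-7999999
   idmap config SAMDOM : backend = rid
   idmap config SAMDOM : range = 2000000-3999999
'

# idmap_value CONF DOMAIN KEY: print the value of "idmap config DOMAIN : KEY".
# Case-insensitive, tolerant of whitespace around ':' and '='.
idmap_value() {
    printf '%s\n' "$1" | awk -v dom="$2" -v key="$3" '
        BEGIN { want = "idmapconfig" tolower(dom) ":" tolower(key) }
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            if (tolower(line) !~ /^idmap config/) next
            n = split(line, kv, "=")
            if (n < 2) next
            lhs = kv[1]; val = kv[2]
            gsub(/[ \t]/, "", lhs)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (tolower(lhs) == want) { print val; exit }
        }'
}

# range_bounds "LOW-HIGH": print "LOW HIGH"; fail on anything malformed.
range_bounds() {
    case "$1" in
        *-*) lo=${1%%-*}; hi=${1##*-} ;;
        *)   return 1 ;;
    esac
    [ -n "$lo" ] && [ -n "$hi" ] || return 1
    case "$lo$hi" in *[!0-9]*) return 1 ;; esac
    [ "$lo" -le "$hi" ] || return 1
    printf '%s %s\n' "$lo" "$hi"
}

# ranges_overlap "A-B" "C-D": succeed if the two ranges share any ID.
ranges_overlap() {
    a=$(range_bounds "$1") || return 2
    b=$(range_bounds "$2") || return 2
    set -- $a $b
    [ "$1" -le "$4" ] && [ "$3" -le "$2" ]
}

# check_idmap CONF DOMAIN: 0 if the idmap config looks sane, 1 otherwise.
check_idmap() {
    conf=$1; dom=$2; rc=0
    backend=$(idmap_value "$conf" "$dom" backend)
    default_range=$(idmap_value "$conf" '*' range)
    dom_range=$(idmap_value "$conf" "$dom" range)

    if [ "$backend" != "ad" ]; then
        echo "FAIL: $dom backend is '$backend'; uidNumber/gidNumber in AD are only honoured by 'ad'"
        rc=1
    fi
    if [ -z "$default_range" ] || [ -z "$dom_range" ]; then
        echo "FAIL: both 'idmap config * : range' and 'idmap config $dom : range' must be set"
        return 1
    fi
    if ranges_overlap "$default_range" "$dom_range"; then
        echo "FAIL: $dom range $dom_range overlaps the '*' range $default_range"
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: $dom idmap config looks sane ($backend, $dom_range; '*' $default_range)"
    return "$rc"
}

echo "== constructed good config"
check_idmap "$SMB_CONF_OK" SAMDOM || echo "   -> exit status $?"
echo "== constructed bad config"
check_idmap "$SMB_CONF_BAD" SAMDOM || echo "   -> exit status $?"
```

To run it against a real member server, feed it the effective configuration, e.g. `check_idmap "$(testparm -s 2>/dev/null)" SAMDOM`. With the 'ad' backend in place, a group that has no gidNumber (Domain Admins, if you follow the advice above) is simply not resolved on the member, so `getent group 'SAMDOM\Domain Admins'` returning nothing is the expected result, not a fault; the group you do want on Unix is the separate admin group with a gidNumber inside the domain range, nested in Domain Admins with `samba-tool group addmembers 'Domain Admins' <group>`.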