On Thu, 27 Oct 2016 10:51:08 -0200
Vinicius Bones Silva via samba <samba at lists.samba.org> wrote:

> Wait, now I'm confused. Idmap lines do not need to be set up on the
> DCs? Then how does Windows figure out the ids in the Unix
> Attributes tab? I thought you needed both rfc2307 and idmap on the
> DC and the members.
>

The DCs have idmap.ldb; this maps users and groups to xidNumbers in the
'3000000' range. The only way to change these numbers on a DC is to
give your users & groups uidNumber & gidNumber attributes.

I repeat, adding the 'idmap config' lines that are used on a domain
member to a DC will not work.

They do nothing, zilch, they are ignored, so do not add them.

The 'Unix Attributes' tab uses the 'uidNumber' and 'gidNumber'
attributes and these override the 'xidNumber' attributes that the DC
uses by default.

Rowland
Hi Rowland,
Just to let you know, we removed all the idmap entries we had on the
smb.conf of our two DCs and the ids reported by getent passwd at the DCs
were in the 3.000.000 range, as you said. We had to add back
'idmap_ldb:use rfc2307 = yes' to get the user listing with the original
numbers on the DCs.

Here's what we commented out on the configuration files.
# Default idmap config used for BUILTIN and local accounts/groups
#idmap config *:backend = ad
#idmap config *:range = 2000-9999
# idmap config for domain E-TRUST
#idmap config E-TRUST:backend = ad
#idmap config E-TRUST:schema_mode = rfc2307
#idmap config E-TRUST:range = 10000-40000
#idmap cache time = 1
#idmap negative cache time = 1
#winbind cache time = 1
idmap_ldb:use rfc2307 = yes
Regards,
Vinicius.
On 27/10/2016 11:15, Rowland Penny via samba wrote:
> On Thu, 27 Oct 2016 10:51:08 -0200
> Vinicius Bones Silva via samba <samba at lists.samba.org> wrote:
>
>> Wait, now I'm confused. Idmap lines do not need to be set up on the
>> DCs? Then how does Windows figure out the ids in the Unix
>> Attributes tab? I thought you needed both rfc2307 and idmap on the
>> DC and the members.
>>
>
> The DCs have idmap.ldb; this maps users and groups to xidNumbers in the
> '3000000' range. The only way to change these numbers on a DC is to
> give your users & groups uidNumber & gidNumber attributes.
>
> I repeat, adding the 'idmap config' lines that are used on a domain
> member to a DC will not work.
>
> They do nothing, zilch, they are ignored, so do not add them.
>
> The 'Unix Attributes' tab uses the 'uidNumber' and 'gidNumber'
> attributes and these override the 'xidNumber' attributes that the DC
> uses by default.
>
> Rowland
>
--
Vinicius Silva
SOC
BRA: + 55 51 2117.1000 | 55 11 5521.2021
USA: + 1 888 259.5801
vbs at e-trust.com.br
skype: vinicius.bones.silva
www.e-trust.com.br <http://www.e-trust.com.br/>
On Thu, 27 Oct 2016 17:23:43 -0200
Vinicius Bones Silva via samba <samba at lists.samba.org> wrote:

> Hi Rowland,
>
> Just to let you know, we removed all the idmap entries we had on
> the smb.conf of our two DCs and the ids reported by getent passwd at
> the DCs were in the 3.000.000 range, as you said. We had to add back
> 'idmap_ldb:use rfc2307 = yes' to get the user listing with the
> original numbers on the DCs.
>
> Here's what we commented out on the configuration files.
>
> # Default idmap config used for BUILTIN and local accounts/groups
> #idmap config *:backend = ad
> #idmap config *:range = 2000-9999
>
> # idmap config for domain E-TRUST
> #idmap config E-TRUST:backend = ad
> #idmap config E-TRUST:schema_mode = rfc2307
> #idmap config E-TRUST:range = 10000-40000
> #idmap cache time = 1
> #idmap negative cache time = 1
> #winbind cache time = 1
> idmap_ldb:use rfc2307 = yes
>

Yes, those are the lines you should only have on a domain member (aka
fileserver, printserver).

The only idmap line you should have on a DC is the 'idmap_ldb:use
rfc2307 = yes' line. Without this line, rfc2307 will not be used, and
unfortunately it is not added automatically to any DCs that are joined
to the domain.

Rowland
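The rule in Rowland's reply above, as an added shell check that is not part of the thread or of Samba itself: it flags active member-only 'idmap config' lines in a DC's smb.conf and confirms that the 'idmap_ldb:use rfc2307 = yes' line is present. The check_dc_idmap function and the two sample smb.conf files are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the thread or the Samba project: lint a DC's smb.conf
# for the member-only idmap settings the thread says a DC ignores, and confirm
# the single idmap line a DC does need. The sample files below are constructed.

# Print findings for one smb.conf. Returns 0 when it looks right for a DC,
# 1 when member-only lines are active or the rfc2307 line is missing.
check_dc_idmap() {
    conf="$1"
    status=0
    # Uncommented 'idmap config <domain>:<option>' lines are domain-member settings.
    stray=$(grep -Ei '^[[:space:]]*idmap[[:space:]]+config[[:space:]]' "$conf" || true)
    if [ -n "$stray" ]; then
        echo "$conf: member-only idmap lines found on a DC:"
        echo "$stray" | sed 's/^/    /'
        status=1
    fi
    # smb.conf parameter names are case-insensitive and allow spaces around ':' and '='.
    if ! grep -Eiq '^[[:space:]]*idmap_ldb[[:space:]]*:[[:space:]]*use[[:space:]]+rfc2307[[:space:]]*=[[:space:]]*yes' "$conf"; then
        echo "$conf: 'idmap_ldb:use rfc2307 = yes' is missing; uidNumber/gidNumber will not be used"
        status=1
    fi
    return "$status"
}

# Constructed samples: the DC config as posted in the thread (member lines active)
# and the corrected one keeping only the line a DC needs.
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
cat > "$SAMPLE_DIR/dc-before.conf" <<'EOF'
[global]
    server role = active directory domain controller
    idmap config *:backend = ad
    idmap config *:range = 2000-9999
    idmap config E-TRUST:backend = ad
    idmap config E-TRUST:schema_mode = rfc2307
    idmap config E-TRUST:range = 10000-40000
EOF
cat > "$SAMPLE_DIR/dc-after.conf" <<'EOF'
[global]
    server role = active directory domain controller
    #idmap config E-TRUST:range = 10000-40000
    idmap_ldb:use rfc2307 = yes
EOF

for f in dc-before dc-after; do
    if check_dc_idmap "$SAMPLE_DIR/$f.conf"; then echo "$f.conf: OK for a DC"; fi
done
```

Run it against a real DC's /etc/samba/smb.conf by calling check_dc_idmap with that path; the commented-out lines from the thread are correctly left alone.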
On Thu, 2016-10-27 at 17:23 -0200, Vinicius Bones Silva via samba wrote:
> Hi Rowland,
>
> Just to let you know, we removed all the idmap entries we had on
> the smb.conf of our two DCs and the ids reported by getent passwd at
> the DCs were in the 3.000.000 range, as you said. We had to add back
> 'idmap_ldb:use rfc2307 = yes' to get the user listing with the
> original numbers on the DCs.
>
> Here's what we commented out on the configuration files.
>
> # Default idmap config used for BUILTIN and local accounts/groups
> #idmap config *:backend = ad
> #idmap config *:range = 2000-9999
>
> # idmap config for domain E-TRUST
> #idmap config E-TRUST:backend = ad
> #idmap config E-TRUST:schema_mode = rfc2307
> #idmap config E-TRUST:range = 10000-40000
> #idmap cache time = 1
> #idmap negative cache time = 1
> #winbind cache time = 1
> idmap_ldb:use rfc2307 = yes
>
> Regards,
> Vinicius.

Can you confirm that it still fails with that configuration? You may
need to flush the caches: 'net cache flush'.

I certainly can see how having those set would have broken things,
because we now enforce the range if set, whereas 4.4 just ignored them.

Thanks,

Andrew Bartlett

--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba