On Wed, 2022-03-23 at 11:23 +0100, Stefan G. Weichinger via samba wrote:
> greetings, it's been a long time since I posted here.
>
> So far everything went smoothly regarding my samba domains.
>
> today I wanted to edit a GPO and get errors in RSAT ("wrong
> parameter").
> Checked sysvol ACLs, something is wrong.
>
> "sysvolreset" takes a long time and always says:
>
> idmap range not specified for domain '*'
You can ignore that on a DC, it only matters on a Unix domain member.
>
> -
>
> hmm. Correct. My smb.conf on that DC (4.14.12):
>
> # samba-tool testparm
> INFO 2022-03-23 11:22:14,074 pid:3766171 /usr/lib/python3/dist-packages/samba/netcmd/testparm.py #96: Loaded smb config files from /etc/samba/smb.conf
> INFO 2022-03-23 11:22:14,074 pid:3766171 /usr/lib/python3/dist-packages/samba/netcmd/testparm.py #97: Loaded services file OK.
> Press enter to see a dump of your service definitions
>
> # Global parameters
> [global]
> disable spoolss = Yes
> dns forwarder = 192.168.16.111
> log level = 1
> netbios name = DC2
> printcap name = /dev/null
> realm = MYDOM.AT
> server role = active directory domain controller
> template shell = /bin/bash
> time server = Yes
> usershare path =
> winbind offline logon = Yes
> workgroup = BUERO
> sdb:schema update allowed = no
> idmap_ldb:use rfc2307 = yes
>
> [netlogon]
> path = /var/lib/samba/sysvol/pilsbacher.at/scripts
> read only = No
>
> [sysvol]
> path = /var/lib/samba/sysvol
> read only = No
>
> --
Apart from some parameters that you don't need, there is nothing wrong
there.
>
> What do I set idmap range to while NOT breaking the existing
> users/groups?
Nothing, you do not need to add anything.
>
> Will that help me to get correct ACL editing perms again?
No, you seem to have another problem. Is this a DC that doesn't hold
the PDC_Emulator FSMO role? If so, have you synced Sysvol and
idmap.ldb from the PDC_Emulator DC?

Rowland