Hello,

Using Ubuntu 12.04 with Samba 4.1.11. I'm currently redirecting windows folders to a Samba DC. This DC is not the one that was deployed first. Based on discussions from another thread I copied the idmap.ldb from the initial DC to the others that are deployed. I noticed upon doing so the file permissions on the shares were broken. As in existing users were unable to see their documents or make modifications to them. I deleted them from the ACL list and reapplied their appropriate permissions. This corrected that issue.

I also noticed that an issue I had with applying GPOs to users at remote sites was now working again after making this change. With all that being said, I was under the impression that I only needed to add idmap configurations to my smb.conf if I was using a member server to handle shares from linux/unix users or workstations. I appear to be wrong? Thanks for any assistance.

--
-James
Rowland Penny
2014-Oct-15 15:51 UTC
[Samba] idmap configuration after initial deployment needed?
On 15/10/14 16:24, James wrote:
> Hello,
>
> Using Ubuntu 12.04 with Samba 4.1.11. I'm currently redirecting
> windows folders to a Samba DC. This DC is not the one that was
> deployed first. Based on discussions from another thread I copied the
> idmap.ldb from the initial DC to the others that are deployed. I
> noticed upon doing so the file permissions on the shares were broken.
> As in existing users were unable to see their documents or make
> modifications to them. I deleted them from the ACL list and reapplied
> their appropriate permissions. This corrected that issue.
>
> I also noticed that an issue I had with applying GPOs to users at
> remote sites was now working again after making this change. With all
> that being said, I was under the impression that I only needed to add
> idmap configurations to my smb.conf if I was using a member server to
> handle shares from linux/unix users or workstations. I appear to be
> wrong? Thanks for any assistance.
>

The problem starts with what Microsoft calls 'Well-known security identifiers'. These are mapped on the DC to xidNumbers. Now, wherever you go in AD, on a windows machine 'S-1-5-32-544' is the Administrators group, but as I said, on the DC this is mapped to an xidNumber; the only problem is that you do not seem to get the same xidNumber on every Samba4 DC, and this is why idmap.ldb needs to be copied from the first DC. There was some talk about mapping these SIDs to a set group of numbers, but that is as far as it got, the problem being just what numbers to map them to or how to map them so that Samba admins could choose the starting base.

Rowland
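The mismatch Rowland describes (the same well-known SID getting a different xidNumber on each DC) can be checked before idmap.ldb is copied, which also explains why the existing share ACLs broke after the copy: files on the second DC were owned by the old xidNumbers, which the copied database no longer ties to the same SIDs. The script below is an added example and is not part of this thread or of Samba itself. It parses LDIF text in the shape that `ldbsearch -H /var/lib/samba/private/idmap.ldb '(objectClass=sidMap)'` prints, compares the SID-to-xidNumber tables of two DCs, and lists the xidNumbers on the second DC that would become stale. The two LDIF dumps are constructed sample data (the domain SID, the user RID 1105 and the xidNumber values are invented); on a real system you would feed it the saved ldbsearch output from each DC.

```python
"""Compare SID -> xidNumber mappings from two idmap.ldb dumps (added example)."""


def _record(sid, xid):
    """Build one constructed LDIF record in the form ldbsearch prints for idmap.ldb."""
    return (f"dn: CN={sid}\nobjectClass: sidMap\nobjectSid: {sid}\n"
            f"type: ID_TYPE_BOTH\nxidNumber: {xid}\n")


# Constructed sample: the first-deployed DC (the one whose idmap.ldb is authoritative).
IDMAP_DC1 = "# record 1\n" + "\n".join([
    _record("S-1-5-32-544", 3000000),                 # BUILTIN\Administrators
    _record("S-1-5-32-545", 3000001),                 # BUILTIN\Users
    _record("S-1-5-21-1111-2222-3333-1105", 3000010), # an ordinary domain user (invented RID)
]) + "\n# returned 3 records\n"

# Constructed sample: a later DC allocated numbers independently, so the two
# well-known groups swapped places and one extra SID was allocated only here.
IDMAP_DC2 = "# record 1\n" + "\n".join([
    _record("S-1-5-32-545", 3000000),
    _record("S-1-5-32-544", 3000001),
    _record("S-1-5-21-1111-2222-3333-1105", 3000010),
    _record("S-1-5-11", 3000020),                     # NT AUTHORITY\Authenticated Users
]) + "\n# returned 4 records\n"


def parse_idmap_ldif(text):
    """Return {objectSid: xidNumber} for every sidMap record in an LDIF dump.

    Handles ldbsearch's '# ...' comment lines, blank-line record separators
    and LDIF continuation lines (a leading space continues the previous value).
    """
    mapping = {}
    record = {}
    last_key = None
    for line in text.splitlines() + [""]:      # trailing "" flushes the final record
        if line.startswith("#"):
            continue
        if line.strip() == "":
            if (record.get("objectClass") == "sidMap"
                    and "objectSid" in record and "xidNumber" in record):
                mapping[record["objectSid"]] = int(record["xidNumber"])
            record, last_key = {}, None
            continue
        if line.startswith(" ") and last_key:   # continuation line
            record[last_key] += line[1:]
            continue
        key, _, value = line.partition(":")
        last_key = key.strip()
        record[last_key] = value.strip()
    return mapping


def compare_idmaps(first, other):
    """SIDs present on both DCs whose xidNumber differs: {sid: (first_xid, other_xid)}."""
    return {sid: (first[sid], other[sid])
            for sid in first if sid in other and first[sid] != other[sid]}


def stale_xids_after_copy(other, first):
    """xidNumbers in use on the other DC that stop meaning the same SID once the
    first DC's idmap.ldb replaces its own. Files on the other DC owned by these
    numbers will show a different (or no) owner afterwards and need re-ACLing."""
    sid_of_first_xid = {xid: sid for sid, xid in first.items()}
    return {xid: sid for sid, xid in other.items() if sid_of_first_xid.get(xid) != sid}


if __name__ == "__main__":
    dc1, dc2 = parse_idmap_ldif(IDMAP_DC1), parse_idmap_ldif(IDMAP_DC2)
    for sid, (a, b) in sorted(compare_idmaps(dc1, dc2).items()):
        print(f"{sid}: first DC xid {a}, other DC xid {b}")
    for xid, sid in sorted(stale_xids_after_copy(dc2, dc1).items()):
        print(f"xid {xid} on other DC ({sid}) would be stale after copying idmap.ldb")
```

Any SID listed by `compare_idmaps` is a share-ACL problem waiting to happen, and the `stale_xids_after_copy` output is the list of numeric owners to look for on the second DC's filesystem (for example with `find` by numeric uid/gid) before or after the copy, which is the work James ended up doing by hand.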