I got it, so it must have been the problem .. Strange that changed it more than one month at least. Having these values now, how do you think I do? Leave it or change at least the idmap config * values: range? I understand the parameters: idmap config *: range = Range of the Ids are User system idmap config SERVERAD: range: DC User Range Thank you Em 13-07-2016 05:16, Rowland penny escreveu:> On 13/07/16 03:20, Carlos A. P. Cunha wrote: >> >> Can return old id, returning the old values (changed the most at >> least two months) >> >> idmap config *: backend = tdb >> idmap config *:range = 5000-16777216 >> idmap config SERVERAD: backend = rid >> idmap config SERVERAD: range = 5000-33554431 >> >> The error parrou also, but I think the fact that a group with the >> same ID / GID if the User to the fact that the idmap values be >> crossing, even so I changed them (mentioned above) >> >> Thank you >> >> > > Do not change the lower range value on a Samba fileserver once set, > you can raise the upper value, but there is a proviso, the ranges must > not overlap. This means your lines above are invalid, they both start > at '5000' and the entire '*' range is inside the 'SERVERAD' range. > > If you change the lower range and you are using the 'rid' backend, all > your IDs will change. > > Rowland >
On 13/07/16 13:33, Carlos A. P. Cunha wrote:> > I got it, so it must have been the problem .. > Strange that changed it more than one month at least. > Having these values now, how do you think I do? > Leave it or change at least the idmap config * values: range? > > I understand the parameters: > > idmap config *: range = Range of the Ids are User system > > idmap config SERVERAD: range: DC User Range > > Thank you > > > Em 13-07-2016 05:16, Rowland penny escreveu: >> On 13/07/16 03:20, Carlos A. P. Cunha wrote: >>> >>> Can return old id, returning the old values (changed the most at >>> least two months) >>> >>> idmap config *: backend = tdb >>> idmap config *:range = 5000-16777216 >>> idmap config SERVERAD: backend = rid >>> idmap config SERVERAD: range = 5000-33554431 >>> >>> The error parrou also, but I think the fact that a group with the >>> same ID / GID if the User to the fact that the idmap values be >>> crossing, even so I changed them (mentioned above) >>> >>> Thank you >>> >>> >> >> Do not change the lower range value on a Samba fileserver once set, >> you can raise the upper value, but there is a proviso, the ranges >> must not overlap. This means your lines above are invalid, they both >> start at '5000' and the entire '*' range is inside the 'SERVERAD' range. >> >> If you change the lower range and you are using the 'rid' backend, >> all your IDs will change. >> >> Rowland >> >OK, you need to find out just who owns what on your systems, if you find that something belongs to a number or to a user that it shouldn't, then you have problems. If you look on the Samba wiki page for setting up a domain member, you will find this for using the 'rid' backend: # Default idmap config used for BUILTIN and local accounts/groups idmap config *:backend = tdb idmap config *:range = 2000-9999 # idmap config for domain SAMDOM idmap config SAMDOM:backend = rid idmap config SAMDOM:range = 10000-99999 The ranges were chosen for a reason, the '*' range '2000-9999' is large enough for any windows SID-RIDS that need mapping and leaves room below the range for any local Unix users that may be required. The domain range starts at '10000', this is also the standard start number if you use ADUC & the Unix Attributes tab. If needed, the range can be extended by raising '99999' to whatever is required, this can be done whenever required, just don't change '10000' If practicable, you could use the above ranges, but if it takes less work to keep the ranges you are using now, then stay with them, what I am trying to say is, go with whatever is easiest, just make sure that ranges do not overlap. Rowland
Thank you for the explanation. Yes, it was a mistake to leave my two faxias that way, by the ID exchange reason the low range will leave as it was to have no problems idmap config SERVERAD: range = 5000-33554431 The range of up'm thinking of changing to something idmap config *: range = 2000-4500 Not to be superimposed. But it will it not cause problem ids trading again? Since it was before both inciado in 50000 The procimo server will not make this mistake. Final doubt, I promise heheh :-D Thanks Em 13-07-2016 10:32, Rowland penny escreveu:> On 13/07/16 13:33, Carlos A. P. Cunha wrote: >> >> I got it, so it must have been the problem .. >> Strange that changed it more than one month at least. >> Having these values now, how do you think I do? >> Leave it or change at least the idmap config * values: range? >> >> I understand the parameters: >> >> idmap config *: range = Range of the Ids are User system >> >> idmap config SERVERAD: range: DC User Range >> >> Thank you >> >> >> Em 13-07-2016 05:16, Rowland penny escreveu: >>> On 13/07/16 03:20, Carlos A. P. Cunha wrote: >>>> >>>> Can return old id, returning the old values (changed the most at >>>> least two months) >>>> >>>> idmap config *: backend = tdb >>>> idmap config *:range = 5000-16777216 >>>> idmap config SERVERAD: backend = rid >>>> idmap config SERVERAD: range = 5000-33554431 >>>> >>>> The error parrou also, but I think the fact that a group with the >>>> same ID / GID if the User to the fact that the idmap values be >>>> crossing, even so I changed them (mentioned above) >>>> >>>> Thank you >>>> >>>> >>> >>> Do not change the lower range value on a Samba fileserver once set, >>> you can raise the upper value, but there is a proviso, the ranges >>> must not overlap. This means your lines above are invalid, they both >>> start at '5000' and the entire '*' range is inside the 'SERVERAD' range. >>> >>> If you change the lower range and you are using the 'rid' backend, >>> all your IDs will change. >>> >>> Rowland >>> >> > > OK, you need to find out just who owns what on your systems, if you > find that something belongs to a number or to a user that it > shouldn't, then you have problems. > > If you look on the Samba wiki page for setting up a domain member, you > will find this for using the 'rid' backend: > > # Default idmap config used for BUILTIN and local accounts/groups > idmap config *:backend = tdb > idmap config *:range = 2000-9999 > > # idmap config for domain SAMDOM > idmap config SAMDOM:backend = rid > idmap config SAMDOM:range = 10000-99999 > > The ranges were chosen for a reason, the '*' range '2000-9999' is > large enough for any windows SID-RIDS that need mapping and leaves > room below the range for any local Unix users that may be required. > The domain range starts at '10000', this is also the standard start > number if you use ADUC & the Unix Attributes tab. If needed, the range > can be extended by raising '99999' to whatever is required, this can > be done whenever required, just don't change '10000' > > If practicable, you could use the above ranges, but if it takes less > work to keep the ranges you are using now, then stay with them, what I > am trying to say is, go with whatever is easiest, just make sure that > ranges do not overlap. > > Rowland >