Observation:

2 sambas, ADS-member servers

one is Debian, samba-4.2.14
2nd is Gentoo, samba-4.5.10

1)

winbind enum users = Yes
winbind enum groups = Yes
winbind use default domain = Yes
winbind refresh tickets = Yes
idmap config mydomain:schema_mode = rfc2307
idmap config mydomain:range = 10000-99999
idmap config mydomain:backend = rid
idmap config *:range = 2000-9999
idmap config * : backend = tdb

# wbinfo --group-info=domänen-benutzer
domänen-benutzer:x:10513:

2)

winbind use default domain = Yes
idmap config * : range = 10001-20000
idmap config domain : backend = rid
idmap config domain : range = 10000-20000
idmap config domain : base_rid = 0
idmap config * : backend = tdb

# wbinfo --group-info=domänen-benutzer
domänen-benutzer:x:10008:

I understand/assume that the different idmap configs might cause the
mismatch in the mapped(?) groupids.

Can I fix that without breaking things?

On which server?

... oh my, I checked a 3rd one for reference:

# wbinfo --group-info=domänen-benutzer
domänen-benutzer:x:10027:

:-(

On Thu, 22 Jun 2017 10:12:41 +0200
"Stefan G. Weichinger via samba" <samba at lists.samba.org> wrote:

> 1)
>
> idmap config mydomain:schema_mode = rfc2307
> idmap config mydomain:range = 10000-99999
> idmap config mydomain:backend = rid
> idmap config *:range = 2000-9999
> idmap config * : backend = tdb
>
> # wbinfo --group-info=domänen-benutzer
> domänen-benutzer:x:10513:
>
> 2)
>
> idmap config * : range = 10001-20000
> idmap config domain : backend = rid
> idmap config domain : range = 10000-20000
> idmap config domain : base_rid = 0
> idmap config * : backend = tdb
>
> # wbinfo --group-info=domänen-benutzer
> domänen-benutzer:x:10008:
>
>
> I understand/assume that the different idmap configs might cause the
> mismatch in the mapped(?) groupids.

Oh definitely

>
> Can I fix that without breaking things?

If your users have files stored on the domain members, probably not.

>
> On which server?
>

Both! Your 'idmap config' block on ALL Unix domain members needs to be
something like this:

idmap config * : backend = tdb
idmap config *:range = 2000-9999
idmap config domain : backend = rid
idmap config domain : range = 10000-99999

Your samba versions are not new enough to use 'idmap config
mydomain:schema_mode = rfc2307' and you wouldn't use it with the 'rid'
backend.

This is deprecated: 'idmap config domain : base_rid = 0' because '0' is
the default.

If you use something like the above on all Unix domain members, you
will always get the same IDs because the 'rid' backend calculates the
ID from the RID.

Rowland

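
Added example, not part of the thread and not Samba's own code: Python that parses the two 'idmap config' blocks quoted above, applies the idmap_rid formula (ID = RID - base_rid + low end of range) and reports overlapping ranges. Assumptions: XYZ is a placeholder for the domain name the posts write as "mydomain" / "domain", and domänen-benutzer is the Domain Users group with the well-known RID 513.

```python
import re

# Constructed input: the two idmap blocks from the thread, with the placeholder
# XYZ (an assumption) where the posts write "mydomain" / "domain".
SERVER1 = """
idmap config XYZ:schema_mode = rfc2307
idmap config XYZ:range = 10000-99999
idmap config XYZ:backend = rid
idmap config *:range = 2000-9999
idmap config * : backend = tdb
"""
SERVER2 = """
idmap config * : range = 10001-20000
idmap config XYZ : backend = rid
idmap config XYZ : range = 10000-20000
idmap config XYZ : base_rid = 0
idmap config * : backend = tdb
"""
DOMAIN_USERS_RID = 513  # well-known RID of the Domain Users group (assumed match)

LINE = re.compile(r"^\s*idmap config\s+(\S+?)\s*:\s*(\w+)\s*=\s*(\S+)\s*$")

def parse_idmap(conf):
    """Return {domain: {option: value}} for every 'idmap config' line."""
    domains = {}
    for line in conf.splitlines():
        m = LINE.match(line)
        if m:
            dom, opt, val = m.groups()
            domains.setdefault(dom, {})[opt] = val
    return domains

def rid_to_id(rid, opts):
    """idmap_rid: ID = RID - base_rid + low end of range; None if out of range."""
    low, high = (int(x) for x in opts["range"].split("-"))
    unix_id = rid - int(opts.get("base_rid", 0)) + low
    return unix_id if low <= unix_id <= high else None

def overlaps(domains):
    """Adjacent pairs of domains whose ranges overlap (ranges must be disjoint)."""
    spans = sorted((tuple(int(x) for x in o["range"].split("-")), d)
                   for d, o in domains.items() if "range" in o)
    return [(a[1], b[1]) for a, b in zip(spans, spans[1:]) if b[0][0] <= a[0][1]]

if __name__ == "__main__":
    for name, conf, seen in (("1", SERVER1, 10513), ("2", SERVER2, 10008)):
        d = parse_idmap(conf)
        print(name, "rid formula:", rid_to_id(DOMAIN_USERS_RID, d["XYZ"]),
              "observed:", seen, "overlapping ranges:", overlaps(d))
```

For block 1 the formula gives 10513, the GID wbinfo reported there. For block 2 it also gives 10513, not the reported 10008, and the default range 10001-20000 overlaps the domain range 10000-20000.
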
On 2017-06-22 at 10:44, Rowland Penny via samba wrote:

>> Can I fix that without breaking things?
>
> If your users have files stored on the domain members, probably not.

I understand that this just creates the need to run some
chown/chgrp-commands after correcting smb.conf and restarting samba?

> Your 'idmap config' block on ALL Unix domain members needs to be
> something like this:
>
> idmap config * : backend = tdb
> idmap config *:range = 2000-9999
> idmap config domain : backend = rid
> idmap config domain : range = 10000-99999

I am never sure how to specify $domain in the 2nd two settings here.

In this case the Domain is called ABC.XYZ

and for example:

# net ads info | grep Realm
ABC.XYZ

and in smb.conf

workgroup = XYZ
realm =ABC.XYZ

and in krb5.conf

default_realm = ABX.XYZ

so is it ->

idmap config XYZ : backend = rid

or

idmap config ABC.XYZ : backend = rid

?

> Your samba versions are not new enough to use 'idmap config
> mydomain:schema_mode = rfc2307' and you wouldn't use it with the 'rid'
> backend.

Yes. I just try to stay at the versions the stable repos give me ...

> This is deprecated: 'idmap config domain : base_rid = 0' because '0' is
> the default.

ok

> If you use something like the above on all Unix domain members, you
> will always get the same IDs because the 'rid' backend calculates the
> ID from the RID.

looking forward to correct that, thanks!

On 2017-06-22 at 10:44, Rowland Penny via samba wrote:

> On Thu, 22 Jun 2017 10:12:41 +0200
> "Stefan G. Weichinger via samba" <samba at lists.samba.org> wrote:
>
>> 1)
>>
>> idmap config mydomain:schema_mode = rfc2307
>> idmap config mydomain:range = 10000-99999
>> idmap config mydomain:backend = rid
>> idmap config *:range = 2000-9999
>> idmap config * : backend = tdb

> Your 'idmap config' block on ALL Unix domain members needs to be
> something like this:
>
> idmap config * : backend = tdb
> idmap config *:range = 2000-9999
> idmap config domain : backend = rid
> idmap config domain : range = 10000-99999
>
> Your samba versions are not new enough to use 'idmap config
> mydomain:schema_mode = rfc2307' and you wouldn't use it with the 'rid'
> backend.

So server 1) is OK already, aside from the 'idmap config
mydomain:schema_mode = rfc2307' which should be removed then, right?

this would be the base then and that is good as it is a much larger
server with many shares etc -> I would prefer not to have to chown much
there.

The other sambas are for smaller departments etc : easier to fix, I
assume.

thanks