On 2017-06-22 at 10:44, Rowland Penny via samba wrote:
>> Can I fix that without breaking things?
>
> If your users have files stored on the domain members, probably not.

I understand that this just creates the need to run some
chown/chgrp-commands after correcting smb.conf and restarting samba?

> Your 'idmap config' block on ALL Unix domain members needs to be
> something like this:
>
> idmap config * : backend = tdb
> idmap config *:range = 2000-9999
> idmap config domain : backend = rid
> idmap config domain : range = 10000-99999

I am never sure how to specify $domain in the 2nd two settings here.

In this case the Domain is called ABC.XYZ and for example:

# net ads info | grep Realm
ABC.XYZ

and in smb.conf

workgroup = XYZ
realm =ABC.XYZ

and in krb5.conf

default_realm = ABX.XYZ

so is it ->

idmap config XYZ : backend = rid

or

idmap config ABC.XYZ : backend = rid

?

> Your samba versions are not new enough to use 'idmap config
> mydomain:schema_mode = rfc2307' and you wouldn't use it with the 'rid'
> backend.

Yes. I just try to stay at the versions the stable repos give me ...

> This is deprecated: 'idmap config domain : base_rid = 0' because '0' is
> the default.

ok

> If you use something like the above on all Unix domain members, you
> will always get the same IDs because the 'rid' backend calculates the
> ID from the RID.

Looking forward to correcting that, thanks!

On Thu, 22 Jun 2017 12:56:25 +0200
"Stefan G. Weichinger via samba" <samba at lists.samba.org> wrote:

> On 2017-06-22 at 10:44, Rowland Penny via samba wrote:
>
> >> Can I fix that without breaking things?
> >
> > If your users have files stored on the domain members, probably not.
>
> I understand that this just creates the need to run some
> chown/chgrp-commands after correcting smb.conf and restarting samba?

I suppose it boils down to your definition of 'breaking things' ;-)
A user suddenly getting a new ID would be a breakage for me.
Using chown will fix things.

> > Your 'idmap config' block on ALL Unix domain members needs to be
> > something like this:
> >
> > idmap config * : backend = tdb
> > idmap config *:range = 2000-9999
> > idmap config domain : backend = rid
> > idmap config domain : range = 10000-99999
>
> I am never sure how to specify $domain in the 2nd two settings here.
>
> In this case the Domain is called ABC.XYZ and for example:

I think you may be confusing the DNS domain with the NetBIOS domain
(which is also called 'WORKGROUP')

> # net ads info | grep Realm
> ABC.XYZ
>
> and in smb.conf
>
> workgroup = XYZ
> realm =ABC.XYZ
>
> and in krb5.conf
>
> default_realm = ABX.XYZ
>
> so is it ->
>
> idmap config XYZ : backend = rid

^^^ THIS ^^^

> or
>
> idmap config ABC.XYZ : backend = rid

^^^ NEVER THIS ^^

Rowland

On 2017-06-22 at 13:10, Rowland Penny via samba wrote:
> On Thu, 22 Jun 2017 12:56:25 +0200
> "Stefan G. Weichinger via samba" <samba at lists.samba.org> wrote:
>
>> On 2017-06-22 at 10:44, Rowland Penny via samba wrote:
>>
>>>> Can I fix that without breaking things?
>>>
>>> If your users have files stored on the domain members, probably not.
>>
>> I understand that this just creates the need to run some
>> chown/chgrp-commands after correcting smb.conf and restarting samba?
>
> I suppose it boils down to your definition of 'breaking things' ;-)
> A user suddenly getting a new ID would be a breakage for me.
> Using chown will fix things.

Adjusted settings on one server after stopping samba

After a start (testparm OK) the output is still the same.

Do I have to delete some local file or so to reforce new GIDs/UIDs?

I now have:

[global]
    realm = ABC.XYZ
    server string = samba08
    workgroup = XYZ
    os level = 65
    preferred master = No
    logon home =
    logon path =
    disable spoolss = Yes
    load printers = No
    printcap name = /dev/null
    dedicated keytab file = /etc/krb5.keytab
    kerberos method = secrets and keytab
    map to guest = Bad User
    map untrusted to domain = Yes
    security = ADS
    username map = /etc/samba/smbusers
    template shell = /bin/bash
    winbind enum groups = Yes
    winbind enum users = Yes
    winbind refresh tickets = Yes
    winbind use default domain = Yes
    idmap config lietz:schema_mode = rfc2307
    idmap config lietz:range = 10000-99999
    idmap config lietz:backend = rid
    idmap config *:range = 2000-9999
    idmap config * : backend = tdb
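
Added example, not part of any message in this thread and not Samba code: a small Python check for the two 'idmap config' mistakes discussed above (realm used instead of workgroup, schema_mode combined with the 'rid' backend), plus the 'rid' calculation that makes IDs identical on every member. The sample config, the RID values and the function names are constructed for illustration.

```python
import re
# Constructed smb.conf fragment, modelled on the settings quoted in the thread.
SAMPLE = """
[global]
workgroup = XYZ
realm = ABC.XYZ
idmap config * : backend = tdb
idmap config *:range = 2000-9999
idmap config ABC.XYZ : backend = rid
idmap config ABC.XYZ : range = 10000-99999
idmap config ABC.XYZ : schema_mode = rfc2307
"""
IDMAP_KEY = re.compile(r"idmap config\s+(\S+?)\s*:\s*(.+)$", re.I)

def parse(text):
    """Split an smb.conf fragment into plain options and per-domain idmap options."""
    opts, idmap = {}, {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        if not sep or key.startswith(("#", ";", "[")):
            continue
        key, value = key.strip(), value.strip()
        m = IDMAP_KEY.match(key)
        if m:
            idmap.setdefault(m.group(1).upper(), {})[m.group(2).lower()] = value
        else:
            opts[key.lower()] = value
    return opts, idmap

def audit(text):
    """Report the two idmap mistakes discussed in the thread."""
    opts, idmap = parse(text)
    workgroup, realm = opts.get("workgroup", "").upper(), opts.get("realm", "").upper()
    findings = []
    for dom, cfg in idmap.items():
        if dom != "*" and dom == realm and dom != workgroup:
            findings.append(f"{dom}: this is the realm; use the workgroup {workgroup}")
        if cfg.get("backend", "").lower() == "rid" and "schema_mode" in cfg:
            findings.append(f"{dom}: schema_mode is not used with the rid backend")
    return findings

def rid_to_id(rid, id_range, base_rid=0):
    """idmap_rid: ID = RID - BASE_RID + LOW_RANGE_ID; None when outside the range."""
    low, high = (int(x) for x in id_range.split("-"))
    mapped = rid - base_rid + low
    return mapped if low <= mapped <= high else None

if __name__ == "__main__":
    print(audit(SAMPLE), rid_to_id(1105, "10000-99999"))
```

Because the mapped ID depends only on the RID and the configured range, any member whose range differs from the others will assign different owners to the same account, which is what forces the chown/chgrp pass after a correction.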