On Mon, 4 Dec 2017 12:56:37 +0100
"Stefan G. Weichinger" <lists at xunil.at> wrote:
> On 2017-12-04 at 12:42, Rowland Penny wrote:
>
> > I take it that 'arbeitsgruppe' is the workgroup name, it should be
> > 'ARBEITSGRUPPE' in the 'idmap config' lines.
>
> The output of testparm shows them lowercase, smb.conf has it in
> uppercase:
>
> [global]
> security = ADS
> workgroup = ARBEITSGRUPPE
> realm = arbeitsgruppe.hidden.tld
> log file = /var/log/samba/%m.log
> log level = 1
>
> idmap config * : backend = tdb
> idmap config * : range = 2000-9999
>
> idmap config ARBEITSGRUPPE:backend = ad
> idmap config ARBEITSGRUPPE:range = 10000-9999999
> idmap config ARBEITSGRUPPE:schema_mode = rfc2307
>
> username map = /etc/samba/user.map
>
> winbind use default domain = Yes
> winbind refresh tickets = Yes
> winbind nss info = rfc2307
>
> load printers = No
> printcap name = /dev/null
>
> vfs objects = acl_xattr
> map acl inherit = yes
> store dos attributes = yes
>
> > The '*' range is used to store the Well Known SIDs and anything
> > outside the 'arbeitsgruppe' domain, 7999 IDs is more than enough
> > for this, in fact 999 IDs should have been enough, there are less
> > than 200 Well Known SIDs.
> > Your 'arbeitsgruppe' domain members should fit into 9989999 IDs
> >
> > I suspect that either your domain computers are not in fact domain
> > computers, or something is badly mis-configured.
>
> Well, I come back here to ask how to do things and configure DC and DM
> for over a year now. We discussed the config in various threads and I
> always follow your suggestions and the docs as well as I can and
> understand.
>
> Same this time. *I* don't know what is wrong or might be wrong.
>
> You suggest the domain computers might not be what they should be:
> domain computers. You mean, the windows PCs might be not joined
> correctly?

There doesn't seem to be anything really wrong with the smb.conf, unless
you are running a version of Samba from 4.6.0, see here for how to set
up idmap now:

https://wiki.samba.org/index.php/Idmap_config_ad

You can also find a list of Well Known SIDs here:

https://support.microsoft.com/en-us/help/243330/well-known-security-identifiers-in-windows-operating-systems

It may be, for some reason, your Windows clients are not joined, this
is unlikely, but worth checking.

Rowland
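
Added example, not part of the original message and not Samba project code: a small Python check over the idmap lines of the smb.conf quoted above. It flags an 'idmap config' domain name that does not match the workgroup (the case point raised in the thread, treated here as an exact, case-sensitive comparison, which is an assumption) and ID ranges that are missing or overlap. The names parse_idmap, check_idmap and SAMPLE_CONF are hypothetical.

```python
import re

# Constructed sample: the idmap-related lines from the smb.conf quoted above.
SAMPLE_CONF = """\
[global]
    workgroup = ARBEITSGRUPPE
    idmap config * : backend = tdb
    idmap config * : range = 2000-9999
    idmap config ARBEITSGRUPPE:backend = ad
    idmap config ARBEITSGRUPPE:range = 10000-9999999
    idmap config ARBEITSGRUPPE:schema_mode = rfc2307
"""

IDMAP_RE = re.compile(r"^\s*idmap config\s+(\S+?)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.I)
WORKGROUP_RE = re.compile(r"^\s*workgroup\s*=\s*(\S+)\s*$", re.I)

def parse_idmap(conf_text):
    """Return (workgroup, {domain: {option: value}}) from smb.conf text."""
    workgroup, domains = None, {}
    for line in conf_text.splitlines():
        if line.lstrip().startswith(("#", ";")):
            continue  # skip comment lines
        m = WORKGROUP_RE.match(line)
        if m:
            workgroup = m.group(1)
            continue
        m = IDMAP_RE.match(line)
        if m:
            domains.setdefault(m.group(1), {})[m.group(2).lower()] = m.group(3)
    return workgroup, domains

def check_idmap(conf_text):
    """Return a list of findings; an empty list means the checks passed."""
    workgroup, domains = parse_idmap(conf_text)
    findings, ranges = [], []
    for dom, opts in domains.items():
        # Assumption: the domain name must equal the workgroup exactly.
        if dom != "*" and workgroup and dom != workgroup:
            findings.append(f"domain '{dom}' does not match workgroup '{workgroup}'")
        m = re.fullmatch(r"(\d+)\s*-\s*(\d+)", opts.get("range", ""))
        if not m or int(m.group(1)) > int(m.group(2)):
            findings.append(f"domain '{dom}' has no valid range")
            continue
        ranges.append((int(m.group(1)), int(m.group(2)), dom))
    ranges.sort()  # after sorting, any overlap shows up between neighbours
    for (lo1, hi1, d1), (lo2, hi2, d2) in zip(ranges, ranges[1:]):
        if lo2 <= hi1:
            findings.append(f"ranges of '{d1}' and '{d2}' overlap")
    return findings
```

Run against the configuration as posted, check_idmap(SAMPLE_CONF) returns an empty list.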