Good to hear I was correct about all members having same ranges.

Now, I have had this idmap sequence order for years in my smb.conf
files and have copy pasted always moving forward.

Sorry if I am misunderstanding you but, you're saying invert them,
listing the SAMDOM first followed by the "*"?

like this example?

idmap config SAMDOM : backend = rid
idmap config SAMDOM : range = 10000-40000
idmap config * : backend = tdb
idmap config * : range = 50001-80000

On Sun, Sep 23, 2018 at 2:27 PM, Rowland Penny via samba <samba at lists.samba.org> wrote:

> On Sun, 23 Sep 2018 14:10:59 -0500
> Robert Wooden via samba <samba at lists.samba.org> wrote:
>
> > When there are multiple (two in my case) member servers on the same
> > domain, should the following be the same values across all member
> > servers?
> >
> > idmap config * : backend = tdb
> > idmap config * : range = 50001-80000 << same value on all member servers
> > idmap config SAMDOM : backend = rid << same value on all member servers
> > idmap config SAMDOM : range = 10000-40000 << same value on all member servers
> >
> > As I read the wiki pages, I believe I am understanding this correctly?
> >
>
> It wouldn't matter if there were 222 Unix domain members, as long as you
> use exactly the same smb.conf on all of them, you will get the same
> ID's on all of them (hint, do not set 'netbios name' in any of them).
>
> I know most examples show setting the '*' domain above the 'DOMAIN',
> but there is a problem with this, what happens when you get to (in your
> case) user 50001 ??
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba

--
Thank you.
Bob Wooden

On Sun, 23 Sep 2018 15:31:06 -0500
Robert Wooden via samba <samba at lists.samba.org> wrote:

> Good to hear I was correct about all members having same ranges.
>
> Now, I have had this idmap sequence order for years in my smb.conf
> files and have copy pasted always moving forward.
>
> Sorry if I am misunderstanding you but, you're saying invert them,
> listing the SAMDOM first followed by the "*"?
>
> like this example?
>
> idmap config SAMDOM : backend = rid
> idmap config SAMDOM : range = 10000-40000
> idmap config * : backend = tdb
> idmap config * : range = 50001-80000
>

Er, no, you are stuck with the above on an existing Unix
domain member, but on new Unix domain members I would use this:

idmap config * : backend = tdb
idmap config * : range = 3000-7999
idmap config SAMDOM : backend = rid
idmap config SAMDOM : range = 10000-80000

The '*' domain is for the 'Well Known SIDs' and anything outside of the
'SAMDOM' domain and there are less than 200 'Well Known SIDs', so 4999
ID's should be more than enough.
When it comes to the 'SAMDOM' domain, if you do reach the user ID
'80001', this wouldn't be a problem with my suggested lines, just
change the '80000' to '90000'. If the '*' domain is above the 'SAMDOM'
domain, then you are limited to the difference between the high number
for the 'SAMDOM' range and the low number for the '*' range. In your
case '40000' and '50001', for most people this might not be a problem,
but for some, it would be a big problem.

Rowland
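
Added example, not part of the original messages and not Samba code: a small checker that parses the `idmap config` lines of the two layouts quoted above, confirms the ranges do not overlap, and computes how far each domain's range can still be raised. The function names are hypothetical; `max_rid` assumes the idmap_rid mapping ID = RID - base_rid + low with the default `base_rid` of 0.

```python
import re
from itertools import combinations

# Constructed samples: the two layouts quoted in the thread.
EXISTING = """
idmap config * : backend = tdb
idmap config * : range = 50001-80000
idmap config SAMDOM : backend = rid
idmap config SAMDOM : range = 10000-40000
"""
SUGGESTED = """
idmap config * : backend = tdb
idmap config * : range = 3000-7999
idmap config SAMDOM : backend = rid
idmap config SAMDOM : range = 10000-80000
"""
LINE = re.compile(r"^\s*idmap config\s+(\S+)\s*:\s*([\w ]+?)\s*=\s*(\S+)\s*$", re.I)

def parse_idmap(text):
    """Return {domain: {"backend": str, "range": (low, high)}}."""
    domains = {}
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # not an idmap line (blank, comment, other option)
        dom, key, val = m.group(1), m.group(2).lower(), m.group(3)
        if key == "range":
            val = tuple(int(x) for x in val.split("-"))
        domains.setdefault(dom, {})[key] = val
    return domains

def overlaps(domains):
    """Pairs of domains whose ID ranges intersect (should be empty)."""
    return [(a, b) for a, b in combinations(sorted(domains), 2)
            if domains[a]["range"][0] <= domains[b]["range"][1]
            and domains[b]["range"][0] <= domains[a]["range"][1]]

def growth_ceiling(domains, name):
    """Highest ID `name`'s range can be raised to before it meets the next
    configured range; None when nothing is configured above it."""
    high = domains[name]["range"][1]
    above = [d["range"][0] for n, d in domains.items()
             if n != name and d["range"][0] > high]
    return min(above) - 1 if above else None

def max_rid(domains, name, base_rid=0):
    """Largest RID the rid backend can map: ID = RID - base_rid + low."""
    low, high = domains[name]["range"]
    return high - low + base_rid
```

With the existing layout, `growth_ceiling` for SAMDOM is 50000 because the '*' range starts at 50001; with the suggested layout it is `None`, so the upper bound can be raised without colliding with '*'.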

Rowland,

Sorry, now I am really confused . . .

I thought users were supposed to maintain the same ranges on all the
member servers? My ranges came from the v4.1 days when I was running
Sernet version (before they moved to a pay for model.)

I am trying to join a linux workstation to my domain (if that makes a
difference.)

On Sun, Sep 23, 2018 at 4:01 PM, Rowland Penny via samba <samba at lists.samba.org> wrote:

> On Sun, 23 Sep 2018 15:31:06 -0500
> Robert Wooden via samba <samba at lists.samba.org> wrote:
>
> > Good to hear I was correct about all members having same ranges.
> >
> > Now, I have had this idmap sequence order for years in my smb.conf
> > files and have copy pasted always moving forward.
> >
> > Sorry if I am misunderstanding you but, you're saying invert them,
> > listing the SAMDOM first followed by the "*"?
> >
> > like this example?
> >
> > idmap config SAMDOM : backend = rid
> > idmap config SAMDOM : range = 10000-40000
> > idmap config * : backend = tdb
> > idmap config * : range = 50001-80000
> >
>
> Er, no, you are stuck with the above on an existing Unix
> domain member, but on new Unix domain members I would use this:
>
> idmap config * : backend = tdb
> idmap config * : range = 3000-7999
> idmap config SAMDOM : backend = rid
> idmap config SAMDOM : range = 10000-80000
>
> The '*' domain is for the 'Well Known SIDs' and anything outside of the
> 'SAMDOM' domain and there are less than 200 'Well Known SIDs', so 4999
> ID's should be more than enough.
> When it comes to the 'SAMDOM' domain, if you do reach the user ID
> '80001', this wouldn't be a problem with my suggested lines, just
> change the '80000' to '90000'. If the '*' domain is above the 'SAMDOM'
> domain, then you are limited to the difference between the high number
> for the 'SAMDOM' range and the low number for the '*' range. In your
> case '40000' and '50001', for most people this might not be a problem,
> but for some, it would be a big problem.
>
> Rowland

--
Thank you.
Bob Wooden