Rowland,

Sorry, now I am really confused . . . I thought users were supposed to maintain the same ranges on all the member servers?

My ranges came from the v4.1 days when I was running Sernet version (before they moved to a pay for model.)

I am trying to join a linux workstation to my domain (if that makes a difference.)

On Sun, Sep 23, 2018 at 4:01 PM, Rowland Penny via samba <samba at lists.samba.org> wrote:

> On Sun, 23 Sep 2018 15:31:06 -0500
> Robert Wooden via samba <samba at lists.samba.org> wrote:
>
> > Good to hear I was correct about all members having same ranges.
> >
> > Now, I have had this idmap sequence order for years in my smb.conf
> > files and have copy pasted always moving forward.
> >
> > Sorry if I am misunderstanding you but, you're saying invert them,
> > listing the SAMDOM first followed by the "*"?
> >
> > like this example?
> >
> > idmap config SAMDOM : backend = rid
> > idmap config SAMDOM : range = 10000-40000
> > idmap config * : backend = tdb
> > idmap config * : range = 50001-80000
> >
>
> Er, no, you are stuck with the above on an existing Unix
> domain member, but on new Unix domain members I would use this:
>
> idmap config * : backend = tdb
> idmap config * : range = 3000-7999
> idmap config SAMDOM : backend = rid
> idmap config SAMDOM : range = 10000-80000
>
> The '*' domain is for the 'Well Known SIDs' and anything outside of the
> 'SAMDOM' domain and there are less than 200 'Well Known SIDs', so 4999
> ID's should be more than enough.
> When it comes to the 'SAMDOM' domain, if you do reach the user ID
> '80001', this wouldn't be a problem with my suggested lines, just
> change the '80000' to '90000'. If the '*' domain is above the 'SAMDOM'
> domain, then you are limited to the difference between the high number
> for the 'SAMDOM' range and the low number for the '*' range. In your
> case '40000' and '50001', for most people this might not be a problem,
> but for some, it would be a big problem.
>
> Rowland

--
Thank you.
Bob Wooden

On Tue, 25 Sep 2018 06:31:46 -0500 Robert Wooden <bob at donelsontrophy.com> wrote:

> Rowland,
>
> Sorry, now I am really confused . . . I thought users were suppose to
> maintain the same ranges on all the member servers?

Sorry, it wasn't my intention to confuse you ;-)

Let's start with, never change the ranges on an existing Unix domain member, unless you are just raising the upper number in the 'Domain' range e.g.

Change:

    idmap config SAMDOM : range = 10000-40000

To:

    idmap config SAMDOM : range = 10000-50000

If you use the 'ad' backend, then you MUST use the same 'idmap config' block on all Unix domain members.

If you use the 'rid' backend, then the numeric ID's are local and can be different on each Unix domain member. You must remember that the 'rid' backend calculates user & group ID's from the Windows RID and every 'ID' will be unique.

If you set up a new 'rid' based Unix domain member, you can use the 'idmap config' I suggested and you will be able to copy files from this domain member to one of your older domain members and the ownership will remain the same.

I hope this clears up the confusion, if not, just ask.

Rowland

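The mapping and range limits discussed in the message above, worked through as an added example (not code from either poster). It uses the formula from the idmap_rid manual page, ID = RID - BASE_RID + LOW_RANGE_ID, and assumes the default base_rid of 0; the RIDs in the comments and the helper names are constructed for illustration.

```python
import re

# The two 'idmap config' blocks quoted in the thread.
OLD_MEMBER = """
idmap config SAMDOM : backend = rid
idmap config SAMDOM : range = 10000-40000
idmap config * : backend = tdb
idmap config * : range = 50001-80000
"""
NEW_MEMBER = """
idmap config * : backend = tdb
idmap config * : range = 3000-7999
idmap config SAMDOM : backend = rid
idmap config SAMDOM : range = 10000-80000
"""

LINE = re.compile(r"^\s*idmap config\s+(\S+)\s*:\s*(\w+)\s*=\s*(\S+)\s*$", re.M)

def parse_idmap(conf):
    """Return {domain: {"backend": str, "range": (low, high)}}."""
    out = {}
    for dom, key, val in LINE.findall(conf):
        entry = out.setdefault(dom, {})
        if key == "range":
            low, high = val.split("-")
            entry["range"] = (int(low), int(high))
        else:
            entry[key] = val
    return out

def rid_to_id(rid, rng, base_rid=0):
    """Unix ID the rid backend derives for a RID, or None if outside the range."""
    low, high = rng
    xid = rid - base_rid + low
    return xid if low <= xid <= high else None

def growth_room(cfg, dom):
    """IDs by which dom's upper bound can be raised before it meets the next
    configured range above it; None when no other range sits above."""
    high = cfg[dom]["range"][1]
    above = [e["range"][0] for d, e in cfg.items()
             if d != dom and e["range"][0] > high]
    return min(above) - 1 - high if above else None

if __name__ == "__main__":
    for name, conf in (("old", OLD_MEMBER), ("new", NEW_MEMBER)):
        cfg = parse_idmap(conf)
        rng = cfg["SAMDOM"]["range"]
        # RID 1105 fits both ranges; RID 35000 only fits the wider one.
        print(name, rid_to_id(1105, rng), rid_to_id(35000, rng),
              growth_room(cfg, "SAMDOM"))
```

Both blocks give the same Unix ID for a RID that fits either range because the low end of the SAMDOM range is 10000 in each, which is why file ownership survives a copy between the two members.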
So, one question at a time. Best practice would be for all the member servers to be the same "ad" or "rid" setting?

Second question. (You mentioned new to old.) If moving data files *from* old ("ad") member server to new ("rid") member server with ranges as you suggested would correct my strange ranges?

On Tue, Sep 25, 2018 at 7:15 AM, Rowland Penny via samba <samba at lists.samba.org> wrote:

> On Tue, 25 Sep 2018 06:31:46 -0500
> Robert Wooden <bob at donelsontrophy.com> wrote:
>
> > Rowland,
> >
> > Sorry, now I am really confused . . . I thought users were suppose to
> > maintain the same ranges on all the member servers?
>
> Sorry, it wasn't my intention to confuse you ;-)
>
> Lets start with, never change the ranges on an existing Unix domain
> member, unless you are just raising the upper number in the 'Domain'
> range e.g.
>
> Change:
>
> idmap config SAMDOM : range = 10000-40000
>
> To:
>
> idmap config SAMDOM : range = 10000-50000
>
> If you use the 'ad' backend, then you MUST use the same 'idmap config'
> block on all Unix domain members.
>
> If you use the 'rid' backend, then the numeric ID's are local and can
> be different on each Unix domain member. You must remember that the
> 'rid' backend calculates user & group ID's from the Windows RID and
> every 'ID' will be unique
>
> If you set up a new 'rid' based Unix domain member, you can use the
> 'idmap config' I suggested and you will be able to copy files from
> this domain member to one of your older domain members and the
> ownership will remain the same.
>
> I hope this clears up the confusing, if not, just ask.
>
> Rowland

--
Thank you.
Bob Wooden