On Tue, Jun 30, 2020 at 11:24 AM Rowland penny via samba <samba at lists.samba.org> wrote:
>
> On 30/06/2020 09:50, Anders Östling wrote:
> >
> >> You have 'workgroup = HPLTS' and 'idmap config dg11', again, they must match
> > As I wrote in the previous reply, that was a mistake from the initial
> > deployment. However, I have a copy of the VM and when I corrected DG11
> > to HLPTS and restarted the services, this happens:
> >
> > getent group "Oldgroup" returns a value in the 10000 range (as
> > specified in the idmap config * statement).
> If 'oldgroup' isn't in the 'HLPTS' domain, this is to be expected.
> > I now created a new group in the domain, and expected to get a value
> > in the range 30000 (as specified in the idmap config HPTLS statement).
> You should.
> > Again, I probably don't understand the different backends (tdb vs rid)
> > functions enough.
> The default domain '*' uses tdb and is an allocating db, the 'rid'
> backend for your HPTLS domain uses the AD object's RID to calculate the
> Unix ID.
> > The new group was given an id of 10032, so it seems
> > as if the * statement still is the used range. Is this expected
> > behaviour?
> No, it isn't, if the group exists in AD and the AD domain name is
> 'HPTLS', from what you have posted, I would expect the Unix ID to start
> with a '3'. Have you run 'net cache flush' ?

I did this on the test system but can't see any difference. Both the old and newly created groups have id's in the 10000 range.

WHAT IF:
I remove the server from the domain
Delete the tdb and ldb databases
Correct the idmap statements as recommended
Rejoin the domain

I assume that all accounts and groups will get new id's in the 30000-range. Do I need to re-apply all folder and file permissions from the Windows server to get them correctly mapped?

Thank you for your patience!

Anders

> > In the meantime, I will try to read up on the backends and
> > get a better understanding.
>
> tdb is only used for the '*' domain, ID's start from the lower number
> you set in smb.conf
>
> rid is used for the DOMAIN domain (HPTLS in your case), ID's are
> calculated by adding the object's rid to the lower number you set in
> smb.conf. For instance Domain Users ID will be 30000 + 513 = 30513
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba

--
-----------------------------------------------------------------------------------------------------------------------
This signature contains 100% recyclable electrons as prescribed by Mother Nature
Anders Östling
+46 768 716 165 (Mobil)
+46 431 45 56 01 (Hem)
On 30/06/2020 10:34, Anders Östling wrote:
> On Tue, Jun 30, 2020 at 11:24 AM Rowland penny via samba
> <samba at lists.samba.org> wrote:
>> On 30/06/2020 09:50, Anders Östling wrote:
>>
>>>> You have 'workgroup = HPLTS' and 'idmap config dg11', again, they must match
>>> As I wrote in the previous reply, that was a mistake from the initial
>>> deployment. However, I have a copy of the VM and when I corrected DG11
>>> to HLPTS and restarted the services, this happens:
>>>
>>> getent group "Oldgroup" returns a value in the 10000 range (as
>>> specified in the idmap config * statement).
>> If 'oldgroup' isn't in the 'HLPTS' domain, this is to be expected.
>>> I now created a new group in the domain, and expected to get a value
>>> in the range 30000 (as specified in the idmap config HPTLS statement).
>> You should.
>>> Again, I probably don't understand the different backends (tdb vs rid)
>>> functions enough.
>> The default domain '*' uses tdb and is an allocating db, the 'rid'
>> backend for your HPTLS domain uses the AD object's RID to calculate the
>> Unix ID.
>>> The new group was given an id of 10032, so it seems
>>> as if the * statement still is the used range. Is this expected
>>> behaviour?
>> No, it isn't, if the group exists in AD and the AD domain name is
>> 'HPTLS', from what you have posted, I would expect the Unix ID to start
>> with a '3'. Have you run 'net cache flush' ?
> I did this on the test system but can't see any difference. Both the
> old and newly created groups have id's in the 10000 range.
>
> WHAT IF:
> I remove the server from the domain
> Delete the tdb and ldb databases
> Correct the idmap statements as recommended
> Rejoin the domain

You could try that, but you shouldn't have to ;-)

If a user exists in AD and has the RID '1107' and you have this in smb.conf:

        idmap config * : backend = tdb
        idmap config * : range = 10000-20000
        idmap config HPLTS : backend = rid
        idmap config HPLTS : range = 30000-40000

Then on a domain joined Unix machine, I would expect the user's Unix ID to be '31107', this would also depend on the user not being in /etc/passwd

> I assume that all accounts and groups will get new id's in the
> 30000-range.

Yes, except for just one possible gotcha, if a user has the rid 11107, then the Unix ID would be 30000 + 11107 = 41107. This is larger than 40000, so it would be ignored, but you would have to have a very large domain for this to happen, it is also easy to fix, just replace 40000 with a larger number.

> Do I need to re-apply all folder and file permissions
> from the Windows server to get them correctly mapped?

If you have files etc. belonging to different ID's then yes.

Rowland
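As an added illustration (not from the thread and not Samba's own code), the snippet below parses the idmap config lines quoted above and reproduces the rid arithmetic Rowland describes: lower bound + RID, with the out-of-range case (30000 + 11107 = 41107 > 40000) returning None, plus a check that the workgroup name actually has a matching idmap entry. The smb.conf fragment is constructed and the function names are assumptions.

```python
import re
from typing import Optional

# Constructed smb.conf fragment with the settings quoted in the thread.
SMB_CONF = """
[global]
   workgroup = HPLTS
   idmap config * : backend = tdb
   idmap config * : range = 10000-20000
   idmap config HPLTS : backend = rid
   idmap config HPLTS : range = 30000-40000
"""

IDMAP_RE = re.compile(r"^\s*idmap config\s+(\S+)\s*:\s*(backend|range)\s*=\s*(\S+)\s*$", re.I)
WORKGROUP_RE = re.compile(r"^\s*workgroup\s*=\s*(\S+)\s*$", re.I)

def parse_idmap(conf: str) -> dict:
    """Collect {DOMAIN: {'backend': str, 'range': (low, high)}} from smb.conf text."""
    domains: dict = {}
    for line in conf.splitlines():
        m = IDMAP_RE.match(line)
        if not m:
            continue
        dom, key, val = m.group(1).upper(), m.group(2).lower(), m.group(3)
        entry = domains.setdefault(dom, {})
        if key == "range":
            low, high = (int(x) for x in val.split("-", 1))
            entry["range"] = (low, high)
        else:
            entry["backend"] = val.lower()
    return domains

def rid_to_unix_id(domains: dict, domain: str, rid: int) -> Optional[int]:
    """Unix ID the rid backend yields (range lower bound + RID); None if the domain
    has no rid backend or the sum leaves the range, e.g. 30000 + 11107 = 41107 > 40000."""
    entry = domains.get(domain.upper())
    if not entry or entry.get("backend") != "rid" or "range" not in entry:
        return None
    low, high = entry["range"]
    unix_id = low + rid
    return unix_id if low <= unix_id <= high else None

def workgroup_has_idmap(conf: str, domains: dict) -> bool:
    """True when the workgroup name has its own idmap entry; with a typo such as
    'idmap config HPTLS' under 'workgroup = HPLTS' objects fall back to the '*' range."""
    for line in conf.splitlines():
        m = WORKGROUP_RE.match(line)
        if m:
            return m.group(1).upper() in domains
    return False
```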
On Tue, Jun 30, 2020 at 11:57 AM Rowland penny via samba <samba at lists.samba.org> wrote:
>
> On 30/06/2020 10:34, Anders Östling wrote:
> > On Tue, Jun 30, 2020 at 11:24 AM Rowland penny via samba
> > <samba at lists.samba.org> wrote:
> >> On 30/06/2020 09:50, Anders Östling wrote:
> >>
> >>>> You have 'workgroup = HPLTS' and 'idmap config dg11', again, they must match
> >>> As I wrote in the previous reply, that was a mistake from the initial
> >>> deployment. However, I have a copy of the VM and when I corrected DG11
> >>> to HLPTS and restarted the services, this happens:
> >>>
> >>> getent group "Oldgroup" returns a value in the 10000 range (as
> >>> specified in the idmap config * statement).
> >> If 'oldgroup' isn't in the 'HLPTS' domain, this is to be expected.
> >>> I now created a new group in the domain, and expected to get a value
> >>> in the range 30000 (as specified in the idmap config HPTLS statement).
> >> You should.
> >>> Again, I probably don't understand the different backends (tdb vs rid)
> >>> functions enough.
> >> The default domain '*' uses tdb and is an allocating db, the 'rid'
> >> backend for your HPTLS domain uses the AD object's RID to calculate the
> >> Unix ID.
> >>> The new group was given an id of 10032, so it seems
> >>> as if the * statement still is the used range. Is this expected
> >>> behaviour?
> >> No, it isn't, if the group exists in AD and the AD domain name is
> >> 'HPTLS', from what you have posted, I would expect the Unix ID to start
> >> with a '3'. Have you run 'net cache flush' ?
> > I did this on the test system but can't see any difference. Both the
> > old and newly created groups have id's in the 10000 range.
> >
> > WHAT IF:
> > I remove the server from the domain
> > Delete the tdb and ldb databases
> > Correct the idmap statements as recommended
> > Rejoin the domain
>
> You could try that, but you shouldn't have to ;-)
>

Let's play :)

> If a user exists in AD and has the RID '1107' and you have this in smb.conf:
>
>         idmap config * : backend = tdb
>         idmap config * : range = 10000-20000
>         idmap config HPLTS : backend = rid
>         idmap config HPLTS : range = 30000-40000
>
> Then on a domain joined Unix machine, I would expect the user's Unix ID
> to be '31107', this would also depend on the user not being in /etc/passwd
>
> > I assume that all accounts and groups will get new id's in the
> > 30000-range.
> Yes, except for just one possible gotcha, if a user has the rid 11107,
> then the Unix ID would be 30000 + 11107 = 41107. This is larger than
> 40000, so it would be ignored, but you would have to have a very large
> domain for this to happen, it is also easy to fix, just replace 40000
> with a larger number.

It's a quite small domain so that should not be an issue within the next 100 years.

> > Do I need to re-apply all folder and file permissions
> > from the Windows server to get them correctly mapped?
>
> If you have files etc. belonging to different ID's then yes.
>

I did try this, and the old id's in the 10000-range are still there on the folders. All users and groups are now in the 30000-range, as expected. The *share* permissions seem to be correct, but not folders and files. It will be a major PITA to correct them afterwards manually, so I will see if I can find a PS-script that collects the ACL's before the change and then re-applies them afterwards. I will continue to scan the net for this. I really want the installation to be as "correct" as possible.

Anders

> Rowland