On Wed, 2022-03-02 at 14:24 +0100, Lars Schimmer via samba wrote:
>
> I did setup a new debian bullseye system to test different configs.
> And just did leave/reboot/join/reboot the domain
>
> > > idmap config * : backend = tdb
> > > idmap config * : range = 99000000-99999999
> > > #idmap config for the XYZ domain
> > > idmap config XYZ:backend = ad
> > > #idmap config XYZ:schema_mode = template
> > > idmap config XYZ:schema_mode = rfc2307
> > > idmap config XYZ:range = 100-98999999
> > >
> >
> > If the uidNumbers in AD start at '1000', then the low range for
> > 'XYZ' should start at '1000'
>
> Ok, but lower should not harm, or?
Probably will have no effect, but best practise is start the DOMAIN low
range at the lowest uidNumber.
>
>
> Right. That was just a test. Also the RID idmap backend does work for
> all users, but it does not have stable uids over all linux systems :-/
That shows that the domain is working, so it has to be a problem with
your 'ad' setup
>
> > >
> [global]
> security = ADS
> workgroup = CGV
> realm = CGV.TUGRAZ.AT
> dns proxy = no
> bind interfaces only = yes
> interfaces = lo 129.27.218.0/24
> # Default idmap config for local BUILTIN accounts and groups
> # Mandatory, but hopefully not used, because the ids must not overlap
> idmap config * : backend = tdb
> idmap config * : range = 990000-999999
> # idmap config for the CGV domain
> idmap config CGV:backend = ad
> idmap config CGV:schema_mode = template
> idmap config CGV:range = 1000-989999
> winbind nss info = template
> template shell = /bin/zsh
> template homedir = /home/%U
> winbind enum users = yes
> winbind enum groups = yes
> winbind use default domain = yes
> map to guest = bad user
>
> Also just did a test on members:
> members "Domain Users"
> Admin1 Admin2 Admin3
> and no one else. Although we got >50 accounts in that group, not all
> with gid.
Again, that will only show users that have a uidNumber attribute
containing a number inside the '1000-989999' range you set in smb.conf
AND Domain Users must have a gidNumber inside the same range.
Rowland