L.P.H. van Belle
2022-Mar-23 16:01 UTC
[Samba] AD/RID backends and group mappings on member
Hai,

I'm wondering, I'm testing a bit with backends AD and RID.

This part of the smb.conf

## Map id's outside the ADDOM to tdb files.
idmap config * : backend = tdb
idmap config * : range = 2000-9999

## Backend AD
## map ids from the domain the range may not overlap !
# idmap config ADDOM : backend = ad
# idmap config ADDOM : schema_mode = rfc2307
# idmap config ADDOM : range = 10000-3999999
# idmap config ADDOM : unix_primary_group = yes
# idmap config ADDOM : unix_nss_info = yes

## Backend RID
## map ids from the domain the range may not overlap !
idmap config ADDOM : backend = rid
idmap config ADDOM : range = 10000-3999999
## Template settings for login shell and home directory
template shell = /bin/bash
template homedir = /home/%U

Before restart and after I change the backend, I run : net cache flush

If I run my server in a RID backend setup and I check my group mappings.
net groupmap list
Guests (S-1-5-32-546) -> BUILTIN\guests
Administrators (S-1-5-32-544) -> BUILTIN\administrators
Users (S-1-5-32-545) -> 2001

And again but with the AD backend enabled.
net groupmap list
Guests (S-1-5-32-546) -> BUILTIN\guests
Administrators (S-1-5-32-544) -> 2000
Users (S-1-5-32-545) -> BUILTIN\users


Can someone explain why I see 2 different things here,
shouldn't these BUILTIN not be the same.

What am I missing here.

Greetz,

Louis

On Wed, 2022-03-23 at 17:01 +0100, L.P.H. van Belle via samba wrote:
> Hai,
>
> I'm wondering, I'm testing a bit with backends AD and RID.
>
> This part of the smb.conf
>
> ## Map id's outside the ADDOM to tdb files.
> idmap config * : backend = tdb
> idmap config * : range = 2000-9999
>
> ## Backend AD
> ## map ids from the domain the range may not overlap !
> # idmap config ADDOM : backend = ad
> # idmap config ADDOM : schema_mode = rfc2307
> # idmap config ADDOM : range = 10000-3999999
> # idmap config ADDOM : unix_primary_group = yes
> # idmap config ADDOM : unix_nss_info = yes
>
> ## Backend RID
> ## map ids from the domain the range may not overlap !
> idmap config ADDOM : backend = rid
> idmap config ADDOM : range = 10000-3999999
> ## Template settings for login shell and home directory
> template shell = /bin/bash
> template homedir = /home/%U
>
> Before restart and after I change the backend, I run : net cache
> flush
>
> If I run my server in a RID backend setup and I check my group
> mappings.
> net groupmap list
> Guests (S-1-5-32-546) -> BUILTIN\guests
> Administrators (S-1-5-32-544) -> BUILTIN\administrators
> Users (S-1-5-32-545) -> 2001
>
> And again but with the AD backend enabled.
> net groupmap list
> Guests (S-1-5-32-546) -> BUILTIN\guests
> Administrators (S-1-5-32-544) -> 2000
> Users (S-1-5-32-545) -> BUILTIN\users
>
>
> Can someone explain why I see 2 different things here,
> shouldn't these BUILTIN not be the same.
>
> What am I missing here.

I have no idea what you are missing :-)

Using the winbind 'ad' idmap backend on one Unix domain member:

sudo net groupmap list
Guests (S-1-5-32-546) -> BUILTIN\guests
Administrators (S-1-5-32-544) -> BUILTIN\administrators
Users (S-1-5-32-545) -> BUILTIN\users

Using the winbind 'rid' idmap backend on another:

sudo net groupmap list
Guests (S-1-5-32-546) -> BUILTIN\guests
Administrators (S-1-5-32-544) -> BUILTIN\administrators
Users (S-1-5-32-545) -> BUILTIN\users

I do not get numbers at all.
Some form of cache problem?

Rowland
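
Added example, not part of either post or of Samba itself: a small diagnostic that parses the active `idmap config` ranges, checks them for overlap, and reports which configured range each bare gid in `net groupmap list` output falls into. The function names are hypothetical and the sample input is constructed from the text quoted in the thread.

```python
import re

# Constructed sample input: smb.conf lines and both outputs as quoted in the thread.
SMB_CONF = """\
idmap config * : range = 2000-9999
# idmap config ADDOM : backend = ad
idmap config ADDOM : backend = rid
idmap config ADDOM : range = 10000-3999999
"""
RID_RUN = """\
Guests (S-1-5-32-546) -> BUILTIN\\guests
Administrators (S-1-5-32-544) -> BUILTIN\\administrators
Users (S-1-5-32-545) -> 2001
"""
AD_RUN = """\
Guests (S-1-5-32-546) -> BUILTIN\\guests
Administrators (S-1-5-32-544) -> 2000
Users (S-1-5-32-545) -> BUILTIN\\users
"""

def idmap_ranges(conf):
    """Return {domain: (low, high)} for every active 'idmap config' range line."""
    pat = re.compile(r"^\s*idmap config\s+(\S+)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)", re.I)
    out = {}
    for line in conf.splitlines():
        m = pat.match(line)  # commented lines start with '#' and do not match
        if m:
            out[m.group(1)] = (int(m.group(2)), int(m.group(3)))
    return out

def overlaps(ranges):
    """Return pairs of domains whose ID ranges overlap."""
    doms = sorted(ranges)
    return [(a, b) for i, a in enumerate(doms) for b in doms[i + 1:]
            if ranges[a][0] <= ranges[b][1] and ranges[b][0] <= ranges[a][1]]

def groupmap(text):
    """Parse 'net groupmap list' output into {sid: (nt_name, unix_side)}."""
    pat = re.compile(r"^(.+?) \((S-[\d-]+)\) -> (.+)$")
    return {m.group(2): (m.group(1), m.group(3).strip())
            for m in map(pat.match, text.splitlines()) if m}

def unresolved(text, ranges):
    """List mappings whose Unix side is a bare gid, with the idmap domain owning it."""
    found = []
    for sid, (name, unix) in sorted(groupmap(text).items()):
        if unix.isdigit():
            owner = next((d for d, (lo, hi) in ranges.items() if lo <= int(unix) <= hi), None)
            found.append((name, sid, int(unix), owner))
    return found
```

On the thread's data, both bare gids (2000 and 2001) land in the `*` range rather than the ADDOM range, and the two configured ranges do not overlap.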