samba - May 2022 - What is the Uid in smbstatus command?

On Wed, 2022-05-11 at 13:16 +0000, Jim Brand wrote:
> You should remove 'winbind' from the shadow line, it isn't
required
> and can do strange things.
> I removed winbind from the shadow line.
> 
> You are using the 'rid' idmap backend and this calculates the Unix
ID
> from the RID along with the low range set in smb.conf (in your case
> '1000'), but any that end up higher than the high range (in your
case
> '2999999') will be ignored, could this be your problem ?
> 
> I don't think so.   wbinfo -n shows RID = 6880, my uid = 3578 which
> should be in range.
There is a problem with your uid, in your smb.conf you posted this:

idmap config MYGROUP : backend = rid
idmap config MYGROUP : range = 1000-2999999

The 'rid' idmap backend calculates the ID from the RID + the low range
set in smb.conf with this formula:

ID = RID + LOW_RANGE_ID

So, in your case:

ID = 6880 + 1000

ID = 7880

You are saying that your uid (or ID) is '3578', but :

3578 != 7880

So where is it coming from ????

> For reference 'smbstatus' on all servers, working or not, CentOS 6
or
> 7 shows correct user in the
> "PID     Username      Group         Machine"
> 
> section, but under
> "Locked files:"
> always shows a number that doesn't seem to correlate to
> anything.   Is that correct behavior?
> 
> Dumb question:  Using 'rid' idmap backend, should files be created
> with the user's UID that is in AD, or RID + offset?
See above, but the UID should be mapped to the users name.
>    I would rather use ad backend but I've never gotten that to work
> reliably except in CentOS 7.
It has worked reliably for myself since 2012, you just have to
understand that users must have a uidnumber attribute, groups must have
a gidNumber attribute and all of these attributes must contain numbers
inside the 'DOMAIN' range you set in smb.conf

Rowland

There is a problem with your uid, in your smb.conf you posted this:

You are saying that your uid (or ID) is '3578', but :

3578 != 7880

So where is it coming from ????

3578 is UID from AD and local on the box.   Our organization requires local
userids on all servers(!)  The only time we join AD on Linux is for Samba.

Since our Samba files normally match UID/GID in /etc/passwd, not RID + Offset I
assume ' backend = rid' has never worked properly.  Since we want UIDs
to match /etc/passwd I'm going to try again to get Samba working with ad
backend.

Or we can stick with
    security = DOMAIN
which gives us the desired behavior.   Only problem is when servers reboot we
have to rejoin the domain.   Security = ADS solved that.


Thanks,
Jim




This email and any attachments may contain information that is confidential
and/or privileged for the sole use of the intended recipient. Any use, review,
disclosure, copying, distribution or reliance by others, and any forwarding of
this email or its contents, without the express permission of the sender is
strictly prohibited by law. If you are not the intended recipient, please
contact the sender immediately, delete the e-mail and destroy all copies.