samba - Oct 2022 - Change (fix) idmap config

Hi.
We made a mistake in configuring two file servers, by putting the realm instead
of the workgroup in idmap config (below). For this reason, now we get different
ids when running `getent passwd`?on the two servers...
What's the best way to recover, considering we have users connecting via
shares and ssh? Unjoin the server, adjust config, join again, chown?

thanks

   workgroup = LIGHT
   realm = WDC.DOMAIN.IT
   security = ads
   idmap config * : range = 16777216-33554431
   winbind separator = +
   template homedir = /home/%U
   template shell = /bin/bash
   kerberos method = secrets only
   winbind use default domain = true
   winbind offline logon = false
#--authconfig--end-line--
  idmap config *:backend = tdb
  idmap config *:range = 700001-800000
  idmap config WDC.DOMAIN.IT:backend  = rid
  idmap config WDC.DOMAIN.IT:range  = 10000-700000

-- 
Lorenzo Milesi - lorenzo.milesi at yetopen.com 
CTO @ YetOpen Srl
YetOpen - https://www.yetopen.com/

Corso Martiri della Liberazione 114 - 23900 Lecco - ITALY - | 4801 Glenwood
Avenue - Suite 200 - Raleigh, NC 27612 - USA -
Tel +39 0341 220 205 - info.it at yetopen.com  | Phone +1 919-817-8106 - info.us
at yetopen.com

Think green - Non stampare questa e-mail se non necessario / Don't print
this email unless necessary

-------- D.Lgs. 196/2003 e GDPR 679/2016 --------
Tutte le informazioni contenute in questo messaggio sono riservate ed a uso
esclusivo del destinatario.
Tutte le informazioni ivi contenute, compresi eventuali allegati, sono da
ritenere confidenziali e riservate secondo i termini
del vigente D.Lgs. 196/2003 in materia di privacy e del Regolamento europeo
679/2016 - GDPR - e quindi ne e' proibita l'utilizzazione ulteriore non
autorizzata.
Nel caso in cui questo messaggio Le fosse pervenuto per errore, La invitiamo ad
eliminarlo senza copiarlo, stamparlo, a non inoltrarlo a terzi e ad avvertirci
non appena possibile.
Grazie.

Confidentiality notice: this email message including any attachment is for the
sole use of the intended recipient and may contain confidential and privileged
information;
pursuant to Legislative Decree 196/2003 and the European General Data Protection
Regulation 679/2016 - GDPR - any unauthorized review, use, disclosure or
distribution
is prohibited. If you are not the intended recepient please delete this message
without copying, printing or forwarding it to others, and alert us as soon as
possible.
Thank you.

On 14/10/2022 15:45, Lorenzo Milesi via samba wrote:
> Hi.
> We made a mistake in configuring two file servers, by putting the realm
instead of the workgroup in idmap config (below). For this reason, now we get
different ids when running `getent passwd`?on the two servers...
> What's the best way to recover, considering we have users connecting
via shares and ssh? Unjoin the server, adjust config, join again, chown?
> 
> thanks
> 
>     workgroup = LIGHT
>     realm = WDC.DOMAIN.IT
>     security = ads
>     idmap config * : range = 16777216-33554431
>     winbind separator = +
>     template homedir = /home/%U
>     template shell = /bin/bash
>     kerberos method = secrets only
>     winbind use default domain = true
>     winbind offline logon = false
> #--authconfig--end-line--
>    idmap config *:backend = tdb
>    idmap config *:range = 700001-800000
>    idmap config WDC.DOMAIN.IT:backend  = rid
>    idmap config WDC.DOMAIN.IT:range  = 10000-700000
> 
I take it that all your users now have ID's in the 700001-800000 range. 
You can just change the last two lines to use the NetBIOS domain name 
(aka workgroup) and restart Samba, but this is going to change all your 
user & group ID's on that Unix domain member.

I would also remove the first 'idmap config *' line, luckily it will 
have been overridden by the second one.

Your other method will be to create a new Unix domain member with a 
correct smb.conf and then get your users to copy the files etc across 
via Samba.

If you are going to use authconfig on red-hat, I would suggest you run 
it first (before starting Samba), then fix its many mistakes.

Rowland