>On 14/12/2022 10:26, Balke IT via samba wrote:
>>> Let's see if I have got this correct:
>>
>>> Your computer is joined to an AD domain.
>>> You have users in AD with uidNumber attributes.
>>> Domain Users has a gidNumber attribute.
>>> All these '*idNumber' attributes hold numbers inside the
>>> '1001-116999' range.
>>
>>> Is all that correct ?
>>
>>> Can you also post your entire smb.conf?
>>
>>> Rowland
>>
>> Yes, all these are correct including the "Domain Users" which
>> has the gid of 100 which points to the local "users" group.
>That could be part of your problem.
>
>If you use the 'ad' idmap backend on a Unix domain member, all uidNumber
>and gidNumber attributes must contain a number inside the DOMAIN range
>you set in smb.conf (in your case 1001-116999) and '100' isn't inside
>your range. What could be happening here is, the users that are having
>problems do not have a gidNumber attribute. They are falling back to the
>primary group 'Domain Users', which, for all intents and purposes, does
>not have a valid gidNumber. This means that, to the 'DOMAIN' domain,
>they do not exist, so they are mapped to the default '*' domain and are
>denied access.
>
>Can you please reply to this post, rather than posting a new post, which
>is what you appear to be doing; this breaks threads.
>
>Rowland

Sorry, but I have no idea why my mailer is destroying the thread. But about the
problem with idmap_id:

We use idmap_ad because until recently we had the configuration with Windows SFU
(in the meantime migrated to rfc2307) and older Samba, which was working
perfectly fine. As there are thousands of files on three different servers we
cannot simply switch the userids.

Tried new groupids starting from 1001, put them into the ads-attributes but
still no luck. Some users can correctly access the shares and some can't.

Best Regards
Matthias Mueller
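
Added example (not part of the original message or the Samba project): a small audit of exported AD id attributes against the idmap range, following the fallback to the primary group's gidNumber as described in the quoted reply. The range 1001-116999 and the gid 100 on "Domain Users" come from the thread; every other name and number is constructed sample data.

```python
# Audit uidNumber/gidNumber values against the idmap 'ad' range.
# The fallback rule (user without gidNumber -> primary group's gidNumber)
# models the explanation in the quoted reply; it is an assumption of this
# example, not a reimplementation of winbind.

IDMAP_RANGE = (1001, 116999)  # DOMAIN range quoted in the thread

# Constructed sample data, as it might be exported from AD.
GROUPS = {
    "Domain Users": {"gidNumber": 100},   # value stated in the thread
    "staff": {"gidNumber": 2000},         # hypothetical group
}
USERS = [
    {"name": "alice", "uidNumber": 1500, "gidNumber": 2000, "primaryGroup": "Domain Users"},
    {"name": "bob", "uidNumber": 1501, "gidNumber": None, "primaryGroup": "Domain Users"},
    {"name": "carol", "uidNumber": 500, "gidNumber": 2000, "primaryGroup": "staff"},
]

def in_range(value, id_range=IDMAP_RANGE):
    """True only for a present id inside the inclusive idmap range."""
    return value is not None and id_range[0] <= value <= id_range[1]

def audit(users, groups, id_range=IDMAP_RANGE):
    """Return {object: [problems]} for every user/group with an unusable id."""
    findings = {}
    for name, group in groups.items():
        gid = group.get("gidNumber")
        if not in_range(gid, id_range):
            findings["group:" + name] = [f"gidNumber {gid} outside {id_range}"]
    for user in users:
        problems = []
        uid = user.get("uidNumber")
        if not in_range(uid, id_range):
            problems.append(f"uidNumber {uid} outside {id_range}")
        gid, source = user.get("gidNumber"), "own gidNumber"
        if gid is None:  # no gidNumber on the user: fall back to primary group
            source = "primary group " + user["primaryGroup"]
            gid = groups.get(user["primaryGroup"], {}).get("gidNumber")
        if not in_range(gid, id_range):
            problems.append(f"gid {gid} from {source} outside {id_range}")
        if problems:
            findings["user:" + user["name"]] = problems
    return findings

if __name__ == "__main__":
    for obj, problems in sorted(audit(USERS, GROUPS).items()):
        print(obj, "->", "; ".join(problems))
```
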