samba - May 2023 - Move default idmap range on ctdb cluster

Hi,

we are running a CTDB Cluster with samba for several years with the following
idmap ranges:

idmap config * : backend = tdb
idmap config *:range = 208000-209999

idmap config fzj:schema_mode = rfc2307
idmap config fzj:default = yes
idmap config fzj:backend = ad
idmap config fzj:range = 2000-200000

Recently we created the first user in Active Directory with an uid abvor 200000
and i need to increase the fzj:range accordingly. Unfortunately the *:range is
in the way. To my understanding the *:range is for the local Builtin Users of
the Samba Server like ?Administrator? which we are not using at all. All
permissions and ownerships refer to Users/Groups in our ActiveDirectory.

Is it safe to change  idmap config *:range from "208000-209999? to
"1600-1999? and increase idmap config fzj:range from "2000-200000? to
?2000-400000?? Any sideffects i need to worry about (like rebuilding tdbs etc.)
or CTDB specific measures i have to take?

Best regards
Felix
---------------------------------------------------------------------------------------------
---------------------------------------------------------------------------------------------
Forschungszentrum Juelich GmbH
52425 Juelich
Sitz der Gesellschaft: Juelich
Eingetragen im Handelsregister des Amtsgerichts Dueren Nr. HR B 3498
Vorsitzender des Aufsichtsrats: MinDir Volker Rieke
Geschaeftsfuehrung: Prof. Dr.-Ing. Wolfgang Marquardt (Vorsitzender),
Karsten Beneke (stellv. Vorsitzender), Prof. Dr.-Ing. Harald Bolt,
Dr. Astrid Lambrecht, Prof. Dr. Frauke Melchior
---------------------------------------------------------------------------------------------
---------------------------------------------------------------------------------------------

On 23/05/2023 10:55, Stolte, Felix via samba wrote:
> Hi,
> 
> we are running a CTDB Cluster with samba for several years with the
following idmap ranges:
> 
> idmap config * : backend = tdb
> idmap config *:range = 208000-209999
> 
> idmap config fzj:schema_mode = rfc2307
> idmap config fzj:default = yes
> idmap config fzj:backend = ad
> idmap config fzj:range = 2000-200000
> 
> Recently we created the first user in Active Directory with an uid abvor
200000 and i need to increase the fzj:range accordingly. Unfortunately the
*:range is in the way. To my understanding the *:range is for the local Builtin
Users of the Samba Server like ?Administrator? which we are not using at all.
All permissions and ownerships refer to Users/Groups in our ActiveDirectory.
> 
> Is it safe to change  idmap config *:range from "208000-209999? to
"1600-1999? and increase idmap config fzj:range from "2000-200000? to
?2000-400000?? Any sideffects i need to worry about (like rebuilding tdbs etc.)
or CTDB specific measures i have to take?
> 
> Best regards
> Felix
Do you have any files or directories owned by any of the Well Known Sids 
or any users or groups from a Domain that isn't 'FZJ' ?

If you haven't, then you should be okay.

I said years ago, putting the default domain range above the main 
'DOMAIN' range was a very bad idea.

Rowland