[Samba] idmap_ad
I'm trying to figure out how to configure idmap_ad to *not* map anything
that does not have a UID assigned by Active Directory. I do not like
randomly allocated UIDs appearing on my systems and would prefer to
drive these out centrally. Setting the idmap ranges to nothing seems to
cause an error.
How can I do this?
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/listinfo/samba
-
Re: [Samba] idmap_ad
On Wed, 2007-06-13 at 12:38 -0500, Jerome Haltom wrote:
> I'm trying to figure out how to configure idmap_ad to *not* map anything
> that does not have a UID assigned by Active Directory. I do not like
> randomly allocated UIDs appearing on my systems and would prefer to
> drive these out centrally. Setting the idmap ranges to nothing seems to
> cause an error.
>
> How can I do this?
Samba version?
smb.conf?
Simo.
--
Simo Sorce
Samba Team GPL Compliance Officer
email: idra@samba.org
http://samba.org
-
Re: [Samba] idmap_ad
3.0.24-2ubuntu1
[global]
smb ports = 445
workgroup = ISI
realm = AD.ISILLC.COM
server string = %h server (Samba, Ubuntu)
security = ADS
obey pam restrictions = Yes
passdb backend = tdbsam
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n *password\supdated\ssuccessfully* .
use kerberos keytab = Yes
log level = 10
syslog = 0
log file = /var/log/samba/log.%m
max log size = 1000
disable netbios = Yes
dns proxy = No
ldap ssl = no
panic action = /usr/share/samba/panic-action %d
idmap backend = ad
idmap uid =
idmap gid =
template homedir = /home/%U
winbind nss info = sfu
winbind refresh tickets = Yes
winbind offline logon = Yes
invalid users = root
[printers]
comment = All Printers
path = /var/spool/samba
create mask = 0700
printable = Yes
browseable = No
[print$]
comment = Printer Drivers
path = /var/lib/samba/printers
[backup]
path = /srv/backup
valid users = @admin, ISI\jhaltom, ISI\BackupExec, ISI\SQLServer
read only = No
create mask = 0770
[2007/06/13 13:27:29, 0] nsswitch/winbindd_util.c:winbindd_param_init(787)
winbindd: idmap uid range missing or invalid
[2007/06/13 13:27:29, 0] nsswitch/winbindd_util.c:winbindd_param_init(788)
winbindd: cannot continue, exiting.
I've tried various combinations of idmap. It actually seems to sort of
work if I map the range 1-1, but I doubt this is appropriate.
On Wed, 2007-06-13 at 14:15 -0400, simo wrote:
> On Wed, 2007-06-13 at 12:38 -0500, Jerome Haltom wrote:
> > I'm trying to figure out how to configure idmap_ad to *not* map anything
> > that does not have a UID assigned by Active Directory. I do not like
> > randomly allocated UIDs appearing on my systems and would prefer to
> > drive these out centrally. Setting the idmap ranges to nothing seems to
> > cause an error.
> >
> > How can I do this?
>
> Samba version?
> smb.conf?
>
> Simo.
>
-
Re: [Samba] idmap_ad
On Wed, 2007-06-13 at 13:29 -0500, Jerome Haltom wrote:
>
> I've tried various combinations of idmap. It actually seems to sort of
> work if I map the range 1-1, but I doubt this is appropriate.
Just map the same range you use on ad.
The ad backend is read only; no ids can be mapped.
Otherwise switch to post 3.0.25 where we have rewritten the idmap
subsystem and this kind of thing is handled much better.
Simo.
--
Simo Sorce
Samba Team GPL Compliance Officer
email: idra@samba.org
http://samba.org
-
Re: [Samba] idmap_ad
On Wed, 2007-06-13 at 14:41 -0400, simo wrote:
>
> Just map the same range you use on ad.
> The ad backend is read only; no ids can be mapped.
So, no matter what ranges I map, it will never produce local UID
assignments? Okay. Somehow I was fooled into thinking it would. The
question is withdrawn and irrelevant then.
>
> Otherwise switch to post 3.0.25 where we have rewritten the idmap
> subsystem and this kind of thing is handled much better.
Nice.
>
> Simo.
>
Thanks!
-
Re: [Samba] idmap_ad
On Wed, 2007-06-13 at 13:47 -0500, Jerome Haltom wrote:
> On Wed, 2007-06-13 at 14:41 -0400, simo wrote:
> >
> > Just map the same range you use on ad.
> > The ad backend is read only; no ids can be mapped.
>
> So, no matter what ranges I map, it will never produce local UID
> assignments? Okay. Somehow I was fooled into thinking it would. The
> question is withdrawn and irrelevant then.
It will not assign local UID but you will hit AD pretty hard as in
3.0.24 we don't have negative caching in idmap.
I suggest you try 3.0.25a (b coming out soon as well)
Simo.
--
Simo Sorce
Samba Team GPL Compliance Officer
email: idra@samba.org
http://samba.org
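-
Added example, not part of the original thread or of Samba: a small pre-flight check for the situation discussed above. It reports an empty or malformed `idmap uid` / `idmap gid` range (the condition behind the winbindd error in the thread) and lists AD `uidNumber` values that fall outside the configured range, following the advice to map the same range used in AD. The `low-high` validity rule, the 10000-20000 range and the sample accounts are assumptions made for illustration.

```python
import re

# Constructed sample input: the idmap lines from the thread's [global] section,
# and a corrected variant. The 10000-20000 range is an assumed example value.
BROKEN = "[global]\nidmap backend = ad\nidmap uid =\nidmap gid =\n"
FIXED = ("[global]\nidmap backend = ad\n"
         "idmap uid = 10000-20000\nidmap gid = 10000-20000\n")
# Constructed uidNumber values as they might be exported from AD (hypothetical).
SAMPLE_UIDS = {"alice": 10001, "svc_backup": 500}

def global_params(text):
    """Return {name: value} for the [global] section of an smb.conf string."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            section = m.group(1).strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            # Normalise case and inner whitespace of the parameter name.
            params[" ".join(key.lower().split())] = value.strip()
    return params

def parse_range(value):
    """Parse 'low-high'; return (low, high), or None if missing or invalid."""
    m = re.fullmatch(r"(\d+)\s*-\s*(\d+)", value or "")
    if not m:
        return None
    low, high = int(m.group(1)), int(m.group(2))
    return (low, high) if low <= high else None

def check_idmap(conf_text, ad_uids):
    """List problems: invalid ranges, and AD uidNumbers outside 'idmap uid'."""
    params = global_params(conf_text)
    problems = [f"{name}: range missing or invalid"
                for name in ("idmap uid", "idmap gid")
                if parse_range(params.get(name)) is None]
    uid_range = parse_range(params.get("idmap uid"))
    if uid_range:
        problems += [f"{user}: uidNumber {uid} outside idmap uid range"
                     for user, uid in sorted(ad_uids.items())
                     if not uid_range[0] <= uid <= uid_range[1]]
    return problems

if __name__ == "__main__":
    for label, conf in (("broken", BROKEN), ("fixed", FIXED)):
        print(label, check_idmap(conf, SAMPLE_UIDS))
```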