[Samba] idmap_ad - Samba


  1. [Samba] idmap_ad

    I'm trying to figure out how to configure idmap_ad to *not* map anything
    that does not have a UID assigned by Active Directory. I do not like
    randomly allocated UIDs appearing on my systems and would prefer to
    drive these out centrally. Setting the idmap ranges to nothing seems to
    cause an error.

    How can I do this?

    --
    To unsubscribe from this list go to the following URL and read the
    instructions: https://lists.samba.org/mailman/listinfo/samba

  2. Re: [Samba] idmap_ad

    On Wed, 2007-06-13 at 12:38 -0500, Jerome Haltom wrote:
    > I'm trying to figure out how to configure idmap_ad to *not* map anything
    > that does not have a UID assigned by Active Directory. I do not like
    > randomly allocated UIDs appearing on my systems and would prefer to
    > drive these out centrally. Setting the idmap ranges to nothing seems to
    > cause an error.
    >
    > How can I do this?


    Samba version?
    smb.conf?

    Simo.

    --
    Simo Sorce
    Samba Team GPL Compliance Officer
    email: idra@samba.org
    http://samba.org


  3. Re: [Samba] idmap_ad

    3.0.24-2ubuntu1



    [global]
    smb ports = 445
    workgroup = ISI
    realm = AD.ISILLC.COM
    server string = %h server (Samba, Ubuntu)
    security = ADS
    obey pam restrictions = Yes
    passdb backend = tdbsam
    passwd program = /usr/bin/passwd %u
    passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n *password\supdated\ssuccessfully* .
    use kerberos keytab = Yes
    log level = 10
    syslog = 0
    log file = /var/log/samba/log.%m
    max log size = 1000
    disable netbios = Yes
    dns proxy = No
    ldap ssl = no
    panic action = /usr/share/samba/panic-action %d
    idmap backend = ad
    idmap uid =
    idmap gid =
    template homedir = /home/%U
    winbind nss info = sfu
    winbind refresh tickets = Yes
    winbind offline logon = Yes
    invalid users = root

    [printers]
    comment = All Printers
    path = /var/spool/samba
    create mask = 0700
    printable = Yes
    browseable = No

    [print$]
    comment = Printer Drivers
    path = /var/lib/samba/printers

    [backup]
    path = /srv/backup
    valid users = @admin, ISI\jhaltom, ISI\BackupExec, ISI\SQLServer
    read only = No
    create mask = 0770




    [2007/06/13 13:27:29, 0] nsswitch/winbindd_util.c:winbindd_param_init(787)
      winbindd: idmap uid range missing or invalid
    [2007/06/13 13:27:29, 0] nsswitch/winbindd_util.c:winbindd_param_init(788)
      winbindd: cannot continue, exiting.



    I've tried various combinations of idmap. It actually seems to sort of
    work if I map the range 1-1, but I doubt this is appropriate.



    On Wed, 2007-06-13 at 14:15 -0400, simo wrote:
    > On Wed, 2007-06-13 at 12:38 -0500, Jerome Haltom wrote:
    > > I'm trying to figure out how to configure idmap_ad to *not* map anything
    > > that does not have a UID assigned by Active Directory. I do not like
    > > randomly allocated UIDs appearing on my systems and would prefer to
    > > drive these out centrally. Setting the idmap ranges to nothing seems to
    > > cause an error.
    > >
    > > How can I do this?

    >
    > Samba version?
    > smb.conf?
    >
    > Simo.
    >



  4. Re: [Samba] idmap_ad

    On Wed, 2007-06-13 at 13:29 -0500, Jerome Haltom wrote:
    >
    > I've tried various combinations of idmap. It actually seems to sort of
    > work if I map the range 1-1, but I doubt this is appropriate.


    Just map the same range you use on ad.
    The ad backend is read only no ids can be mapped.

    Otherwise switch to post 3.0.25 where we have rewritten the idmap
    subsystem and this kind of things are handled much better.

    Simo.

    --
    Simo Sorce
    Samba Team GPL Compliance Officer
    email: idra@samba.org
    http://samba.org


  5. Re: [Samba] idmap_ad

    On Wed, 2007-06-13 at 14:41 -0400, simo wrote:
    >
    > Just map the same range you use on ad.
    > The ad backend is read only no ids can be mapped.


    So, no matter what ranges I map, it will never produce local UID
    assignments? Okay. Somehow I was fooled into thinking it would. The
    question is withdrawn and irrelevant then.

    >
    > Otherwise switch to post 3.0.25 where we have rewritten the idmap
    > subsystem and this kind of things are handled much better.


    Nice.

    >
    > Simo.
    >


    Thanks!


  6. Re: [Samba] idmap_ad

    On Wed, 2007-06-13 at 13:47 -0500, Jerome Haltom wrote:
    > On Wed, 2007-06-13 at 14:41 -0400, simo wrote:
    > >
    > > Just map the same range you use on ad.
    > > The ad backend is read only no ids can be mapped.

    >
    > So, no matter what ranges I map, it will never produce local UID
    > assignments? Okay. Somehow I was fooled into thinking it would. The
    > question is withdrawn and irrelevant then.


    It will not assign local UID but you will hit AD pretty hard as in
    3.0.24 we don't have negative caching in idmap.

    I suggest you try 3.0.25a (b coming out soon as well)

    Simo.

    --
    Simo Sorce
    Samba Team GPL Compliance Officer
    email: idra@samba.org
    http://samba.org
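
Added example, not part of the original thread and not Samba code: a pre-deployment check for the 3.0.x-style `idmap uid` / `idmap gid` settings discussed above. It flags the empty range that made winbindd exit and a placeholder range such as 1-1 that does not cover the IDs assigned in AD. The AD range 10000-20000, the sample config and all function names are assumptions made for illustration.

```python
import re

# Constructed sample mirroring the [global] settings posted in the thread.
SAMPLE_CONF = """\
[global]
    security = ADS
    idmap backend = ad
    idmap uid =
    idmap gid = 1-1
[backup]
    path = /srv/backup
"""

def global_params(conf_text):
    """Return the [global] parameters of an smb.conf as a dict."""
    params, section = {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            section = m.group(1).strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            # Parameter names are case-insensitive; collapse repeated spaces.
            params[" ".join(key.lower().split())] = value.strip()
    return params

def parse_range(value):
    """Parse 'low-high' into a tuple, or None if missing or malformed."""
    m = re.fullmatch(r"(\d+)\s*-\s*(\d+)", value or "")
    if not m:
        return None
    low, high = int(m.group(1)), int(m.group(2))
    return (low, high) if low <= high else None

def check_idmap(conf_text, ad_range):
    """Compare idmap uid/gid with the ID range used in AD (assumed known)."""
    params, findings = global_params(conf_text), []
    for key in ("idmap uid", "idmap gid"):
        rng = parse_range(params.get(key))
        if rng is None:
            findings.append(f"{key}: range missing or invalid")
        elif rng[0] > ad_range[0] or rng[1] < ad_range[1]:
            findings.append(f"{key}: {rng[0]}-{rng[1]} does not cover AD range")
    return findings
```

Run `check_idmap()` against the real smb.conf text with the range your AD administrators actually assign; an empty result means both settings cover it.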
