linux
Alexander Semenenko, 2018-05-25 11:59:04

How to change the uid gid for domain users (idmap) after entering the samba domain?

I joined Samba (Version 4.5.12-Debian) to the domain; when setting it up I wrote:
idmap config * : range = 1422390000-1422399999
idmap config centr:schema_mode = rfc2307
idmap config centr:range = 1422390000-1422399999
idmap config centr:backend = hash
idmap config * : backend = ad
Everything works; getent passwd and wbinfo show the users. From Windows clients in the domain, folders open without a password.
Now, as an experiment, I changed the range 1422390000-1422399999 to 1442390000-1442399999, but the uid has not changed; it remains in the old range. I tried to leave and rejoin the domain, but it did not help. I tried changing the backend to different ones (tdb, hash), but nothing changes.
I think some file needs to be deleted after leaving the domain, so that it is created again on rejoining. But this is just an assumption.

2 answer(s)
Alexander Semenenko, 2018-05-30
@semenenko88

I will answer myself, in case you need it.
With this command, we look where we need to clean:
# smbd -b | egrep "LOCKDIR|STATEDIR|CACHEDIR|PRIVATE_DIR"
LOCKDIR: /usr/local/samba/var/lock/
STATEDIR: /usr/local/samba/var/locks/
CACHEDIR: /usr/local/samba/var/cache/
PRIVATE_DIR : /usr/local/samba/private/
And from all these directories we delete the .tdb and .ldb files. Winbind will no longer start because the files are gone; just rejoin the domain and the files will be created and winbind will start.

Andrej Gessel, 2018-07-31
@andiges

Maybe a little late, but the settings are not quite correct:
idmap config * : range = 1422390000-1422399999
idmap config centr:schema_mode = rfc2307 <- uidNumber/gidNumber must be set in AD
idmap config centr:range = 1422390000-1422399999
idmap config centr = hash <- must be "ad" because of rfc2307, especially as hash is deprecated ( https://www.samba.org/samba/docs/current/man-html/...
idmap config * : backend = ad <- line is not correct
idmap_ad is used so that several servers have the same uid/gid -> SID mappings; maybe you should use idmap_rid?
Well, as for the question: winbind has a cache and it just needed to be cleared, with "net cache flush", it seems.
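
A small lint for the idmap lines discussed in the second answer, as an added example that is not part of either answer or of Samba itself. It flags the points that answer raises (ad on the * default domain, the deprecated hash backend, schema_mode without the ad backend) and, as an addition based on Samba's documented requirement that idmap ranges must not overlap, overlapping ID ranges; the function names and the sample text are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: the idmap lines from the question, as they would sit in smb.conf.
SAMPLE = """\
[global]
idmap config * : range = 1422390000-1422399999
idmap config centr:schema_mode = rfc2307
idmap config centr:range = 1422390000-1422399999
idmap config centr:backend = hash
idmap config * : backend = ad
"""

LINE = re.compile(r"^\s*idmap config\s+(\S+?)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.I)

def parse_idmap(text):
    """Return {domain: {option: value}} for every 'idmap config' line."""
    domains = defaultdict(dict)
    for raw in text.splitlines():
        m = LINE.match(raw)
        if m:
            domain, option, value = m.groups()
            domains[domain][option.lower()] = value
    return dict(domains)

def check_idmap(text):
    """List the problems named in the second answer, plus overlapping ranges."""
    domains, findings, ranges = parse_idmap(text), [], []
    for name, opts in sorted(domains.items()):
        backend = opts.get("backend", "").lower()
        if name == "*" and backend == "ad":
            findings.append("*: default domain must not use the ad backend")
        if backend == "hash":
            findings.append(f"{name}: hash backend is deprecated")
        if opts.get("schema_mode") and backend != "ad":
            findings.append(f"{name}: schema_mode requires the ad backend")
        if "range" in opts:
            low, high = (int(x) for x in opts["range"].split("-"))
            ranges.append((low, high, name))
    ranges.sort()  # adjacent pairs are enough to detect an overlap
    for (_, high, a), (low, _, b) in zip(ranges, ranges[1:]):
        if low <= high:
            findings.append(f"{a} and {b}: ID ranges overlap")
    return findings

if __name__ == "__main__":
    for finding in check_idmap(SAMPLE):
        print(finding)
```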
