Active Directory
Denis Shavaleev, 2019-04-18 11:51:04

Samba idmap mappings keep getting lost, what could be the problem?

Good day!
Ran into some strange behaviour on a file server. For 3 weeks now, on the night from Wednesday to Thursday, user permissions on the network shares get lost. I looked into the logs and couldn't find anything there. But judging by the symptoms, it looks like the idmaps are being rewritten, i.e. for example, if DOMAIN\admin was originally mapped to 10000, then by Thursday morning it turns into DOMAIN\viktor.tsoy or DOMAIN\gruppa-krovi-na-rukave. The configs used by the samba - krb5 - nsswitch - winbind bundle are attached under spoilers. There were no problems joining the domain with this configuration. This is the only thing that is tormenting me.

smb.conf

[global]
security = ads
idmap config * : range = 10000-10000000
template homedir = /home/%U@%D
template shell = /bin/bash
kerberos method = system keytab
winbind use default domain = yes
winbind offline logon = yes
winbind enum users = yes
winbind enum groups = yes
inherit permissions = yes
inherit acls = yes
passdb backend = tdbsam
load printers = no
show add printer wizard = no
printcap name = /dev/null
disable spoolss = yes
domain master = no
local master = no
preferred master = no
os level = 1
log level = 3
log file = /var/log/samba/log.%m
workgroup = DOMAIN
realm = DOMAIN.LOCAL
idmap config * : backend = tdb
password server = cd.domain.local
winbind refresh tickets = yes
obey pam restrictions = no
[General]
path = /home/share/general
writeable = yes
browseable = yes
create mask = 0777
directory mask = 0777
valid users = "@пользователи домена", "@администраторы домена"
admin users = "@администраторы домена"
[Buhg]
path = /home/share/buhg
writeable = yes
browseable = yes
create mask = 0777
directory mask = 0777
valid users = "@buhg", "@администраторы домена"
admin users = "@администраторы домена"

krb5.conf

[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
dns_lookup_realm = true
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
rdns = false
default_realm = DOMAIN.LOCAL
default_ccache_name = KEYRING:persistent:%{uid}
dns_lookup_kdc = true
[realms]
DOMAIN.LOCAL = {
kdc = cd.domain.local
admin_server = cd.domain.local
default = DOMAIN.LOCAL
}
[domain_realm]
.domain.local = DOMAIN.LOCAL
domain.local = DOMAIN.LOCAL

nsswitch.conf

passwd: files winbind
shadow: files winbind
group: files winbind
hosts: files dns
bootparams: nisplus [NOTFOUND=return] files
ethers: files
netmasks: files
networks: files dns
protocols: files
rpc: files
services: files sss
netgroup: files sss
publickey: nisplus
automount: files
aliases: files nisplus

1 answer(s)
Rsa97, 2019-04-18
@Shavaleev_DieZ

Use rid; then the user's uid will be taken from the SID of the domain account (the part after the last dash).

idmap config NT AUTHORITY : base_rid = 0
idmap config NT AUTHORITY : range = 1200000-1299999
idmap config NT AUTHORITY : backend = rid
idmap config BUILTIN : base_rid = 0
idmap config BUILTIN : range = 1000000-1099999
idmap config BUILTIN : backend = rid
idmap config ваш_домен : base_rid = 100
idmap config ваш_домен : range = 100-999999
idmap config ваш_домен : backend = rid
idmap config ваш_домен : default = yes
idmap config * : range = 1300000-1999999
idmap config * : backend = rid
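An added example (not code from the question or the answer) showing why the rid backend cannot "drift" the way the questioner describes, and checking the ranges before deploying such a block. It parses the idmap lines from a constructed smb.conf fragment modelled on the answer, with the placeholder domain replaced by the hypothetical name DOMAIN and the default (*) domain kept on tdb as in the questioner's config; the rid formula is the one idmap_rid applies, ID = RID - BASE_RID + LOW_RANGE_ID.

```python
import re

# Constructed sample, modelled on the rid-based block in the answer. The
# placeholder domain is the hypothetical DOMAIN; the default (*) domain keeps
# the tdb backend that the questioner already uses.
SMB_CONF = """
[global]
idmap config BUILTIN : base_rid = 0
idmap config BUILTIN : range = 1000000-1099999
idmap config BUILTIN : backend = rid
idmap config DOMAIN : base_rid = 100
idmap config DOMAIN : range = 100-999999
idmap config DOMAIN : backend = rid
idmap config * : range = 1300000-1999999
idmap config * : backend = tdb
"""

IDMAP_RE = re.compile(r"^\s*idmap config\s+(.+?)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.I)

def parse_idmap(conf):
    """Collect every 'idmap config <dom> : <opt> = <val>' line into {dom: {opt: val}}."""
    doms = {}
    for line in conf.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            dom, opt, val = m.groups()
            doms.setdefault(dom.upper(), {})[opt.lower()] = val
    return doms

def rid_to_uid(doms, domain, rid):
    """idmap_rid is algorithmic: ID = RID - BASE_RID + LOW_RANGE_ID.
    Nothing is allocated or stored (unlike tdb, which hands out the next free
    id and remembers it), so the same SID always yields the same id."""
    d = doms[domain.upper()]
    low, high = map(int, d["range"].split("-"))
    uid = rid - int(d.get("base_rid", 0)) + low
    return uid if low <= uid <= high else None  # None: RID outside the range, stays unmapped

def check_ranges(doms, local_max_uid=999):
    """Flag idmap ranges that overlap each other or the local system account
    uids (0..local_max_uid, the usual SYS_UID_MAX), which would let a domain
    SID map onto a local account's uid."""
    ranges = {d: tuple(map(int, c["range"].split("-"))) for d, c in doms.items() if "range" in c}
    warnings = [f"{d}: range {lo}-{hi} overlaps local system uids"
                for d, (lo, hi) in ranges.items() if lo <= local_max_uid]
    names = sorted(ranges)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if ranges[a][0] <= ranges[b][1] and ranges[b][0] <= ranges[a][1]:
                warnings.append(f"{a} and {b}: ranges overlap")
    return warnings

if __name__ == "__main__":
    doms = parse_idmap(SMB_CONF)
    print("DOMAIN RID 1104 ->", rid_to_uid(doms, "DOMAIN", 1104))
    print("BUILTIN RID 544 ->", rid_to_uid(doms, "BUILTIN", 544))
    for w in check_ranges(doms):
        print("WARNING:", w)
```

Run against the sample, the checker warns that the DOMAIN range starting at 100 sits on top of local system uids (RID 500, the domain Administrator, would become uid 500), so a production range should start above the local accounts.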
