Don Piven wrote:
Sez Christoph Peus:
Hi everybody,
I've joined a fileserver running samba 3.0.24 to an AD domain using
winbind and noticed that samba maps the "users" group SID
(5-1-5-32-545) to gid 1001 automatically. This seems to conflict with
one of ~2000 mappings I had to "inject" in winbind's winbindd_idmap.tdb
by use of net idmap dump/restore, because the fileserver had millions
of files with certain uid/gid ownership from a local passwd/group
before I did the "net ads join". The gid 1001 was allocated to the
group "nawi" in /etc/group before.
I'm unsure now which problems could be caused by this regarding security.
Is it possible - and useful - to change this mapping to get a
"BUILTIN\users" group as expected?
Thanks!
Have you checked the "idmap" settings in your smb.conf? In particular,
"idmap uid" and "idmap gid" specify the range of uid/gid values used to
map to SIDs.
Thanks for the hint, but both are set to 1000-60000, which is - as far
as I know - the correct setting if domain users/groups SIDs shall
resolve to uids/gids of this range. I assume that winbind should avoid
using a uid/gid for BUILTIN-groups, which are already in use for a
domain group, but maybe I got something totally wrong here. It's
possible that I still haven't understood the idmap/groupmap scheme
completely yet...
Christoph
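
An added example, not part of the original thread: one way to audit the situation described above is to compare the mapping file that was injected against a fresh `net idmap dump`, and to flag mapped gids that `/etc/group` still owns. It assumes dump lines of the form `GID <id> <SID>` / `UID <id> <SID>`; all SIDs, ids and file contents below are constructed, and the function names are hypothetical.

```python
import re

# Constructed sample data (assumed 'net idmap dump' line format).
INTENDED = """\
GID 1000 S-1-5-21-1111111111-2222222222-3333333333-513
GID 1001 S-1-5-21-1111111111-2222222222-3333333333-1201
UID 1000 S-1-5-21-1111111111-2222222222-3333333333-1105
"""
CURRENT = """\
USER HWM 1001
GROUP HWM 1002
GID 1000 S-1-5-21-1111111111-2222222222-3333333333-513
GID 1001 S-1-5-32-545
UID 1000 S-1-5-21-1111111111-2222222222-3333333333-1105
"""
ETC_GROUP = "root:x:0:\nnawi:x:1001:\n"

LINE = re.compile(r"^(UID|GID)\s+(\d+)\s+(S-\d+(?:-\d+)+)\s*$")

def parse_idmap(text):
    """Return {(kind, id): sid}; HWM and unrecognised lines are skipped."""
    table = {}
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            table[(m.group(1), int(m.group(2)))] = m.group(3)
    return table

def parse_group(text):
    """Return {gid: name} from /etc/group-style text."""
    groups = {}
    for line in text.splitlines():
        parts = line.split(":")
        if len(parts) >= 3 and parts[2].isdigit():
            groups[int(parts[2])] = parts[0]
    return groups

def find_conflicts(intended_text, current_text, group_text):
    """Flag ids now bound to a different SID, and gids a local group also owns."""
    intended, local = parse_idmap(intended_text), parse_group(group_text)
    findings = []
    for (kind, num), sid in sorted(parse_idmap(current_text).items()):
        want = intended.get((kind, num))
        if want is not None and want != sid:
            findings.append(("remapped", kind, num, want, sid))
        if kind == "GID" and num in local:
            findings.append(("local-overlap", kind, num, local[num]))
    return findings

if __name__ == "__main__":
    print(*find_conflicts(INTENDED, CURRENT, ETC_GROUP), sep="\n")
```

A "remapped" finding means files owned by that gid are now attributed to a different SID than the one injected; a "local-overlap" finding means the same gid resolves through both `/etc/group` and winbind.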