AnrDaemon / samba4-ads


Resolve idmap mess #7

Open AnrDaemon opened 9 years ago

AnrDaemon commented 9 years ago
root@dc~# ldbsearch -s sub -H /var/lib/samba/private/sam.ldb '(|(gidnumber=*)(uidnumber=*))' gidnumber uidnumber | grep -i "^.idnumber" | cut -d" " -f 2 | sort -un
root@member~# getent group | cut -d: -f 3 | sort -un

Exclude UIDs 0 and 65534. Compare the lists. If the results are satisfactory, set the idmap range to include the lowest xid from the SAM database.
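An added example, not part of the original comment: a shell script that runs the comparison above on saved output of the two commands, reporting the lowest xid in SAM and the SAM gidNumbers the member server does not list. The file names, function names and sample records are assumptions constructed for illustration, as is reading "compare" as "find SAM gids missing on the member".

```shell
#!/bin/sh
# Added example, not from the issue. Inputs are saved output of the two commands:
#   sam.ldif   - the ldbsearch query run on the DC (before the grep/cut/sort)
#   groups.txt - `getent group` run on the member server

# Print the values of uidNumber (attr=uid) or gidNumber (attr=gid), minus 0 and 65534.
sam_ids() {
    grep -i "^${1}number:" "$2" | cut -d' ' -f2 | grep -vxE '0|65534' | sort -un
}

# Lowest xid of either kind; the idmap range has to include it.
lowest_xid() {
    { sam_ids uid "$1"; sam_ids gid "$1"; } | sort -un | head -n 1
}

# gidNumbers stored in SAM that the member server does not list.
gids_not_on_member() {
    seen=$(mktemp) || return 1
    cut -d: -f3 "$2" | sort -un > "$seen"
    sam_ids gid "$1" | awk 'FILENAME == ARGV[1] { have[$1]; next } !($1 in have)' "$seen" -
    rm -f "$seen"
}

# Constructed sample data (not from a real domain; LDIF records abbreviated).
demo=$(mktemp -d) && trap 'rm -rf "$demo"' EXIT
cat > "$demo/sam.ldif" <<'EOF'
dn: CN=Domain Users,CN=Users,DC=example,DC=test
gidNumber: 10000
dn: CN=Domain Admins,CN=Users,DC=example,DC=test
gidNumber: 10001
dn: CN=legacy,CN=Users,DC=example,DC=test
gidNumber: 512
dn: CN=alice,CN=Users,DC=example,DC=test
uidNumber: 10500
gidNumber: 10000
dn: CN=nobody,CN=Users,DC=example,DC=test
uidNumber: 65534
EOF
cat > "$demo/groups.txt" <<'EOF'
root:x:0:
nogroup:x:65534:
admin:x:110:
domain users:x:10000:
domain admins:x:10001:
EOF

echo "lowest xid in SAM: $(lowest_xid "$demo/sam.ldif")"
echo "SAM gids missing on member: $(gids_not_on_member "$demo/sam.ldif" "$demo/groups.txt")"
```

In the sample, gid 512 is both the lowest xid and the one the member does not list, which is the situation where the idmap range has not yet been extended down to it.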

AnrDaemon commented 9 years ago

Kerberos configuration may also cause a mess if the member server does not have the correct realm listed. So, beware.

AnrDaemon commented 9 years ago

/etc/pam.d - any file that mentions krb5 and minimum_uid may need to be changed to match your idmap range. MAY be. This is not necessary. If you, i.e., have legacy group ID maps within the 5xx range, do NOT touch the setting. Only change it, if

AnrDaemon commented 9 years ago
# visudo -f /etc/sudoers.d/domain
# Members of the "domain admins" group may do about anything.
# And rightfully so.
%domain\x20admins ALL=(ALL:ALL) ALL

AnrDaemon commented 9 years ago

http://serverfault.com/questions/285800/how-to-disable-ssh-login-with-password-for-some-users

AnrDaemon commented 9 years ago

# adduser --uid=499 --ingroup=admin localroot