On Wed, 24 Jan 2024, Rui Gomes via FreeIPA-users wrote:
> Hello Everyone,
>
> We are experiencing a strange error, where we have 2 ID ranges. The default
> one always worked well with Samba; we have added a second ID range that works
> perfectly for everything, but no user in that range can log in to Samba.
>
> All the users in the default ID range can authenticate with Samba, but no
> user on a lower ID 5000-10000 manages to authenticate, no obvious errors in
> the logs.
>
> Does this ring any bells? We have tried to force the Samba ID range; it made
> no difference.

If you are doing it similar to
https://freeipa.readthedocs.io/en/latest/designs/adtrust/samba-domain-mem...,
then your ranges need to be known to Samba through idmap configuration.
The problem here is that for a single domain idmap only supports one ID
range in Samba so you cannot say

    idmap config ${netbios_name} : range = ${range1_id_min} - ${range1_id_max}
    idmap config ${netbios_name} : range = ${range2_id_min} - ${range2_id_max}
    idmap config ${netbios_name} : range = ${range3_id_min} - ${range3_id_max}
    idmap config ${netbios_name} : range = ${range4_id_min} - ${range4_id_max}
    idmap config ${netbios_name} : backend = sss

You would need to choose a range that covers all those ranges together.

--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
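
Added example, not part of the thread: one way to derive the single covering range the reply describes from several IPA ID ranges, and to list the IDs that the covering range takes in although no IPA range allocates them. The input text is constructed in the style of `ipa idrange-find` output; the domain name `EXAMPLE` and all numbers are assumptions.

```python
import re

# Constructed sample in the style of `ipa idrange-find` output (values made up).
SAMPLE = """\
  Range name: EXAMPLE.TEST_id_range
  First Posix ID of the range: 1234000000
  Number of IDs in the range: 200000
  Range type: local domain range

  Range name: EXAMPLE.TEST_low_range
  First Posix ID of the range: 5000
  Number of IDs in the range: 5001
  Range type: local domain range
"""

def parse_ranges(text):
    """Return sorted (first_id, last_id) tuples, one per ID range block."""
    firsts = re.findall(r"First Posix ID of the range:\s*(\d+)", text)
    sizes = re.findall(r"Number of IDs in the range:\s*(\d+)", text)
    if len(firsts) != len(sizes):
        raise ValueError("unpaired base/size fields in input")
    return sorted((int(f), int(f) + int(s) - 1) for f, s in zip(firsts, sizes))

def covering_range(ranges):
    """Smallest single range that contains every given range."""
    if not ranges:
        raise ValueError("no ID ranges found")
    return min(lo for lo, _ in ranges), max(hi for _, hi in ranges)

def gaps(ranges):
    """Spans inside the covering range that belong to no IPA ID range."""
    out, cursor = [], covering_range(ranges)[0]
    for lo, hi in sorted(ranges):
        if lo > cursor:
            out.append((cursor, lo - 1))
        cursor = max(cursor, hi + 1)
    return out

def idmap_lines(netbios_name, ranges):
    # One range line per domain, as the reply explains, plus the sss backend.
    lo, hi = covering_range(ranges)
    return [f"idmap config {netbios_name} : range = {lo} - {hi}",
            f"idmap config {netbios_name} : backend = sss"]

if __name__ == "__main__":
    r = parse_ranges(SAMPLE)
    print("\n".join(idmap_lines("EXAMPLE", r)))
    for lo, hi in gaps(r):
        print(f"# note: {lo}-{hi} is inside the Samba range but in no IPA range")
```

The gap list is worth reviewing before widening the range: any other idmap domain configured in smb.conf must not overlap the covering range.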