Hello Everyone,
We are experiencing a strange error, where we have 2 ID ranges. The default one always worked well with samba; we have added a second ID range that works perfectly for everything, but no user in that range can log in to samba.
All the users in the default ID range can authenticate with samba, but no user on a lower ID 5000-10000 manages to authenticate, and there are no obvious errors in the logs.
Does this ring any bells? We have tried to force the samba ID range, but it made no difference.
Regards RG
On Wed, 24 Jan 2024, Rui Gomes via FreeIPA-users wrote:
> Hello Everyone,
> We are experiencing a strange error, where we have 2 ID ranges. The default one always worked well with samba; we have added a second ID range that works perfectly for everything, but no user in that range can log in to samba.
> All the users in the default ID range can authenticate with samba, but no user on a lower ID 5000-10000 manages to authenticate, and there are no obvious errors in the logs.
> Does this ring any bells? We have tried to force the samba ID range, but it made no difference.
If you are doing it similar to https://freeipa.readthedocs.io/en/latest/designs/adtrust/samba-domain-member..., then your ranges need to be known to Samba through idmap configuration.
The problem here is that for a single domain idmap only supports one ID range in Samba so you cannot say
    idmap config ${netbios_name} : range = ${range1_id_min} - ${range1_id_max}
    idmap config ${netbios_name} : range = ${range2_id_min} - ${range2_id_max}
    idmap config ${netbios_name} : range = ${range3_id_min} - ${range3_id_max}
    idmap config ${netbios_name} : range = ${range4_id_min} - ${range4_id_max}
    idmap config ${netbios_name} : backend = sss
You would need to choose a range that covers all those ranges together.
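The covering-range calculation from the reply above, as an added example that is not part of the original thread or of FreeIPA's own code. The NetBIOS name `EXAMPLE`, the default IPA range and the `*` domain range are constructed sample values; the overlap check assumes, as Samba's idmap configuration requires, that ranges of different idmap domains must not overlap.

```python
# Added example: all sample values are constructed, not taken from the thread.
from typing import Iterable

Range = tuple[int, int]  # inclusive (first_id, last_id)

def covering_range(ranges: Iterable[Range]) -> Range:
    """Smallest single range that contains every given ID range."""
    ranges = list(ranges)
    if not ranges:
        raise ValueError("at least one ID range is required")
    for lo, hi in ranges:
        if lo < 0 or hi < lo:
            raise ValueError(f"invalid range {lo}-{hi}")
    return min(lo for lo, _ in ranges), max(hi for _, hi in ranges)

def gaps(ranges: Iterable[Range]) -> list[Range]:
    """ID spans inside the covering range that no source range allocates."""
    out, cursor = [], None
    for lo, hi in sorted(ranges):
        if cursor is not None and lo > cursor + 1:
            out.append((cursor + 1, lo - 1))
        cursor = hi if cursor is None else max(cursor, hi)
    return out

def overlaps(a: Range, b: Range) -> bool:
    return a[0] <= b[1] and b[0] <= a[1]

def idmap_lines(netbios_name: str, ranges: list[Range],
                other_domains: dict[str, Range]) -> list[str]:
    """Render the single 'range' line Samba accepts for this domain."""
    cover = covering_range(ranges)
    for name, other in other_domains.items():
        # A covering range can swallow another idmap domain's range.
        if overlaps(cover, other):
            raise ValueError(
                f"covering range {cover} overlaps idmap domain {name!r} {other}")
    return [
        f"idmap config {netbios_name} : range = {cover[0]} - {cover[1]}",
        f"idmap config {netbios_name} : backend = sss",
    ]

if __name__ == "__main__":
    # Second range as described in the thread; default range is constructed.
    ipa_ranges = [(5000, 10000), (1234000000, 1234199999)]
    print("\n".join(idmap_lines("EXAMPLE", ipa_ranges, {"*": (2000, 2999)})))
    print("unallocated IDs also covered:", gaps(ipa_ranges))
```

The gap list shows which IDs the single range now admits even though no IPA ID range allocates them, which is worth reviewing before widening the range.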