Univention Bugzilla – Bug 44549
ID mapping range for "*" is not configurable
Last modified: 2017-05-24 10:48:03 CEST
The ID mapping range for "*" is not configurable, while the range for the domain ID mapping is. Both should not overlap, but if you set the domain mapping range via:

  # ucr set samba/idmap/<domain>/range='1000-549999'

this happens at once since you _cannot_ set also this:

  # ucr set 'samba/idmap/*/range'='550000-640000'

(you would have to change the following snippet from the template):

    print '\tidmap config * : backend\t= ldap'
--> print '\tidmap config * : range\t\t= 55000-64000'
    print '\tidmap config * : ldap_url\t= ldap://%s' % ' ldap://'.join(ldapserver)
    print '\tidmap config * : ldap_user_dn\t= %s' % (admindn)
    ## print '\tidmap config * : ldap_base_dn\t= cn=idmap,cn=univention,%s' % (ldap_base)

    # replacement for deprecated samba/winbind/trusted/domains/only=yes
    if configRegistry.get('windows/domain'):
        mydomain=configRegistry['windows/domain'].upper()
        defaultrange = '1000-54999'
        # try uppercase domain, then allow for lowercase, otherwise use defaultrange
        range = configRegistry.get('samba/idmap/%s/range' % mydomain, configRegistry.get('samba/idmap/%s/range' % mydomain.lower(), defaultrange))
        print '\tidmap config %s : backend = nss' % (mydomain, )
        print '\tidmap config %s : range = %s' % (mydomain, range)
    ### </idmap config v6 for Samba 3.6.0>

---------------------------------------------------------------------------------

The template should look like this:

--> default_range = configRegistry.get('samba/idmap/*/range', '55000-64000')
    print '\tidmap config * : backend\t= ldap'
--> print '\tidmap config * : range\t\t= %s' % default_range
    print '\tidmap config * : ldap_url\t= ldap://%s' % ' ldap://'.join(ldapserver)
    print '\tidmap config * : ldap_user_dn\t= %s' % (admindn)
    ## print '\tidmap config * : ldap_base_dn\t= cn=idmap,cn=univention,%s' % (ldap_base)

This is important for samba memberservers as the gid/uid<->SID mapping is done via winbind but the default range for the Domain has a range from 1000-54999. As soon as the uidNumber/gidNumber goes beyond 54999 (which is not unlikely in school environments) gid/uid<->SID mapping is broken.

added samba/idmap/range (samba/idmap/*/range is not allowed by ucslint :-( )

univention-samba: r79233 staging/univention-samba.yaml

Ok, works:

  ucr set samba/idmap/$(ucr get windows/domain)/range=1000-549999 \
    samba/idmap/range=550000-640000

I've added a note to the advisory explaining the purpose of this new variable.
<http://errata.software-univention.de/ucs/4.2/19.html>
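
A pre-flight check for the two ranges discussed in this bug, as an added example that is not part of the report or of univention-samba: it resolves the domain range with the same uppercase/lowercase fallback as the quoted template, reads the "*" range from samba/idmap/range, and reports overlaps and IDs that fall outside the domain range. The function names and the plain dict standing in for the UCR registry are assumptions.

```python
# Added example: a plain dict stands in for the UCR registry (assumption).
DEFAULT_DOMAIN_RANGE = '1000-54999'  # domain default quoted in the report
DEFAULT_STAR_RANGE = '55000-64000'   # "*" default quoted in the report


def parse_range(text):
    """Parse 'low-high' into (low, high); reject malformed or inverted input."""
    low, sep, high = text.strip().partition('-')
    if not sep or not low.isdigit() or not high.isdigit():
        raise ValueError('not a low-high range: %r' % text)
    low, high = int(low), int(high)
    if low > high:
        raise ValueError('inverted range: %r' % text)
    return low, high


def check_idmap(registry, domain, ids=()):
    """Return a list of problems with the idmap ranges for `domain`.

    `ids` are uidNumber/gidNumber values that winbind must be able to map.
    """
    key = 'samba/idmap/%s/range'
    dom_text = registry.get(
        key % domain.upper(),
        registry.get(key % domain.lower(), DEFAULT_DOMAIN_RANGE))
    star_text = registry.get('samba/idmap/range', DEFAULT_STAR_RANGE)
    try:
        dom = parse_range(dom_text)
        star = parse_range(star_text)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    # Two closed intervals overlap when each starts before the other ends.
    if dom[0] <= star[1] and star[0] <= dom[1]:
        problems.append('overlap: domain %s vs "*" %s' % (dom_text, star_text))
    for number in ids:
        if not dom[0] <= number <= dom[1]:
            problems.append('id %d outside domain range %s' % (number, dom_text))
    return problems


if __name__ == '__main__':
    # Constructed sample: only the domain range was widened, "*" left at default.
    widened = {'samba/idmap/SCHOOL/range': '1000-549999'}
    print(check_idmap(widened, 'school', ids=[60000]))
    # Both ranges set together, as in the verification comment.
    widened['samba/idmap/range'] = '550000-640000'
    print(check_idmap(widened, 'school', ids=[60000]))
```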