Hello, I am in the process of migrating from Core to SCALE. I installed my new server and had issues with the idmap AD range when joining my Samba AD domain.
In the past I probably made a mistake by assigning the Domain Administrators and Domain Users groups gidNumbers of 512 and 513 (to be consistent with their RIDs) in our Samba AD. Subsequently I had to tweak the configuration on our TrueNAS Core by adding "idmap config MYDOMAIN: range = 500-32768" to the advanced options, because the idmap range minimum value is 1000. It turns out that the TrueNAS SCALE interface does not allow you to add this parameter.
As I would like to do things properly, can I proceed as follows:
- modify the gidNumber in my Samba AD from 512/513 to 1512/1513 with ldbedit;
- on my TrueNAS Core, edit all directories and files with chgrp:
find . -gid 512 -print0 | xargs -0r chgrp 1512
Will this be enough without having to modify the NFSv4 ACLs?
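As an added worked example (not code from the original post, nor from TrueNAS or Samba), here is a Python pre-flight audit for the procedure above. It does two things: it walks a tree for paths whose owning group is the old gid (what the `find -gid` command covers), and it parses numeric NFSv4 ACL output (`getfacl -n` on Core, `nfs4xdr_getfacl -n` on SCALE) to flag explicit `group:<gid>` ACEs. Those are the entries chgrp does not touch: `group@` is resolved against the file's owning group, so chgrp re-points it, but an ACE that names the gid directly keeps the old number. The gid values 513/1513, the function names, the temporary demo tree and the sample ACL listing are all constructed for this example; the listing adds an explicit `group:513` entry that the thread's own output does not contain, precisely to show the case that needs an ACL rewrite.

```python
#!/usr/bin/env python3
"""Pre-flight audit for renumbering an AD group's gidNumber (hypothetical 513 -> 1513).

chgrp fixes the owning group of files and directories; group@ ACEs follow the
owning group, so they need no edit.  Only ACEs that name the gid explicitly
(group:513:...) survive a chgrp unchanged and must be rewritten.
"""
import os
import re
import tempfile

# One ACE as printed by `getfacl -n` (FreeBSD) or `nfs4xdr_getfacl -n` (SCALE):
#   tag[:who]:perms:flags:type   e.g.  group:513:rwxpDdaARWcCo-:-------:allow
ACE_RE = re.compile(
    r"^(?P<tag>owner@|group@|everyone@|user|group)(?::(?P<who>[^:]+))?"
    r":(?P<perms>[^:]+):(?P<flags>[^:]+):(?P<type>allow|deny)$"
)


def parse_nfs4_acl(text):
    """Return the ACEs in an NFSv4 ACL listing; '# file:' style header lines are ignored."""
    entries = []
    for line in text.splitlines():
        line = line.strip().lstrip("#").strip()
        m = ACE_RE.match(line)
        if m:
            entries.append(m.groupdict())
    return entries


def aces_naming_gid(text, gid):
    """Explicit group ACEs bound to the numeric gid.  group@ is deliberately excluded:
    it is evaluated against the file's owning group, so chgrp already re-points it."""
    return [e for e in parse_nfs4_acl(text) if e["tag"] == "group" and e["who"] == str(gid)]


def rewrite_acl_text(text, old_gid, new_gid):
    """The same ACE lines, in order, with group:<old_gid> replaced by group:<new_gid>,
    ready to feed to setfacl / nfs4xdr_setfacl.  user: entries are left alone."""
    out = []
    for e in parse_nfs4_acl(text):
        who = e["who"]
        if e["tag"] == "group" and who == str(old_gid):
            who = str(new_gid)
        head = e["tag"] if who is None else f"{e['tag']}:{who}"
        out.append(f"{head}:{e['perms']}:{e['flags']}:{e['type']}")
    return "\n".join(out)


def files_with_gid(root, gid):
    """Paths under root (root included) whose owning group is gid.  lstat is used so a
    symlink's own ownership is reported, not its target's; symlinked dirs are not entered."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for path in [dirpath] + [os.path.join(dirpath, n) for n in filenames]:
            try:
                if os.lstat(path).st_gid == gid:
                    hits.append(path)
            except FileNotFoundError:  # raced with a deletion; skip it
                continue
    return sorted(hits)


def regroup(paths, new_gid, dry_run=True):
    """chgrp each path (lchown, so symlinks are not followed).  With dry_run the list is
    returned untouched so the plan can be reviewed before re-running as root."""
    if not dry_run:
        for path in paths:
            os.lchown(path, -1, new_gid)
    return list(paths)


def gid_of(path):
    return os.lstat(path).st_gid


def demo_tree():
    """Constructed tree (not from the thread) so the walk can be exercised anywhere."""
    root = tempfile.mkdtemp(prefix="gidaudit-")
    os.makedirs(os.path.join(root, "SOUTENANCES"))
    for name in ("SOUTENANCES/.DS_Store", "notes.txt"):
        with open(os.path.join(root, name), "w") as fh:
            fh.write("x")
    return root


def audit_demo():
    """Run the walk on the demo tree, matching on whatever gid the tree was created with."""
    root = demo_tree()
    return files_with_gid(root, gid_of(root))


# Constructed listing: the thread's ACL shape plus one explicit group:513 ACE to show the
# case chgrp cannot fix (999 is the old local nasadmin uid/gid mentioned in the thread).
SAMPLE_ACL = """\
# file: SOUTENANCES/.DS_Store
# owner: 6069
# group: 513
user:999:rwxpDdaARWcCo-:-------:allow
owner@:rwxpDdaARWcCo-:-------:allow
group:999:rwxpDdaARWcCo-:-------:allow
group@:rwxpDdaARWcCo-:-------:allow
group:513:rwxpDdaARWcCo-:-------:allow
everyone@:rwxpDdaARWcCo-:-------:allow
"""

if __name__ == "__main__":
    OLD, NEW = 513, 1513
    print("ACEs that must be rewritten:", aces_naming_gid(SAMPLE_ACL, OLD))
    print(rewrite_acl_text(SAMPLE_ACL, OLD, NEW))
    print("would chgrp:", regroup(audit_demo(), NEW))
```

Run the audit as an unprivileged user first and only call `regroup(..., dry_run=False)` as root once the list looks right; apply the rewritten ACE lines with `setfacl` on Core or `nfs4xdr_setfacl` on SCALE, and do it on the source before replication so the ACLs carry over already renumbered.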
It depends on whether you used that gid in any ACLs. Perhaps you won’t need to change anything.
Thanks for your reply. ACL mode is set to Restricted, and I think that it is only used on files and directories created by users on Windows, which assigns the group to Domain Users.
On the source Core server I have:
root@xx:/mnt/vol1/xx/data # getent group ADM\\domain\ users
ADM\domain users:x:513
root@x:/mnt/vol1/xx/data # ls -ld ./SOUTENANCES/.DS_Store
-rwxrwxrwx+ 1 ADM\yyyyyy ADM\domain users 18436 Apr 22 2024 ./SOUTENANCES/.DS_Store
root@carioca:/mnt/vol1/carioca/data # ls -ldn ./SOUTENANCES/.DS_Store
-rwxrwxrwx+ 1 6069 513 18436 Apr 22 2024 ./SOUTENANCES/.DS_Store
root@x:/mnt/vol1/xx/data # getfacl ./SOUTENANCES/.DS_Store
# file: ./SOUTENANCES/.DS_Store
# owner: ADM\yyyyyy
# group: ADM\domain users
user:nasadmin:rwxpDdaARWcCo-:-------:allow
owner@:rwxpDdaARWcCo-:-------:allow
group:nasadmin:rwxpDdaARWcCo-:-------:allow
group@:rwxpDdaARWcCo-:-------:allow
everyone@:rwxpDdaARWcCo-:-------:allow
On the new Scale server (with datasets replicated):
root@zzzz[/mnt/vol1/xx/data]# getent group ADM\\domain\ users
ADM\domain users:x:1513:
root@rumba[/mnt/vol1/xx/data]# ls -ld ./SOUTENANCES/.DS_Store
-rwxrwxrwx 1 ADM\yyyy 513 18436 Apr 22 2024 ./SOUTENANCES/.DS_Store
root@rumba[/mnt/vol1/carioca/data]# nfs4xdr_getfacl ./SOUTENANCES/.DS_Store
# File: ./SOUTENANCES/.DS_Store
# owner: 6069
# group: 513
# mode: 0o100777
# trivial_acl: false
# ACL flags: none
user:netdata:rwxpDdaARWcCo-:-------:allow
owner@:rwxpDdaARWcCo-:-------:allow
group:docker:rwxpDdaARWcCo-:-------:allow
group@:rwxpDdaARWcCo-:-------:allow
everyone@:rwxpDdaARWcCo-:-------:allow
I think I will have to change my old local nasadmin user and group (id 999) to the truenas_admin local user and change the root ACL of the dataset.