Hello,
[This is a translated cross-post from the German section]
Does TrueNAS Core 12 allow changing the ranges in DirectoryServices -> ActiveDirectory -> Advanced -> Edit IDMap without re-joining the domain?
Are overlapping ranges allowed as in earlier releases?
Scenario:
For years I have been running two SMB servers on FreeNAS, currently 11.1U6 and 11.3U5. "NAS1" is the active server, while "NAS2" frequently receives replications to be ready as a fallback server. NAS2 is also used as a testbed for new releases. User accounts are queried from our pretty large Active Directory ("wbinfo -u" shows ~70'000 entries).
As NAS1 is getting to its hardware limits, I built a new "NAS3" based on TrueNAS Core 12 (started with 11.3U5 but had to update due to issue NAS-107821). After replication finished I found differences in ID mapping, resulting in broken ACLs on the new server. While our NAS1/2 use overlapping ID ranges for LDAP [10k .. 90M] and AD [20k .. 90M], the new 12.0 separates them as
- DS_TYPE_LDAP [20k .. 90M]
- DS_TYPE_DEFAULT_DOMAIN [90M+1 .. 100M]
- DS_TYPE_ACTIVEDIRECTORY [100M+1 .. 200M]
Unfortunately the search function did not find any documentation for Edit IDMAP.
Your help is appreciated!