Re: [Samba] Samba ADS-member-server: FQDNs in /etc/hosts

On Tue, 11 Jul 2017 12:58:14 +0200
"Stefan G. Weichinger" <lists@xxxxxxxx> wrote:

> On 2017-07-11 at 12:51, Rowland Penny wrote:
> > Well, that explains where '11029' is coming from, you are using the
> > 'rid' backend. The user's (or group's) ID will be calculated using this
> > formula:
> > 
> > 
> > BASE_RID is by default '0', so it becomes:
> > 
> > 
> > So, in your case it becomes
> > 
> > 11029 = 1029 + 10000
> wow
> Does that explain in some way why some users work and others not?
> And why that worked yesterday?

Could be.

> > Of course, using the 'rid' backend means that you do not need to add
> > anything to AD and you do not need this line in smb.conf:
> > 
> >   idmap config BUERO:schema_mode = rfc2307
> > 
> > Or you could just change 'idmap config BUERO:backend = rid' to
> > 'idmap config BUERO:backend = ad' and use the rfc2307 attributes in
> > AD.
> I would prefer not to have to decide this. You understand? ;-)

I think the decision has been made for you, if anything has been stored
on the DM, it will belong to the IDs that the 'rid' backend has
created/allocated to your users & groups.

> What's the recommendation here, I don't have a clue, I would just like
> to be able to change this to a working config without doing damage to
> active sessions, if possible. This is a productive environment right
> now.

If you want to use the 'ad' backend, you are going to have to do some
work. You will have to find out what is stored on the DM and who owns
it. You will then have to find (from AD) the correct ID number. Stop
Samba, change smb.conf, restart Samba then change the ownership of the
files etc.

> To me it sounds preferable to have everything in AD, right? At least
> that is what I expect from having all that: all in one place somehow

Having everything in AD gives you the possibility of using different
Unix home dirs etc. per person.

> -
> Can't remember exactly where rid comes from, I think it was a
> recommendation by Louis for my test VM (which then was migrated to
> this DC).

It should work, but only if the user's or group's RID + 10000 is inside
the range you have set in smb.conf (in your case 10000-99999).

You can change the upper number in the range to a higher number without
affecting anything else, but you will need to reload or restart Samba.

> Pls also advise if there are any additional steps needed for any of
> these solutions. I always feel unsure if and if not to add some ids
> and mappings somewhere ....

You could ensure that winbind is installed and running (I know it
probably is, but...)
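
The range check described in this message, as an added example that is not part of the original post or Samba's own code: it applies the thread's calculation (RID + 10000 with the default base RID of 0, generalised as RID - base_rid + low end of range, per idmap_rid(8)) to a list of SIDs and reports which ones fall outside the configured range. The SIDs and the function names are constructed for illustration.

```python
# Added example: which accounts can the 'rid' backend map with this range?
LOW, HIGH = 10000, 99999   # idmap range quoted in the thread
BASE_RID = 0               # default base RID, as stated in the thread

def rid_of(sid):
    """Return the RID (last sub-authority) of a domain SID such as S-1-5-21-a-b-c-RID."""
    parts = sid.strip().split("-")
    if len(parts) != 8 or parts[:4] != ["S", "1", "5", "21"]:
        raise ValueError("not a domain account SID: %r" % sid)
    return int(parts[-1])

def rid_to_id(rid, low=LOW, high=HIGH, base_rid=BASE_RID):
    """Unix ID the 'rid' backend would assign, or None if it is outside the range."""
    unix_id = rid - base_rid + low
    return unix_id if low <= unix_id <= high else None

def audit(sids, low=LOW, high=HIGH, base_rid=BASE_RID):
    """Return (sid, rid, unix_id_or_None) for every SID."""
    return [(s, rid_of(s), rid_to_id(rid_of(s), low, high, base_rid)) for s in sids]

def min_high_for(sids, low=LOW, base_rid=BASE_RID):
    """Smallest upper bound of the range that maps every SID in the list."""
    return max(rid_of(s) - base_rid + low for s in sids)

# Constructed sample SIDs (placeholder domain SID, not taken from the thread).
DOMAIN = "S-1-5-21-1111111111-2222222222-3333333333"
SAMPLE_SIDS = [DOMAIN + "-1029", DOMAIN + "-1105", DOMAIN + "-95000"]

if __name__ == "__main__":
    for sid, rid, unix_id in audit(SAMPLE_SIDS):
        status = unix_id if unix_id is not None else "OUTSIDE RANGE (no mapping)"
        print("%-50s RID %-6d -> %s" % (sid, rid, status))
    print("upper bound needed to map all:", min_high_for(SAMPLE_SIDS))
```

Real SIDs for the check can be obtained on the member server with `wbinfo -n 'BUERO\username'`.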


