Re: [Samba] domain member idmap wbinfo WBC_ERR_DOMAIN_NOT_FOUND

On Thu, 13 Jul 2017 09:42:52 +1000
Tom Robinson via samba <samba@xxxxxxxxxxxxxxx> wrote:


> 
> I'm still curious why these xidNumbers get mapped differently on the
> DM. Where does that happen and do I have any control over it?

The 'xidNumbers' are only used on a DC and they are issued on a
first-come basis; an unfortunate side effect of this is that users & groups
can get different numbers on every DC.
On a DM, the two main backends used are the 'ad' & 'rid'. The 'ad'
backend uses RFC2307 attributes stored in AD. The 'rid' backend
calculates the ID from the user or group RID, hence (provided you use
the same smb.conf on all Samba machines) you always get the same IDs.
No winbind backend on a DM uses the 'xidNumbers'.
 
> 
> >> from samba-tool ntacl sysvolcheck? I've now entertained the idea of
> >> changing the UIDs on the Samba3 NT Domain (involves a bit of work
> >> changing POSIX ownerships but is possible to do without much
> >> disruption - most of our permissions are grouped and GIDs start at
> >> 1000+). I could then redo the classic upgrade having the UIDs start
> >> at 1500+.
> > If you are going to do this, can I suggest '10000' as a starting
> > number, this is where ADUC (using the Unix Attributes tab) starts, I
> > would also renumber the groups as well.
> 
> Good advice. Thanks. I'm assuming that the ADUC groups defaults start
> at 10000 also.

Yes.

> 
> This looks attractive in so many ways. I'm concerned on a couple of
> levels, though.
> 
> * The OpenLDAP backend for Samba3 is also responsible for
>   authentication across our infrastructure:
>   ** NFS mounts for /home/<user> NFS exported from the Samba3 host
>      (multiple hosts mount this)
>   ** mail server authentication
>   ** Shares on Samba3

This is all possible on AD; I would also start making plans to replace
Samba 3.
 
> 
> If I do go to a new domain there's going to be a bit of juggling
> account authentication across multiple services running on multiple
> hosts. So it's not just about joining the new domain and resetting
> the password.

Yes, but you gain central authentication, i.e. the user and their
password are stored in one place, and if the password changes, you don't
have to change it in several places. It will also be more secure.

> 
> I'm beginning to think that going through the UID/GID changes first
> (i.e. on the Samba3 domain) may still be worthwhile.

Indeed this will probably be a good idea.

> 
> Ultimately I will migrate all the shared data to the new Samba4 DM
> and all authentication would go via the Samba4 DC.
> 
> Maybe I should start a new thread!

If you need more help, then yes, feel free to start a new thread ;-)

Rowland

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
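To make the difference Rowland describes concrete, here is an added example (not from the list post and not Samba code) that models the 'rid' backend's documented arithmetic (ID = RID - base_rid + low end of the range) against a constructed smb.conf, and contrasts it with first-come xidNumber allocation on a DC. The domain name, domain SID, helper names and the 3000000 starting xidNumber are assumptions for the model.

```python
# Added example (not from the list post): how the 'rid' idmap backend derives
# an ID from a SID, versus first-come xidNumber allocation on a DC.
import re

# Constructed smb.conf fragment for a domain member using the 'rid' backend.
# 'base_rid' is the backend's documented option; it defaults to 0.
SMB_CONF = """
[global]
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999
   idmap config EXAMPLE : backend = rid
   idmap config EXAMPLE : range = 10000-999999
"""

DOMAIN_SID = "S-1-5-21-1111-2222-3333"  # constructed domain SID (assumption)


def parse_idmap_config(conf, domain):
    """Return {'backend', 'low', 'high', 'base_rid'} for one domain's idmap config."""
    cfg = {"base_rid": 0}
    pat = re.compile(r"idmap config\s+(\S+)\s*:\s*(\w+)\s*=\s*(.+)")
    for line in conf.splitlines():
        m = pat.search(line.strip())
        if not m or m.group(1).upper() != domain.upper():
            continue
        key, val = m.group(2), m.group(3).strip()
        if key == "range":
            low, high = (int(x) for x in val.split("-"))
            cfg["low"], cfg["high"] = low, high
        elif key == "base_rid":
            cfg["base_rid"] = int(val)
        else:
            cfg[key] = val
    return cfg


def rid_backend_id(sid, cfg):
    """ID = RID - base_rid + low_range, as idmap_rid computes it. Returns None
    when the result falls outside the range (winbind then leaves the SID
    unmapped rather than inventing an ID) or the SID is from another domain."""
    domain_part, rid = sid.rsplit("-", 1)
    if domain_part != DOMAIN_SID:
        return None
    xid = int(rid) - cfg["base_rid"] + cfg["low"]
    return xid if cfg["low"] <= xid <= cfg["high"] else None


def dc_first_come_xids(sids_in_order, start=3000000):
    """Model of a DC's idmap.ldb: each newly seen SID takes the next free
    xidNumber, so the number depends on the order the DC first saw the SIDs."""
    return {sid: start + i for i, sid in enumerate(sids_in_order)}
```

Running rid_backend_id with the same smb.conf on two members yields the same ID for a given RID, whereas dc_first_come_xids on two DCs that met the same SIDs in a different order yields different xidNumbers, which is why the mailing-list advice is not to rely on xidNumbers from a DM.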