Web lists-archives.com

Re: [Samba] [samba] Winbindd without RFC2307 question




On Fri, 21 Jul 2017 11:58:15 +0200
mathias dufresne via samba <samba@xxxxxxxxxxxxxxx> wrote:


> And as you gave me information about RFC2307 already present into AD
> schema I will avoid the mess as I can use these attributes and then
> switch to: idmap config CENTORIAL:backend = ad
> idmap config CENTORIAL:schema_mode = rfc2307

Just make sure you use the correct syntax when setting up smb.conf,
there was a change from 4.6.0, see here:

https://wiki.samba.org/index.php/Samba_4.6_Features_added/changed

> 
> Here I think you meant the fact Samba uses xID concept for UID and
> GID and the fact in UNIX we can have same number used for one UID and
> one GID too. If my guess is correct, as AD's SID are necessary unique
> the issue would not happen as long as no UID/GID are manually
> declared into AD. If no manual declaration of xID in AD then all xID
> will be generated by mapping using RID method you described earlier.
> Or I missed something : )

xidNumber attributes are only used on a DC.
If no uidNumber attributes are found in AD, then the xidNumber will be
used on the DC, the same goes for gidNumber attributes

If you want to make a user or group visible on a Unix domain member,
then you can do this by using various means, the two main ones are the
winbind 'ad' & 'rid' backends. To use the 'ad' backend, you need to add
uidNumber & gidNumber attributes to AD, the xidNumber attributes found
in idmap.ldb on a DC will never be used.
To use the 'rid' backend entails just setting up the smb.conf correctly
on the Unix domain member, you do not add anything to AD, you will get
a different ID on a Unix domain member compared to the DC.


> I really owe you a beer ;)

Where do I collect it LOL

Rowland

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba