Re: [Samba] Windows pre-requisites for login with winbind?
- Date: Thu, 24 Aug 2017 10:55:26 +0000
- From: "A. James Lewis via samba" <samba@xxxxxxxxxxxxxxx>
- Subject: Re: [Samba] Windows pre-requisites for login with winbind?
Yes indeed.... I know a lot about the Linux side, but Windows is a bit of a mystery to me... and I have to confess to not knowing exactly how nss links various directory services into the system.... hence my comment earlier with "Password file entry" in quotes... I know it's not in the password file, and is amalgamated into the password "map", via nss, but I'm not sure what the correct terminology is for that.... "map" makes me think NIS, but I guess it could be extended to other directory services now.
One thing I would ask, especially given your earlier assistance with my configs... could you advise what would be required to allow logging in to multiple domains.
Existing configs included at the end:-
As far as I can see, so long as it can look up the _kerberos._tcp.DOMAIN2 record, I should not need to add anything to krb5.conf...
For smb.conf, clearly I need to add:-
idmap config DOMAIN2:backend = rid
idmap config DOMAIN2:range = 500000-800000
But do I need to add anything else to make that happen?
$ cat krb5.conf | ./anon.sh
default_realm = DOMAIN.LOCAL
dns_lookup_realm = false
dns_lookup_kdc = true
$ cat smb.conf | ./anon.sh
workgroup = DOMAIN
security = ADS
realm = DOMAIN.LOCAL
idmap config *:backend = tdb
idmap config *:range = 4000-4999
idmap config DOMAIN:backend = rid
idmap config DOMAIN:range = 5000-300000
winbind trusted domains only = no
winbind use default domain = yes
winbind refresh tickets = yes
template shell = /bin/bash
template homedir = /home/%D/%U
August 23, 2017 4:09 PM, "Rowland Penny via samba" <samba@xxxxxxxxxxxxxxx> wrote:
> On Wed, 23 Aug 2017 14:39:19 +0000
> "A. James Lewis" <james@xxxxxxxxxx> wrote:
>> OK, that is the answer, but can you explain what an "RID" is from a
>> Windows perspective?... I had thought that the mapping was not a 1-1,
>> and it appears it is, once the idmap range is taken into account.
>> idmap config DOMAIN:range = 5000-300000
>> My UIDs appear to be offset by 5000 from the RID... but I'd love to
>> know exactly what RID is.
>> Many thanks tho, I probably should have tried increasing this cap
> Not a problem. As you may or may not know, Unix uses numeric IDs to
> identify users & groups and names to identify domains. For instance
> 'SAMDOM\rowland' is a member of the SAMDOM domain with the id '10000'.
> Windows does something similar, it uses 'SID-RID' to identify users and
> groups, in fact anything.
> The SID identifies the domain and the RID identifies the object (which
> can be a user, group, etc.)
> A typical SID-RID will look like this:
> The SID is the 'S-1-5-21-1768301897-3342589593-1064908849' part
> The RID is the last part '1107'
> The SID is used extensively in the AD database and is always the same
> (in each AD)
> The RID is unique to the object and is never reused.
> I hope this helps you understand things a bit better.
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
A. James Lewis (james@xxxxxxxxxx)
"Engineering does not require science. Science helps a lot but people
built perfectly good brick walls long before they knew why cement works."
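As an added illustration (not code from the thread or from Samba itself), the following Python parses idmap config lines like the ones above, flags overlapping ranges (winbind refuses a config where domain ranges collide), and applies the idmap_rid arithmetic that Rowland's SID/RID explanation and the observed 5000 offset imply: uid = range low + RID, assuming idmap_rid's default base rid of 0. The DOMAIN2 SID is a constructed placeholder; the DOMAIN SID is the one quoted in the reply.

```python
import re

# Constructed smb.conf fragment: the thread's idmap lines plus the proposed DOMAIN2 lines.
SMB_CONF = """
idmap config *:backend = tdb
idmap config *:range = 4000-4999
idmap config DOMAIN:backend = rid
idmap config DOMAIN:range = 5000-300000
idmap config DOMAIN2:backend = rid
idmap config DOMAIN2:range = 500000-800000
"""
# Domain SIDs: the first is the one quoted in the thread, the second is a placeholder.
DOMAIN_SIDS = {
    "DOMAIN": "S-1-5-21-1768301897-3342589593-1064908849",
    "DOMAIN2": "S-1-5-21-111111111-222222222-333333333",
}
IDMAP_RE = re.compile(r"^\s*idmap config\s+([^:]+):(backend|range)\s*=\s*(\S+)", re.I)

def parse_idmap(conf):
    """Per-domain idmap settings, e.g. {'DOMAIN': {'backend': 'rid', 'range': (5000, 300000)}}."""
    domains = {}
    for line in conf.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            dom, key, val = m.group(1).strip(), m.group(2).lower(), m.group(3)
            entry = domains.setdefault(dom, {})
            if key == "range":
                low, high = val.split("-")
                entry["range"] = (int(low), int(high))
            else:
                entry["backend"] = val.lower()
    return domains

def overlapping_ranges(domains):
    """Adjacent (by low bound) domain pairs whose ranges overlap; winbind rejects such a config."""
    items = sorted((e["range"], d) for d, e in domains.items() if "range" in e)
    return [(items[i][1], items[i + 1][1])
            for i in range(len(items) - 1) if items[i][0][1] >= items[i + 1][0][0]]

def rid_to_uid(sid_rid, domains, domain_sids):
    """idmap_rid arithmetic: uid = range low + RID (base rid 0); None if outside the range."""
    domain_sid, _, rid = sid_rid.rpartition("-")   # 'S-1-5-21-...-1107' -> domain SID, RID
    for dom, entry in domains.items():
        if domain_sids.get(dom) == domain_sid and entry.get("backend") == "rid":
            uid = entry["range"][0] + int(rid)
            return uid if uid <= entry["range"][1] else None
    return None
```

A RID larger than the range width yields no mapping, which is the "cap" effect mentioned above, and the `*` default range stays separate because tdb allocates from it rather than computing from the RID.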