Web lists-archives.com

Re: [Samba] DM 3.6.25 -> 4.x




Am 2018-05-30 um 15:01 schrieb Rowland Penny via samba:

> There are three main winbind backends, but only two are really used on
> Unix domain members, the 'ad' and the 'rid' backends. Which you use is
> really down to a simple choice, do you want to add posix attrs to AD or
> not. If you don't want to add anything to AD, then use the 'rid'
> backend. If you do add the posix attrs to AD, then use the 'ad'
> backend.

I want to keep things as close to as they are with the current outdated
3.6.25 setup. This is why the former admin didn't update, I guess ;-)

So I think "rid" here. I want kind of "read only" access to ADS.

> Having decided which backend, you then have to decide on the ranges to
> use. If you use the 'rid' backend, then good ranges would be 3000-7999
> for the '*' domain and 10000-whatever_upper_limit_you_decide for your
> DOMAIN (there is a slight problem with this on Debian, they thought it
> was a good idea to use the ID 65534 for nobody/nogroup, but you can
> work around this). This will lead to to user & group IDs starting from
> '11000'
> 
> If you use the 'ad' backend, things are a little different, you
> probably can use the same '*' range as the 'rid' backend, but the 
> DOMAIN range will depend on the posix attrs in AD, so if the lowest
> uidNumber or gidNumber in AD is '10000', you could start at '10000'
> 
> Things to note:
> If you place the '*' range below the 'DOMAIN' range, you can easily
> expand the 'DOMAIN' range by increasing the upper range.
> 
> A user can have the same ID as a group, they will never be mixed up.
> 
> A 'rid' user with the ID 11000 is very very unlikely to be the same user
> as an 'ad' user with the same ID. i.e. If you run the 'ad' backend on
> one Unix domain member, but the 'rid' backend on another, your users
> will have different ID numbers.

And you think this is easy? ;-)

testparm shows:


# testparm -sv | grep idmap

	ldap idmap suffix =
	idmap backend = tdb
	idmap cache time = 604800
	idmap negative cache time = 120
	idmap uid =
	idmap gid =
	idmap config * : range = 10000 - 20000
	idmap config * : backend = tdb

So I would love to "convert" the existing ranges to new parameters,
without guessing or trying something.

the two lines

 idmap uid =
 idmap gid =

should be removed, I assume

> If you do not have the 'netbios name' line in smb.conf, you can use
> the smb.conf on all Unix domain members in the domain and you will
> always get the same numeric IDs.

It is there but afaik there is only this one domain member server right now.

thanks so far, Stefan

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba