
Re: [Samba] DM 3.6.25 -> 4.x




On Wed, 30 May 2018 15:26:37 +0200
"Stefan G. Weichinger via samba" <samba@xxxxxxxxxxxxxxx> wrote:

> On 2018-05-30 at 15:01, Rowland Penny via samba wrote:
> 
> > There are three main winbind backends, but only two are really used
> > on Unix domain members, the 'ad' and the 'rid' backends. Which you
> > use is really down to a simple choice, do you want to add posix
> > attrs to AD or not. If you don't want to add anything to AD, then
> > use the 'rid' backend. If you do add the posix attrs to AD, then
> > use the 'ad' backend.
> 
> I want to keep things as close as possible to how they are with the
> current outdated 3.6.25 setup. This is why the former admin didn't
> update, I guess ;-)
> 
> So I think "rid" here. I want kind of "read only" access to ADS.
> 
> > Having decided which backend, you then have to decide on the ranges
> > to use. If you use the 'rid' backend, then good ranges would be
> > 3000-7999 for the '*' domain and
> > 10000-whatever_upper_limit_you_decide for your DOMAIN (there is a
> > slight problem with this on Debian, they thought it was a good idea
> > to use the ID 65534 for nobody/nogroup, but you can work around
> > this). This will lead to user & group IDs starting from '11000'
> > 
> > If you use the 'ad' backend, things are a little different, you
> > probably can use the same '*' range as the 'rid' backend, but the 
> > DOMAIN range will depend on the posix attrs in AD, so if the lowest
> > uidNumber or gidNumber in AD is '10000', you could start at '10000'
> > 
> > Things to note:
> > If you place the '*' range below the 'DOMAIN' range, you can easily
> > expand the 'DOMAIN' range by increasing the upper range.
> > 
> > A user can have the same ID as a group, they will never be mixed up.
> > 
> > A 'rid' user with the ID 11000 is very very unlikely to be the same
> > user as an 'ad' user with the same ID. i.e. If you run the 'ad'
> > backend on one Unix domain member, but the 'rid' backend on
> > another, your users will have different ID numbers.
> 
> And you think this is easy? ;-)

Well yes, once you get your head around it ;-)

> 
> testparm shows:
> 
> 
> # testparm -sv | grep idmap
> 
> 	ldap idmap suffix =
> 	idmap backend = tdb
> 	idmap cache time = 604800
> 	idmap negative cache time = 120
> 	idmap uid =
> 	idmap gid =
> 	idmap config * : range = 10000 - 20000
> 	idmap config * : backend = tdb
> 
> So I would love to "convert" the existing ranges to new parameters,
> without guessing or trying something.

If the last two lines are actually in your smb.conf on disk and you
want to use the 'rid' backend, then something like this will work:

	idmap config DOMAIN : range = 30000 - 40000
	idmap config DOMAIN : backend = rid

> 
> the two lines
> 
>  idmap uid =
>  idmap gid =
> 
> should be removed, I assume

I would love to see how you remove them ;-)
I would imagine that the smb.conf fragment is from a very long smb.conf.
'testparm -v' means print every line in smb.conf, including all the
defaults. Can I suggest you just run 'cat /etc/samba/smb.conf'?

Rowland
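The range rules Rowland lays out above (low below high, the '*' range sitting below the DOMAIN range so DOMAIN can grow upwards, no overlap between ranges, and Debian's 65534 nobody/nogroup id kept out of any range) can be checked mechanically before winbind is restarted. The following is an added example, not code from the thread or from Samba; it parses the `idmap config` lines of an smb.conf text and reports violations. The sample configurations it is meant to be run on are constructed from the values quoted in this thread.

```python
import re

# Matches 'idmap config <domain> : <key> = <value>' as written in smb.conf
IDMAP_RE = re.compile(r"^\s*idmap\s+config\s+(\S+)\s*:\s*(\w+)\s*=\s*(.*?)\s*$", re.I)
DEBIAN_NOBODY_ID = 65534   # Debian's nobody/nogroup id mentioned in the thread

def parse_idmap(smb_conf: str) -> dict:
    """Return {domain: {'backend': str, 'range': (low, high)}} from smb.conf text."""
    cfg = {}
    for line in smb_conf.splitlines():
        m = IDMAP_RE.match(line)
        if not m:
            continue
        dom, key, val = m.group(1), m.group(2).lower(), m.group(3)
        entry = cfg.setdefault(dom, {})
        if key == "range":
            # Accepts both '10000 - 20000' and '10000-20000' spellings
            low, high = (int(x) for x in re.split(r"\s*-\s*", val))
            entry["range"] = (low, high)
        elif key == "backend":
            entry["backend"] = val.lower()
    return cfg

def check_idmap(cfg: dict) -> list:
    """Return a list of problems found; an empty list means the layout is sane."""
    problems = []
    for dom, e in cfg.items():
        if "range" not in e or "backend" not in e:
            problems.append(f"{dom}: missing range or backend")
            continue
        low, high = e["range"]
        if low >= high:
            problems.append(f"{dom}: range {low}-{high} has low >= high")
        if low <= DEBIAN_NOBODY_ID <= high:
            problems.append(f"{dom}: range contains {DEBIAN_NOBODY_ID} (Debian nobody/nogroup)")
    doms = [d for d in cfg if "range" in cfg[d]]
    # Every pair of domains must have disjoint ranges
    for i, a in enumerate(doms):
        for b in doms[i + 1:]:
            al, ah = cfg[a]["range"]
            bl, bh = cfg[b]["range"]
            if al <= bh and bl <= ah:
                problems.append(f"{a} and {b}: ranges overlap")
    # The '*' range should sit below every real domain so DOMAIN can be extended upwards
    if "*" in cfg and "range" in cfg["*"]:
        star_high = cfg["*"]["range"][1]
        for d in doms:
            if d != "*" and cfg[d]["range"][0] <= star_high:
                problems.append(f"{d}: range is not above the '*' range")
    return problems
```

Feeding it the output of `testparm -s` (which prints only the lines actually set in smb.conf) avoids the noise of the `-v` defaults discussed above.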



-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba