Web lists-archives.com

Re: [Samba] How to Join Mac OSX workstation as AD domain member




On Wed, 27 Jun 2018 02:09:24 -0400
Mark Foley via samba <samba@xxxxxxxxxxxxxxx> wrote:

> I think I have my Mac AD mappings wrong. The following link 
> https://support.apple.com/kb/PH26272?viewlocale=en_ME&locale=en_ME,
> says:
> 
> > On a computer that's configured to use Directory Utility's Active
> > Directory connector, you can specify an Active Directory attribute
> > to map to the group ID (GID), primary group ID (GID), and unique
> > user ID (UID) attribute in macOS.
> > 
> > Usually, the Active Directory schema must be extended to include an
> > attribute that's suitable for mapping to the GID, primary GID, and
> > UID:
> > 
> > If the Active Directory administrator extends the Active Directory
> > schema by installing Microsoft's Services for UNIX, you can map the
> > following:
> > 
> >         GID to the msSFU-30-Gid-Number attribute
> >         Primary GID to the msSFU-30-Gid-Number attribute
> >         UID to the msSFU-30-Uid-Number attribute

I think there is a clue there 'Microsoft's Services for UNIX', it used
to be called that, but latterly it was called 'IDMU' or 'Identity
Management for UNIX' and a lot of the 'msSFU-30' prefixes got dropped.

> 
> I've looked in sam.ldb and the only msgSFU object categories I find
> are msSFU-30-NIS-Map-Config and msSFU-30-Domain-Info. What are
> msSFU-30-Gid-Number and UID to the msSFU-30-Uid-Number? Should I be
> using these?

You probably already are, 'msSFU-30-Gid-Number' became 'gidNumber'

> 
> What are GID, primary GID and UID in this case? My 'Domain Users' GID
> is 10000. How does that correlate? Why would I specifically map a
> UID? Would not the AD server sort that out when I log in as a domain
> user?
> 
> > If the Active Directory administrator manually extends the Active
> > Directory schema to include RFC 2307 attributes, you can map the
> > following:
> > 
> >         GID to the gidNumber attribute
> >         Primary GID to the gidNumber attribute
> >         UID to the uidNumber attribute
> 
> I do have 'idmap_ldb:use rfc2307 = yes' defined in the AD server
> smb.conf, but I'm still at a loss as to understanding what they are
> talking about with GID, Primary GID and UID.
> 
> > If the Active Directory administrator manually extends the Active
> > Directory schema to include the macOS gidNumber, PrimaryGroupID,
> > and UniqueID attributes, you can map the following:
> > 
> >         GID to the gidNumber attribute
> >         Primary GID to the PrimaryGroupID attribute
> >         UID to the UniqueID attribute
> 
> Not comprehending this mac-speak. Does anyone know what this is?
> 
> > If mapping of the GID, primary GID, and UID is disabled, the Active
> > Directory connector generates a GID, primary GID, and UID based on
> > Active Directory's standard GUID attribute.
> 
> So, if I *don't* do any mapping (disabled) what happens?

Sounds like you end up using something very similar to the winbind
'rid' backend.

>  
> > Important: With the advanced options of the Active Directory
> > connector, you can map the macOS unique user ID (UID), primary
> > group ID (GID), and group GID attributes to the correct attributes
> > in the Active Directory schema. However, if you change these
> > settings later, users might lose access to previously created files.
> 
> Has anyone done any of this and perhaps understands what they're
> talking about?
> 

I have never done this (no apple clients) but if it works with one
version of apple OS but not a later version, surely this means
something changed in the apple OS and not in Samba. Perhaps you should
ask Apple just what they changed, if anything.
In the meantime, Samba has vfs_fruit, see 'man vfs_fruit' for more info.

Rowland


-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba