Web lists-archives.com

Re: [Samba] idmap config ad





On 28.01.2019 15:27, Rowland Penny via samba wrote:
On Mon, 28 Jan 2019 09:10:58 -0500
Sonic via samba <samba@xxxxxxxxxxxxxxx> wrote:

Trying to use the idmap config ad on a domain member. The AD is an
actual Windows server and when logged in the AD server running ADUC
the NIS domain field on the UNIX attributes tab only shows a dash and
is cannot be changed.
Does Domain Users have a gidNumber attribute containing a number
inside the 10000-99999' range ?

Do any Active directory groups have such a gidNumber ?

Domain member is RHEL 7.6 running Samba 4.8.3.

Pertinent part of smb.conf:
=====================================
[global]
         security = ADS
         workgroup = MYDOMAIN
         realm = MYDOMAIN.LOCAL
         server string = mydomain

         kerberos method = secrets and keytab
         winbind refresh tickets = yes

         idmap config * : backend = tdb
         idmap config * : range = 3000-8999
         idmap config MYDOMAIN : backend = ad
         idmap config MYDOMAIN : schema_mode = rfc2307
         idmap config MYDOMAIN : range = 10000-99999
         idmap config MYDOMAIN : unix_nss_info = yes

         vfs objects = acl_xattr
         map acl inherit = yes
         store dos attributes = yes
=====================================

The documentation seems to strictly point to using a Samba AD with the
RSAT utility and here we're logged right on to the Windows AD using
the native ADUC application.
ADUC is part of RSAT and the Samba 'ad' backend works in the same way
that the Unix Attributes tab dows.

Rowland

Hi Rowland,

I read this post and started wondering myself. If the DC is a Windows one, then I assume uid and gid creation is being handled automatically by Windows Server. If that's correct, then I assume the ad backend is the best one to use as the disadvantages mentioned in the wiki all disappear, leaving only advantages. So, one only had to make sure that the uids and gids created in the AD are within the range mentioned in the smb.conf. Which begs the question, is it possible to influence this?

Viktor



--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba