Re: [Samba] idmap config ad
- Date: Mon, 28 Jan 2019 15:38:41 +0100
- From: Viktor Trojanovic via samba <samba@xxxxxxxxxxxxxxx>
- Subject: Re: [Samba] idmap config ad
On 28.01.2019 15:27, Rowland Penny via samba wrote:
On Mon, 28 Jan 2019 09:10:58 -0500
Sonic via samba <samba@xxxxxxxxxxxxxxx> wrote:
Trying to use the idmap config ad on a domain member. The AD is an
actual Windows server and when logged in the AD server running ADUC
the NIS domain field on the UNIX attributes tab only shows a dash and
is cannot be changed.
Does Domain Users have a gidNumber attribute containing a number
inside the 10000-99999' range ?
Do any Active directory groups have such a gidNumber ?
Domain member is RHEL 7.6 running Samba 4.8.3.
Pertinent part of smb.conf:
security = ADS
workgroup = MYDOMAIN
realm = MYDOMAIN.LOCAL
server string = mydomain
kerberos method = secrets and keytab
winbind refresh tickets = yes
idmap config * : backend = tdb
idmap config * : range = 3000-8999
idmap config MYDOMAIN : backend = ad
idmap config MYDOMAIN : schema_mode = rfc2307
idmap config MYDOMAIN : range = 10000-99999
idmap config MYDOMAIN : unix_nss_info = yes
vfs objects = acl_xattr
map acl inherit = yes
store dos attributes = yes
The documentation seems to strictly point to using a Samba AD with the
RSAT utility and here we're logged right on to the Windows AD using
the native ADUC application.
ADUC is part of RSAT and the Samba 'ad' backend works in the same way
that the Unix Attributes tab dows.
I read this post and started wondering myself. If the DC is a Windows
one, then I assume uid and gid creation is being handled automatically
by Windows Server. If that's correct, then I assume the ad backend is
the best one to use as the disadvantages mentioned in the wiki all
disappear, leaving only advantages. So, one only had to make sure that
the uids and gids created in the AD are within the range mentioned in
the smb.conf. Which begs the question, is it possible to influence this?
To unsubscribe from this list go to the following URL and read the