
Re: [Samba] idmaps, again

On Fri, 22 Mar 2019 10:38:26 +0100
"Stefan G. Weichinger via samba" <samba@xxxxxxxxxxxxxxx> wrote:

> Am 21.03.19 um 22:42 schrieb Rowland Penny via samba:
> > On Thu, 21 Mar 2019 22:34:02 +0100
> > "Stefan G. Weichinger via samba" <samba@xxxxxxxxxxxxxxx> wrote:
> >   
> >> Am 21.03.19 um 19:54 schrieb Rowland Penny via samba:
> >>  
> >>> This is one of the decisions you have to make, do you want to have
> >>> the same ID's everywhere, or just on Unix domain members ?     
> >>
> >> We only have one Unix domain member aside from the DCs and that is
> >> the samba file server.
> >>  
> >>> Do you want to
> >>> set different login shells and/or different home directories ?    
> >>
> >> nope
> >>
> >> the AD users don't do ssh or bash or so ... "only" file access and
> >> stuff like login/logout and GPOs etc
> >>
> >> (only I and the main admin there use ssh to the servers ...)  
> > 
> > Then you don't really need to be using the 'ad' backend.
> >   
> >>  
> >>> If you want the same ID's everywhere and the ability to set
> >>> different login shells/homedirectories for your users, then you
> >>> must use the 'ad' backend, this does involve adding uidNumber
> >>> attributes to the user objects. This is what the Unix Attributes
> >>> tab used to do.
> >>>
> >>> If none of the above applies, then you can use the 'rid' backend,
> >>> this will give you the same ID's on all Unix domain members, but
> >>> all users that connect to the computer will get the same login
> >>> shell and homedirectory, you also will not have to add anything to
> >>> AD.    
> >>
> >> And is it possible to change the backend from ad to rid with
> >> reasonable effort?  
> > 
> > Yes and then again no ;-)
> > 
> > Yes, it is easy to change from 'ad' to 'rid', but you would also
> > have to change the file ownerships as well.  
> 
> ok, but that doesn't sound too bad: rather generic permissions there,
> we could solve that with some chmod-runs, I assume.
> 
> They basically use one fat share and have rather simple ACLs in place.

It only really gets complicated if you have multiple shares and lots of
users.

> 
> Is there a specific procedure to follow for this change or is it
> simply editing smb.conf on the DM, restart, and editing the
> permissions?

Yes, that is basically it; the only thing I would add is to run 'net
cache flush' after restarting Samba.

> 
> Would the users themselves need some editing as well (inside LDAP/AD)?

This is really up to you, you could, if you so wish, remove all the
rfc2307 attributes from AD, or you could just ignore them.

Rowland
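The change Rowland outlines (swap the idmap block in smb.conf from 'ad' to 'rid', restart Samba, run 'net cache flush', then re-own the files on the share) as an added shell example; this is not code from the thread or from the Samba project. The domain short name EXAMPLE, the range 10000-999999, the share path /srv/share and the old uid/SID pairs are all constructed. The uid arithmetic follows the documented idmap_rid rule ID = RID + LOW_RANGE (default base_rid of 0); the same formula gives the new gid for a group SID, so the plan generator can be fed group SIDs with find's -gid and chgrp in place of -uid and chown.

```shell
#!/bin/sh
# Added example, not from the thread. Builds a dry-run re-ownership plan
# for a share after moving a Unix domain member from the 'ad' to the
# 'rid' idmap backend. Everything below (domain, range, SIDs, uids,
# path) is constructed sample data.
#
# smb.conf [global] idmap block, 'ad' backend (before):
#   idmap config EXAMPLE : backend = ad
#   idmap config EXAMPLE : schema_mode = rfc2307
#   idmap config EXAMPLE : range = 10000-999999
#
# 'rid' backend (after): no uidNumber/gidNumber needed in AD, every
# domain user gets the template shell and home directory.
#   idmap config EXAMPLE : backend = rid
#   idmap config EXAMPLE : range = 10000-999999
#   template shell = /bin/false
#   template homedir = /home/%D/%U
#
# Then: restart smbd/winbind, run 'net cache flush', apply the plan.

RANGE_LOW=10000   # low end of the EXAMPLE range above (constructed)

# rid_uid SID -> the uid idmap_rid will assign: RANGE_LOW + RID.
# The RID is the last dash-separated component of the SID.
rid_uid() {
    rid=${1##*-}
    echo $((RANGE_LOW + rid))
}

# Constructed sample of "old_uid SID" pairs, i.e. what the 'ad' backend
# handed out (uidNumber) next to the SID 'wbinfo -n' reports for the user.
SAMPLE_MAP='3001 S-1-5-21-111-222-333-1105
3002 S-1-5-21-111-222-333-1106'

# chown_plan MAP ROOT -> one find/chown command per user, printed rather
# than executed so the plan can be reviewed before touching the share.
chown_plan() {
    printf '%s\n' "$1" | while read -r old sid; do
        [ -n "$old" ] || continue
        new=$(rid_uid "$sid")
        printf 'find %s -uid %s -exec chown %s {} +\n' "$2" "$old" "$new"
    done
}

# Stand-alone run: print the plan for the constructed sample.
chown_plan "$SAMPLE_MAP" /srv/share
```

Run the printed commands only once winbind on the member reports the new ids (`id EXAMPLE\\user`); because the plan is keyed on the old numeric uid, files owned by local accounts outside the range are left alone.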
