[Samba] Question about samba 4 member server of a pure Windows AD
Stéphane PURNELLE
stephane.purnelle at corman.be
Mon Aug 3 07:43:09 UTC 2015
Hi,
An account created with samba3/ldap (created before 2014-02-20):
SID: S-1-5-21-XXXXXXXXXX-XXXXXXXXX-XXXXXXXXXX-3216
uidNumber: 1108
An account created with Users and Computers (samba 4 AD DC):
SID: S-1-5-21-XXXXXXXXXX-XXXXXXXXX-XXXXXXXXXX-5878
uidNumber: 10023
My actual config (in file-server):
idmap config XXXXXX:backend = ad
idmap config XXXXXX:schema_mode = rfc2307
idmap config XXXXXX:range = 1005-40000
If I apply the RID backend:
ID = RID - BASE_RID + LOW_RANGE_ID.
For the first account:
3216 - 0 + 1005 = 4221 => bad, must be 1108
For the latest created account:
5878 - 0 + 1005 = 6883 => bad, must be 10023
If the generated uidNumber is not the same as the actual uidNumber, I will lose my ACL.
regards
Stéphane Purnelle
From: Rowland Penny <rowlandpenny241155 at gmail.com>
To: samba at lists.samba.org
Date: 02/08/2015 20:27
Subject: Re: [Samba] Question about samba 4 member server of a pure Windows AD
Sent by: "samba" <samba-bounces at lists.samba.org>
On 02/08/15 17:31, Stéphane PURNELLE wrote:
> Hi,
>
> I don't think that rid backend will work, because when we started samba
> (samba 2.2.8a) lower uid was 1000, but when we moved to samba 4, lower uid
> was put to 10000.
> That means new user and group use uidNumber or groupNumber > 10000. But
> we have old account and group with uid or gid < 10000
>
>
> regards
>
> Stéphane Purnelle
>
>
> "samba" <samba-bounces at lists.samba.org> wrote on 31/07/2015 22:42:23:
>
>> From: Rowland Penny <rowlandpenny241155 at gmail.com>
>> To: samba at lists.samba.org
>> Date: 31/07/2015 22:51
>> Subject: Re: [Samba] Question about samba 4 member server of a pure Windows AD
>> Sent by: "samba" <samba-bounces at lists.samba.org>
>>
>> On 31/07/15 20:43, Stéphane PURNELLE wrote:
>>> Hi,
>>>
>>> Actually, we have a samba 4 AD DC and 2 samba 4 AD member server as
>>> file-server.
>>> But my company is member of a group who have i proper AD (A windows AD
>>> server)
>>>
>>> I don't know if the windows AD has implemented rfc2307 and if the sysadmin
>>> of the windows AD can add rfc2307.
>>>
>>> I just would like to know if there are alternatives to have uid <> sid
>>> mapping without rfc2307.
>>> Like extract uid from windows SID (based on algorithm uid = uid*2 + 1000
>>> or something like this)
>>>
>>> thank you for your help
>>>
>>> Stéphane Purnelle
>> Yes, it is called the 'rid' backend, see 'man idmap_rid'
>>
>> Rowland
>>
>>
If you use the rid backend, any uidNumbers & gidNumbers in AD are
ignored, the user's UID will be calculated from this:
ID = RID - BASE_RID + LOW_RANGE_ID
So if you have two users with the RIDs of 9999 & 10001, their UIDs would
be this (note BASE_RID is 0 unless set in smb.conf), LOW_RANGE_ID would
be set to 3000:
UID = 9999 - 0 + 3000
Which would become: UID = 12999
UID = 10001 - 0 + 3000
Which would become: UID = 13001
These are just a couple of examples, from which I hope you can see,
provided you set the LOW_RANGE_ID lower than your lowest RID, it should
work, of course you will probably have to set the builtin range way
above your workgroup range.
Rowland
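
Added example (not part of the thread or of Samba's code): a Python audit that applies the rid formula quoted above to each account and compares the result with the uidNumber that files and ACLs are currently owned by, also flagging RIDs whose computed ID falls outside the idmap range. The domain SID is a constructed placeholder, the third account is constructed, and `Account`, `rid_of`, `rid_backend_id` and `audit` are hypothetical names.

```python
from typing import List, NamedTuple, Optional, Tuple

class Account(NamedTuple):
    sid: str
    uid_number: int  # uidNumber that files and ACLs are currently owned by

def rid_of(sid: str) -> int:
    """Return the RID: the last sub-authority of a domain account SID."""
    parts = sid.split("-")
    if len(parts) < 5 or parts[0] != "S" or not parts[-1].isdigit():
        raise ValueError(f"not a domain account SID: {sid!r}")
    return int(parts[-1])

def rid_backend_id(sid: str, low: int, high: int,
                   base_rid: int = 0) -> Optional[int]:
    """ID = RID - BASE_RID + LOW_RANGE_ID, or None if outside the range."""
    unix_id = rid_of(sid) - base_rid + low
    # idmap_rid only hands out IDs inside the configured range, so a RID
    # below BASE_RID or above the high mark ends up with no mapping at all.
    return unix_id if low <= unix_id <= high else None

def audit(accounts: List[Account], low: int, high: int,
          base_rid: int = 0) -> List[Tuple[str, int, Optional[int], str]]:
    """Return (sid, stored uidNumber, rid-computed ID, status) per account."""
    report = []
    for acct in accounts:
        new_id = rid_backend_id(acct.sid, low, high, base_rid)
        if new_id is None:
            status = "unmapped"   # account would get no Unix ID
        elif new_id == acct.uid_number:
            status = "same"       # ownership and ACLs keep resolving
        else:
            status = "changes"    # files owned by the old ID are orphaned
        report.append((acct.sid, acct.uid_number, new_id, status))
    return report

# Constructed sample: placeholder domain SID; the first two RIDs and
# uidNumbers and the 1005-40000 range are the ones quoted in the thread.
DOMAIN = "S-1-5-21-1111111111-2222222222-3333333333"
ACCOUNTS = [
    Account(f"{DOMAIN}-3216", 1108),
    Account(f"{DOMAIN}-5878", 10023),
    Account(f"{DOMAIN}-39500", 10500),  # constructed: overflows the range
]

if __name__ == "__main__":
    for sid, old, new, status in audit(ACCOUNTS, low=1005, high=40000):
        print(f"{sid}: uidNumber {old} -> rid ID {new} [{status}]")
```

Any account reported as "changes" or "unmapped" owns files on the member server under an ID the rid backend would no longer resolve to it.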