[Samba] Samba AD PDC , LDAP and Single-Sign-On

Mark Foley mfoley at ohprs.org
Sat Oct 10 01:08:04 UTC 2015


Thanks again for your quick reply ...

You wrote:

> > $ wbinfo -i mark
> > HPRS\mark:*:3000026:100:Mark Foley:/home/HPRS/mark:/bin/false
>
> Ah but those numbers *do not* come from AD, they come from 'idmap.ldb'

Hmmm, so my Samba4 assigned them when I ADUC-added the user? Maybe this is not
an answerable question, but why is it picking those GID/UIDs? Why is it not
picking 100000:100000 since other things (like member server) are expecting
something in that range? Is this a configuration option I could have set in my
AD smb.conf? That smb.conf was auto-generated by samba-tool provision, so that
seems like a good place to create a default idmap.

Anyway, that's water under the bridge ...

> > Can I work with what I have or should I change these?
>
> You can work with what you have got, but you don't have to, you can 
> change them and if you are only going to use ADUC, I can point you at a 
> couple of attributes that will make it easier to create unix users, 
> these attributes will store the next uidNumber & gidNumber in AD.

Yes, point me! Even if I don't go that route now, I should know how to do that.
I will definitely be adding more users in the future.

> > How do you recommend I proceed with my idmap range configuration?
>
> It is up to you, but I would use lower numbers

Here's a bit of a wrinkle I haven't mentioned yet that would incline me to stick
with what I have ...

I've also added these users to /etc/[passwd|shadow]. So, for the wbinfo shown
above I have in /etc/passwd:

mark:x:3000026:100:Mark Foley:/home/HPRS/mark:/bin/bash

I'm doing this for the sake of email.  This AD server is also the email server. 
The email agents I'm using: sendmail, procmail, dovecot don't seem to understand
AD authentication (well, dovecot might via the LDAP mechanism, but I've not been
able to get that to work after many months of trying).  So, sendmail, via
procmail and .procmailrc, delivers mail to the user's Maildir folder in their
home directories -- which are all owned by e.g. 100:300000xx -- from where
Dovecot picks them up for delivery to Outlook and other email clients.

Furthermore, since this AD/DC server is acting as a SBS replacement, the
/redirectedFolders/User/username files and directories are also owned by their
respective users' GID:UID.

So, I *could* change ownership of the users' home [sub]directories, redirected
folder [sub]directories and /etc/passwd UID:GID, but I'd rather not if I don't
have to.

Critiques of the above are welcomed.

If, as you say, I can work with what I have, what would my 'member server' idmap
statements look like?

idmap config *:backend = tdb
idmap config *:range = 100-3000099
idmap config HPRS:backend = ad
idmap config HPRS:schema_mode = rfc2307
idmap config HPRS:range = 100-3000099

Does the range have to include the GID? (100)

Frankly, even after reading the 
https://www.samba.org/samba/docs/man/manpages/idmap_ad.8.html wiki, I don't
really get the differentiation between 'idmap config *' and 'idmap config DOMAIN'

Do I have to have something similar on the AD/DC? Right now, there are no idmap
statements in that smb.conf.

Thanks for your time (and patience), --Mark

-----Original Message-----
> Date: Fri, 09 Oct 2015 19:25:18 +0100
> From: Rowland Penny <rowlandpenny241155 at gmail.com>
> To: samba at lists.samba.org
> Subject: Re: [Samba] Samba AD PDC , LDAP and Single-Sign-On
>
> On 09/10/15 18:09, Mark Foley wrote:
> > Rowland - thanks for your reply. I did send a message after this one you
> > responded to with several other questions, but I'll pursue questioning on
> > GID/UID in this reply as that is what you've mainly discussed. But, please check
> > out that next email for other questions. Thanks.
> >
> > For a particular domain user in the AD, wbinfo gives:
> >
> > $ wbinfo -i mark
> > HPRS\mark:*:3000026:100:Mark Foley:/home/HPRS/mark:/bin/false
>
> Ah but those numbers *do not* come from AD, they come from 'idmap.ldb'
> You can change them easily by adding a uidNumber to each user and a 
> gidNumber to Domain Users. What numbers you use is up to you, but ADUC 
> starts them at '10000'. Another thing that you should be aware of is, 
> the numbers you refer to will only occur on a DC, you will never see 
> them on a Unix member server or workstation.
>
> >
> > Main question: what should the range settings be in my client smb.conf? Or, are
> > these really bad GID/UIDs to use and I should change them?
>
> See the smb.conf on the member server wiki page, just be aware that you 
> can use the same range for users and groups i.e. the uidNumber 10000 is 
> not the same as gidNumber 10000
>
> > Background: why do I have these GID(100) UIDs(300000xx)? The answer is that I
> > created domain users on the AD via RSAT > Active Directory Users and Computers.
> > These are apparently the GID and UID range assigned by default. The ADUC >
> > username > properties > Unix Attributes, UID and GID fields are blank, so I
> > guess 100:30000xx are picked by default.
>
> Yes, as I said, they are set in idmap.ldb by samba and no you don't have 
> to use them
>
> >
> > Can I work with what I have or should I change these?
>
> You can work with what you have got, but you don't have to, you can 
> change them and if you are only going to use ADUC, I can point you at a 
> couple of attributes that will make it easier to create unix users, 
> these attributes will store the next uidNumber & gidNumber in AD.
>
> > There are no other actual local users on either the AD or client aside from me
> > (100:1000 mfoley) other than the built-in accounts (root, bin, daemon, adm, lp
> > ...) and services accounts (dovecot, spamd, mysql, ...).  No other actual local
> > users.
> >
> > How do you recommend I proceed with my idmap range configuration?
>
> It is up to you, but I would use lower numbers
>
> Rowland

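Added example (not code from this thread or from the Samba project): a small model of how winbind on a *member server* would treat the idmap lines Mark drafted above, written to make three points from the exchange concrete. First, `idmap config *` and `idmap config HPRS` are two separate idmap domains, and their ranges may not overlap; second, with `backend = ad` a member server never sees the DC's idmap.ldb numbers (the 3000026 from `wbinfo -i` on the DC), it only sees a user who has a uidNumber in AD; third, the range does have to include the gidNumber of the primary group, otherwise the user is not mapped at all. The smb.conf fragments and the AD user entries are constructed sample data, and the model reduces winbind's behaviour to just those rules.

```python
"""Model of member-server id mapping with 'idmap config DOM : backend = ad'.

Added example; not code from the mailing-list thread or from Samba.
Assumptions (not from the page): the smb.conf fragments and AD entries below
are constructed; only three winbind rules are modelled (each idmap domain
needs a backend and a 'lo-hi' range, ranges of different idmap domains must
not overlap, and with the 'ad' backend a user resolves only if uidNumber and
the primary group's gidNumber exist in AD and lie inside the domain's range).
"""
import re
from typing import Dict, List, Optional

IDMAP_RE = re.compile(
    r"^\s*idmap\s+config\s+(?P<dom>\S+?)\s*:\s*(?P<opt>\w+)\s*=\s*(?P<val>.+?)\s*$",
    re.IGNORECASE,
)


def parse_idmap(smb_conf: str) -> Dict[str, Dict[str, str]]:
    """Collect 'idmap config DOM : option = value' lines, keyed by idmap domain."""
    cfg: Dict[str, Dict[str, str]] = {}
    for line in smb_conf.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            cfg.setdefault(m["dom"].upper(), {})[m["opt"].lower()] = m["val"]
    return cfg


def validate(cfg: Dict[str, Dict[str, str]]) -> List[str]:
    """Return the problems winbind would refuse to start with (empty list = OK)."""
    problems: List[str] = []
    if "*" not in cfg:
        problems.append("no 'idmap config *' default domain (BUILTIN and unknown SIDs need it)")
    spans = {}
    for dom, opts in cfg.items():
        if "backend" not in opts:
            problems.append(f"{dom}: no backend")
        m = re.fullmatch(r"(\d+)\s*-\s*(\d+)", opts.get("range", ""))
        if not m:
            problems.append(f"{dom}: range missing or not 'lo-hi'")
            continue
        lo, hi = int(m[1]), int(m[2])
        if lo >= hi:
            problems.append(f"{dom}: range {lo}-{hi} is empty")
        spans[dom] = (lo, hi)
    doms = sorted(spans)
    for i, a in enumerate(doms):
        for b in doms[i + 1:]:
            (alo, ahi), (blo, bhi) = spans[a], spans[b]
            if alo <= bhi and blo <= ahi:  # closed intervals intersect
                problems.append(f"ranges of {a} ({alo}-{ahi}) and {b} ({blo}-{bhi}) overlap")
    return problems


def resolve_user(cfg: Dict[str, Dict[str, str]], domain: str, user: str,
                 ad_entry: Dict[str, str]) -> Optional[str]:
    """What 'getent passwd DOMAIN\\user' would print on a member server, or None.

    ad_entry models the user's AD object plus the gidNumber of its primary
    group (Domain Users). The DC-local idmap.ldb xidNumber is deliberately not
    an input: a member server never consults the DC's idmap.ldb.
    """
    opts = cfg.get(domain.upper())
    if opts is None or opts.get("backend", "").lower() != "ad":
        return None  # tdb/rid backends allocate or compute ids instead; not modelled
    lo, hi = (int(x) for x in opts["range"].split("-"))
    try:
        uid, gid = int(ad_entry["uidNumber"]), int(ad_entry["gidNumber"])
    except (KeyError, ValueError):
        return None  # attribute missing in AD: SID cannot be mapped, user is invisible
    if not (lo <= uid <= hi and lo <= gid <= hi):
        return None  # uid or gid outside the domain's range: also unmapped
    home = ad_entry.get("unixHomeDirectory", f"/home/{domain.upper()}/{user}")
    shell = ad_entry.get("loginShell", "/bin/false")
    gecos = ad_entry.get("displayName", user)
    return f"{domain.upper()}\\{user}:*:{uid}:{gid}:{gecos}:{home}:{shell}"


# Constructed configs. DRAFT_CONF is the fragment from the question (the two
# ranges overlap); FIXED_CONF keeps the existing 100 / 30000xx ids but gives
# '*' its own disjoint range; WIKI_CONF uses conventional low ranges.
DRAFT_CONF = """[global]
idmap config *:backend = tdb
idmap config *:range = 100-3000099
idmap config HPRS:backend = ad
idmap config HPRS:schema_mode = rfc2307
idmap config HPRS:range = 100-3000099
"""
FIXED_CONF = """[global]
idmap config * : backend = tdb
idmap config * : range = 4000000-4999999
idmap config HPRS : backend = ad
idmap config HPRS : schema_mode = rfc2307
idmap config HPRS : range = 100-3999999
"""
WIKI_CONF = FIXED_CONF.replace("4000000-4999999", "3000-7999").replace("100-3999999", "10000-3999999")

# Constructed AD objects for 'mark': before and after Unix attributes are set.
MARK_NO_UNIX_ATTRS = {"displayName": "Mark Foley"}
MARK_WITH_UNIX_ATTRS = {"displayName": "Mark Foley", "uidNumber": "3000026", "gidNumber": "100",
                        "unixHomeDirectory": "/home/HPRS/mark", "loginShell": "/bin/bash"}


def demo() -> Dict[str, object]:
    draft, fixed, wiki = parse_idmap(DRAFT_CONF), parse_idmap(FIXED_CONF), parse_idmap(WIKI_CONF)
    return {
        "draft_problems": validate(draft),
        "fixed_problems": validate(fixed),
        "no_unix_attrs": resolve_user(fixed, "HPRS", "mark", MARK_NO_UNIX_ATTRS),
        "with_unix_attrs": resolve_user(fixed, "HPRS", "mark", MARK_WITH_UNIX_ATTRS),
        "wiki_ranges_gid_100": resolve_user(wiki, "HPRS", "mark", MARK_WITH_UNIX_ATTRS),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The draft config is flagged only for the overlapping ranges; with disjoint ranges the same user is still invisible on the member until a uidNumber is stored in AD, and with the conventional 10000-based range the gidNumber 100 of Domain Users falls outside the range and the user is again unmapped. Two related points that the thread leaves implicit (from the Samba documentation, not from either poster): the DC itself ignores `idmap config` lines and uses idmap.ldb, and can be told to honour the AD uidNumber/gidNumber with `idmap_ldb:use rfc2307 = yes` in its [global]; and the "next id" attributes ADUC's Unix Attributes tab reads are msSFU30MaxUidNumber and msSFU30MaxGidNumber on the ypservers container under CN=System.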