[Samba] Samba AD PDC , LDAP and Single-Sign-On
Mark Foley
mfoley at ohprs.org
Sat Oct 10 07:26:38 UTC 2015
On Sat, 10 Oct 2015 16:07 Andrew Bartlett wrote:
> For the pain that you are about to endure, I can only offer my apologies.
Apologies accepted! :) Seriously though, the Samba team has done a great job
with the AD stuff. I was pretty much able to drop Samba4 in as a replacement
for our SBS 2008 with virtually no issues. What issues I had were mostly
Microsoft idiosyncrasies (refer to my GPO rant to Rowland). I used the
Slackware as-shipped Samba4, provisioned (with BIND9_FLATFILE), added users
with RSAT ADUC and Win7 domain users were none the wiser, everything just
worked: redirected folders, RDC, SQL Server "Windows Authentication", etc. Good
job!
My quest to replace Microsoft continues ...
For my immediate need, I'd like someone to give me the proverbial "fish" and I'll
"learn to fish" later. Given that my AD domain users are group 100, and the AD
users UID range is 3000000-3000099, what should my idmap config settings look
like in the wiki-adapted 'member server' smb.conf shown below? Just tell me the
right answer, I'll figure out why later.
[global]
netbios name = uCommon
workgroup = HPRS
security = ADS
realm = HPRS.LOCAL
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
idmap config *:backend = tdb
idmap config *:range = ???-???
idmap config HPRS:backend = ad
idmap config HPRS:schema_mode = rfc2307
idmap config HPRS:range = ???-???
winbind nss info = rfc2307
winbind trusted domains only = no
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes
winbind refresh tickets = Yes
[demoshare]
path = /srv/samba/test
read only = no
Thanks, --Mark
-----Original Message-----
> From: Andrew Bartlett <abartlet at samba.org>
> To: Mark Foley <mfoley at ohprs.org>, samba at lists.samba.org
> Date: Sat, 10 Oct 2015 16:07:22 +1300
> Subject: Re: [Samba] Samba AD PDC , LDAP and Single-Sign-On
>
> On Fri, 2015-10-09 at 21:08 -0400, Mark Foley wrote:
> > Thanks again for your quick reply ...
>
> > Frankly, even after reading the
> > https://www.samba.org/samba/docs/man/manpages/idmap_ad.8.html wiki, I
> > don't
> > really get the differentiation between 'idmap config *' and 'idmap
> > config DOMAIN'
> >
> > Do I have to have something similar on the AD/DC? Right now, there
> > are no idmap
> > statements in that smb.conf.
> >
> > Thanks for your time (and patience), --Mark
>
> For the pain that you are about to endure, I can only offer my
> apologies. As Rowland and others on the list will quickly point out,
> this is an area that is far from satisfactory. All the solutions are a
> compromise of one kind or another, from the nature of compressing a
> 128-bit (or more) SID value into a 32 bit UID or GID value.
>
> Almost every new Samba team member starts with a desire to finally
> implement the 'perfect' solution here, but the result of that desire
> colliding with reality has ended up with a despairing 'let the admin
> specify what they want'.
>
> One way of doing that is to manually fill in the uidNumber and
> gidNumber values, and then tell the client and server to use that.
> Samba has trouble doing that in a race-free way, and so far declines to
> be as helpful as it could be.
>
> Sorry,
>
> Andrew Bartlett
>
> --
> Andrew Bartlett http://samba.org/~abartlet/
> Authentication Developer, Samba Team http://samba.org
> Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
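The thread leaves the two range values as question marks and does not answer them. What an admin can check mechanically before running `testparm` is the part that commonly bites: the `*` range and the `HPRS` range must not overlap, and, per idmap_ad(8), the domain range acts as a filter, so any uidNumber or gidNumber stored in AD that falls outside it is silently discarded. With the IDs stated in the thread (users 3000000-3000099, primary group 100), gid 100 falls below any plausible domain range and would not map at all (it also collides with the local system group that usually owns gid 100). The script below is an added example, not code from the thread or from the Samba project; the two range values in its sample smb.conf are assumed candidate values chosen for the example, not the answer Mark asked for.

```python
import re

# Constructed sample smb.conf fragment in the shape of the member-server
# config in the thread. The two range values are ASSUMED candidate values
# for this example; they are not the answer asked for in the thread.
SAMPLE_SMB_CONF = """\
[global]
    workgroup = HPRS
    realm = HPRS.LOCAL
    security = ADS
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    idmap config HPRS:backend = ad
    idmap config HPRS:schema_mode = rfc2307
    idmap config HPRS:range = 10000-9999999
"""

# Matches 'idmap config DOMAIN : option = value'; spaces around ':' are optional.
IDMAP_RE = re.compile(
    r"^\s*idmap\s+config\s+(\S+?)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.IGNORECASE
)


def parse_idmap(conf_text):
    """Return {domain: {option: value}} for every idmap config line."""
    cfg = {}
    for line in conf_text.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            dom, opt, val = m.group(1), m.group(2).lower(), m.group(3)
            cfg.setdefault(dom, {})[opt] = val
    return cfg


def parse_range(text):
    """Parse 'low-high' into (low, high); raise ValueError if malformed."""
    parts = text.replace(" ", "").split("-")
    if len(parts) != 2:
        raise ValueError(text)
    low, high = int(parts[0]), int(parts[1])
    if low > high:
        raise ValueError(text)
    return low, high


def check_idmap(conf_text, uid_numbers=(), gid_numbers=(), domain="HPRS"):
    """Return a list of problems found (an empty list means the config passes).

    Checks: every idmap domain has a backend and a parsable range, a default
    '*' domain exists, no two ranges overlap, and every rfc2307 uidNumber /
    gidNumber supplied lies inside the ad backend's range (idmap_ad treats
    the range as a filter and discards IDs outside it).
    """
    problems = []
    cfg = parse_idmap(conf_text)
    ranges = {}
    for dom, opts in cfg.items():
        if "backend" not in opts:
            problems.append(f"{dom}: no backend configured")
        if "range" not in opts:
            problems.append(f"{dom}: no range configured")
            continue
        try:
            ranges[dom] = parse_range(opts["range"])
        except ValueError:
            problems.append(f"{dom}: unparsable range {opts['range']!r}")
    if "*" not in cfg:
        problems.append("no 'idmap config *' default domain for BUILTIN and unknown SIDs")
    doms = sorted(ranges)
    for i, a in enumerate(doms):
        for b in doms[i + 1:]:
            (a_lo, a_hi), (b_lo, b_hi) = ranges[a], ranges[b]
            if a_lo <= b_hi and b_lo <= a_hi:
                problems.append(f"ranges for {a} and {b} overlap")
    if domain in ranges and cfg[domain].get("backend", "").lower() == "ad":
        low, high = ranges[domain]
        for uid in uid_numbers:
            if not low <= uid <= high:
                problems.append(
                    f"uidNumber {uid} outside {domain} range {low}-{high}; idmap_ad will ignore it")
        for gid in gid_numbers:
            if not low <= gid <= high:
                problems.append(
                    f"gidNumber {gid} outside {domain} range {low}-{high}; idmap_ad will ignore it")
    return problems


if __name__ == "__main__":
    # The IDs stated in the thread: users 3000000-3000099, primary group 100.
    for p in check_idmap(SAMPLE_SMB_CONF, range(3000000, 3000100), [100]):
        print(p)
```

Run against the sample, the only finding is that gidNumber 100 lies outside the HPRS range; changing the HPRS range so it starts below 7999 additionally reports the overlap with the `*` range. Whatever values end up in the real smb.conf, `testparm` still has the final say on syntax.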