well-known and uid/gid interactions on multi-DC samba AD domain

steve steve at steve-ss.com
Tue May 13 09:45:31 MDT 2014


On Tue, 2014-05-13 at 17:14 +0200, Daniele Dario wrote:
> Hi Steve,
> 
> On mar, 2014-05-13 at 16:48 +0200, steve wrote:
> > On Tue, 2014-05-13 at 16:21 +0200, Daniele Dario wrote:
> > 
> > > Now I'd try again, so can somebody point me to the right way to proceed
> > > or suggest alternative ways to back up data?
> > > 
> > > Which would be the objects to "posixify"?
> > Add uidNumber and gidNumber to all your users. Add gidNumber to Domain
> > Users and any other domain groups that your users are members of. There
> > is no need to add posixAccount or posixGroup classes unless you need
> > them.
> > 
> > > Only users/groups I created on the domain?
> > No.
> > 
> > > Also machine accounts have to be posixified?
> > No.
> > 
> > > Is there a way to be sure to avoid overlappings?
> > Yes. Do:
> > getent passwd 
> > look at the highest uid you get. Here, I'm 1000:
> > steve:x:1000:100::/home/steve:/bin/bash
> > 
> > The AD uids start at 10000 for 2307 schema setups where you provisioned with --use-rfc2307. Samba4 maps from 3000000 upwards. We use the latter range for our user uidNumbers.
> > For groups, choose a gidNumber which helps with recognition. We use 20513 for Domain Users for example.
> > 
> > If you add local users to any DC, make sure that you allocate a uid below either 10000 or 3000000.
> > Good luck this time around.
> > Steve
> > 
> > 
> 
> thanks for the tips.
> Can you please clarify what "add uidNumber and gidNumber" means ...?
> How do I do that? Is there a specific command (samba-tool or something
> like that) or do I use ldbmodify? Where can I find some example?

You can use the UNIX tab in ADUC, ldbmodify or ldbedit.
ldbmodify is quicker once you have a template ldif and it works for
groups too. If you have only a few users, go for ldbedit. You can choose
your own editor too if you don't like vi. Oh, and DON'T edit or add to
entries directly. Point the edits at sam.ldb.

> 
> Then can you give an example for uids, having this from getent passwd
> 
> myadmin:x:1000:1000:myadmin,,,:/home/myadmin:/bin/bash
> ...
> SAITEL\Administrator:*:0:100::/home/SAITEL/Administrator:/bin/bash
> SAITEL\Guest:*:3000002:3000003::/home/SAITEL/Guest:/bin/bash
> SAITEL\krbtgt:*:3000027:100::/home/SAITEL/krbtgt:/bin/bash
> 
Assuming that these are the values that you have added to the directory
yourself, then this looks fine, except that I wouldn't want a Windows
domain administrator having root access on my DC!

If these are winbind mappings then you'll have to add them as uidNumber
and gidNumber yourself. Retain the numbers.

> and getent groups
> 
> myadmin:x:1000:
> ...
> SAITEL\Enterprise Read-Only Domain Controllers:*:3000042:
> SAITEL\Domain Admins:*:3000011:
> SAITEL\Domain Users:*:100:
> 
Yeah. Also OK. I'd move Domain Users away from 100. Again, it looks as
though these are winbind mappings. Add them to the groups as gidNumber.

> Thanks for your kind help,
> Daniele.
> 
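Added example, not part of Steve's or Daniele's mails: POSIX sh helpers for the procedure Steve describes, which pick a uidNumber that does not collide with anything `getent passwd` already shows and emit the LDIF that ldbmodify applies to sam.ldb. The DNs, the sam.ldb path and the sample passwd lines are constructed assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). Helpers for the procedure Steve describes:
# pick a uidNumber that does not collide with anything 'getent passwd' already
# shows, then emit LDIF that ldbmodify applies to sam.ldb.

# Constructed sample of 'getent passwd' output for offline use; real runs
# leave the second argument off so the functions query getent themselves.
SAMPLE_PASSWD='myadmin:x:1000:1000:myadmin,,,:/home/myadmin:/bin/bash
SAITEL\Guest:*:3000002:3000003::/home/SAITEL/Guest:/bin/bash
SAITEL\krbtgt:*:3000027:100::/home/SAITEL/krbtgt:/bin/bash'

# uid_in_use UID [PASSWD_TEXT]: succeed if UID is already field 3 of some entry
uid_in_use() {
  printf '%s\n' "${2:-$(getent passwd)}" |
    awk -F: -v u="$1" '$3 == u { found = 1 } END { exit !found }'
}

# next_free_uid START [PASSWD_TEXT]: first uid >= START that is not in use
next_free_uid() {
  uid=$1
  while uid_in_use "$uid" "${2:-}"; do uid=$((uid + 1)); done
  printf '%s\n' "$uid"
}

# user_ldif DN UID GID: LDIF adding uidNumber and gidNumber to an existing user.
# Refuses uid 0 so a domain account cannot become root on the DC.
user_ldif() {
  if [ "$2" -eq 0 ]; then
    echo "refusing to give $1 uidNumber 0" >&2
    return 1
  fi
  printf 'dn: %s\nchangetype: modify\nadd: uidNumber\nuidNumber: %s\n-\nadd: gidNumber\ngidNumber: %s\n-\n' "$1" "$2" "$3"
}

# group_ldif DN GID: LDIF adding gidNumber to an existing group
group_ldif() {
  printf 'dn: %s\nchangetype: modify\nadd: gidNumber\ngidNumber: %s\n-\n' "$1" "$2"
}

# Usage (DNs and the sam.ldb path are assumptions for this example):
#   uid=$(next_free_uid 3000000)
#   user_ldif 'CN=daniele,CN=Users,DC=saitel,DC=lan' "$uid" 20513 \
#     | ldbmodify -H /usr/local/samba/private/sam.ldb
#   group_ldif 'CN=Domain Users,CN=Users,DC=saitel,DC=lan' 20513 \
#     | ldbmodify -H /usr/local/samba/private/sam.ldb
```

Run `next_free_uid` with the winbind range start that matches your provisioning (10000 for rfc2307, 3000000 otherwise) so the mapped ids Steve says to retain are never reassigned.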