[Samba] ADS Domain Member smb.conf using idmap_ad

Freeman flo at email.unc.edu
Wed Nov 23 08:37:05 MST 2011

On 11/23/2011 08:44 AM, TAKAHASHI Motonobu wrote:
> Firstly, I recommend that you configure both Active Directory and
> Samba to configure Winbind in your lab.
> From: Freeman<flo at email.unc.edu>
> Date: Wed, 23 Nov 2011 08:17:55 -0500
>>> Have you already set values into "UNIX attributes" for every user you
>>> want to "activate" under Winbind?
>> I believed on the windows side, the windows admin had already mapped the
>> unix user uid/gid to the windows domain via some windows/unix converter
>> tool.
> You need to confirm what was done, I think.
The unix IDs which were mapped to the windows domain on the server 2008
RC 2 are all from central campus user IDs, not the user IDs local to me
where I have set up a small NIS service for the 25 people I support. The
campus uid/gid is comprehensive. The range of uid from campus varies
from low values to high values. These uids are coming from campus's unix
uid passwd file, which were manually mapped to the campus's windows
domain by the local windows admin for all 25 staff.

As far as unix attributes, the uid(s) from campus for all 25 of us were
set but probably nothing else. I am not sure of what other unix
attributes were made available on the windows side. I am also unaware
of what other tasks needed to be done on the windows side to
have the uid properly mapped. The local windows admin only told me that
all he did was to edit the domain table for each of the 25 users with
campus uid and gid.
>> idmap config AD : default = yes
>> idmap config AD : cache time = 180
>> idmap config AD : backend  = ad
>> # idmap config AD : range = 100001-200000
>> idmap config AD : schema_mode = rfc2307
> Of course, uid/gids are set between 100001-200000 on Active Directory?
These uid and gid will be used from campus's passwd file. I have to
locate all 25 staff including myself in order to come up with a range.
There is no consistency in the uid values from campus. It all depends on
when this person was accepted into the university as a student or was
hired. This will be painful. I have to grep that passwd / groups
file to see all of their uids and gids.
> If you set "idmap config AD : range = 100001-200000", all uid/gids
> except 100001-200000 cannot be mapped. Also remember a user whose
> primary group cannot be mapped fails to map.
Thanks, this is good to know.
>> idmap config AD : schema_mode = rfc2307
>> I am running samba version: Version 3.5.11-79. fc14. Trying to join
>> linux servers to the windows 2003 domain by running winbind and smb.  I
> Your AD's DCs are Windows Server 2003 or Windows Server 2003 R2?
> If Windows Server 2003, you use sfu instead of rfc2307. See
>    http://support.microsoft.com/kb/921599/en-us
My apologies, I am lacking skills in understanding the windows
domain. Campus is running 2008 RC2 server. So, rfc2307 will work for me
instead of sfu?
>> I thought the uid/gid mapping to the sid is all done by either
>> winbind or samba, if smb.conf is configured properly.
> Again I have to say that uid/gid has nothing to do with
> Setting "idmap backend = ad" only enables that uid/gid/shell and
> homedir values are retrieved from those set in "UNIX attributes",
> which does not mean to map to SID.
>> The goal is pretty simple, we would like to have all of the linux
>> machines joining the campus windows AD domain as a member. Instead of
>> using the NIS account with all of the linux machine, we would like to
>> log onto the linux servers with the domain account from the window side
>> and to mount a windows share upon a user log in.
> If you keep current uid/gids maintained by NIS, you should use
> idmap_ad(8). If not, idmap_rid(8) is easy to configure.
Thank you again for explaining the difference to me. I am about 99%
certain I would have to go with idmap_ad since the uid/gid from
groups/passwd files are manually added into campus's windows active

Would my configuration be accurate for someone who wishes to join a
windows 2008 RC2 domain with proper access to windows shares?
    idmap backend = tdb <-- I am unsure of the value here
    idmap config AD : default = yes
    idmap config AD : cache time = 180
    idmap config AD : backend  = ad

What are these two settings then? Are they significant?
    idmap uid = 1000-5000000
    idmap gid = 1000-5000000

I would have to query the campus passwd file to see what might be a
possible range for the line below.
    idmap config AD : range = XXX-XXX

> ---
> TAKAHASHI Motonobu<monyo at samba.gr.jp>
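The "grep the passwd / groups file" step Freeman dreads above, as an added example that is not part of this thread: a POSIX sh/awk script that, given copies of the campus passwd and group files plus a list of the 25 staff logins, reports the smallest and largest uid and gid among them (the bounds for the `idmap config AD : range` line) and warns about any listed login whose primary gid has no group entry, since Motonobu notes that winbind cannot map a user whose primary group is unmappable. The function names and the sample passwd/group/staff data are constructed for the example.

```shell
#!/bin/sh
# Constructed sample data; in practice point idmap_range at copies of
# the campus passwd and group files and a file of the staff logins.
PASSWD_SAMPLE='alice:x:1023:1023:Alice:/home/alice:/bin/bash
bob:x:250417:8020:Bob:/home/bob:/bin/bash
carol:x:77:8020:Carol:/home/carol:/bin/bash
dave:x:9901:55555:Dave:/home/dave:/bin/bash
eve:x:5005:5005:Eve:/home/eve:/bin/bash'
GROUP_SAMPLE='alice:x:1023:
staff:x:8020:bob,carol
eve:x:5005:'
STAFF_SAMPLE='alice
bob
carol
dave'

# idmap_range PASSWD GROUP STAFFLIST
# Prints "uidmin uidmax gidmin gidmax" over the listed logins. Primary
# gids count toward the gid range because winbind must map them too; a
# login missing from passwd, or whose primary gid has no group entry,
# is reported on stderr (such a user would fail to map).
idmap_range() {
  awk -F: -v staff="$3" '
    BEGIN { while ((getline u < staff) > 0) want[u] = 1; close(staff) }
    NR == FNR { if ($1 in want) { uid[$1] = $3 + 0; gid[$1] = $4 + 0 }; next }
    { grp[$3 + 0] = $1 }
    END {
      for (u in want) {
        if (!(u in uid)) { print "WARNING: " u " not in passwd" > "/dev/stderr"; continue }
        if (umin == "" || uid[u] < umin) umin = uid[u]
        if (umax == "" || uid[u] > umax) umax = uid[u]
        if (gmin == "" || gid[u] < gmin) gmin = gid[u]
        if (gmax == "" || gid[u] > gmax) gmax = gid[u]
        if (!(gid[u] in grp))
          print "WARNING: " u " primary gid " gid[u] " has no group entry" > "/dev/stderr"
      }
      print umin, umax, gmin, gmax
    }' "$1" "$2"
}

# demo: write the samples to a scratch directory, run the check, clean up.
demo() {
  d="${TMPDIR:-/tmp}/idmap-range.$$"
  mkdir -p "$d"
  printf '%s\n' "$PASSWD_SAMPLE" > "$d/passwd"
  printf '%s\n' "$GROUP_SAMPLE" > "$d/group"
  printf '%s\n' "$STAFF_SAMPLE" > "$d/staff"
  idmap_range "$d/passwd" "$d/group" "$d/staff"
  rm -rf "$d"
}

demo   # prints: 77 250417 1023 55555 (dave's gid 55555 is flagged on stderr)
```

The gap between the reported minimum and maximum is what the range line must cover; with campus uids spread from low to high values, expect it to be wide.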

