[Samba] winbind: uid range is ignored

steve steve at steve-ss.com
Sat Aug 4 04:00:40 MDT 2012 

On 04/08/12 09:39, NdK wrote:
> Il 03/08/2012 16:21, steve ha scritto:
>
>> That's quite easy in Samba3 but which tdb's must I remove in Samba4? In
>> fact, how would I rejoin the DC to itself?
> You shouldn't use DCs for anything else other than DC. No file server.
> No gateway. *Nothing*. They're a crytical piece of your network
> infrastructure and must be as closed as possible.

Hi Diego. Hi everyone
I'd like to have a separate fileserver running s3fs on another Samba4 
installation. Could I do that by installing Samba4 and joining the 
domain as a member rather than a DC?
>
> The NFS server doesn't care about Samba at all: it reveives UIDs adn
> GIDs and stores 'em as given. No mapping happens here.
>
Yep. Got that bit

> What makes me think you have a *big* misunderstanding about what winbnd
> mapping does is this sentence from another message:
>> If winbind is doing the mapping correctly it should map 3000027 to
>> 3000002

Yes, I did misunderstand that. I've now adjusted my brain to match:-)


> No. Winbind maps back and forth between user *names* (and groups) and
> *UIDs* (and GIDs), not between server UIDs and local GIDs ! It doesn't
> know if an UID is local or from a server.
>
> So, that means that (given no other kind of access to the NFS server is
> allowed) it's enough that all your *clients* use the same mapping
> between SIDs and UIDs/GIDs and you're OK. If not, you have a big problem.
>
> You have many ways to obtain that "same mapping" objective. I chose to
> use rid 'cause I couldn't modify my AD schema. But the preferred way is
> extend AD schema and specify there the UIDs and GIDs.

You don't have to extend the schema. You can store all the rfc2307 
attributes and objects (posixAccount, posixGroup, uidNumber,gidNumber. . 
.) in the m$ schema that ships with S4.

>
> Hope this helps to clarify.

Yes it does. Thank you.

My aim is to have:
idmap config : MYDOMAIN : backend = ad
and
idmap config : MYDOMAIN : range = abc-def

recognised and with the uidNumber and gidNumber attributes being pulled 
from AD rather than any other mapping. To this end I have a test user 
user object with:
objectClass: posixAccount
uidNumber: xyz
gidNumber abc

and a test group object:

objectClass: posixGroup
gidNumber: abc

I assume that with the ad backend both the user and group will come from 
AD and not idmap.

Just waiting for the test lan to install and compile a totally new 
openSUSE 12.1 with Samba4 and a vBox openSUSE client, also fresh install.

How am I doing?
Cheers,
Steve

More information about the samba mailing list