[Samba] Samba4 member of an another « Samba4 » domain

Rowland Penny rpenny at f2s.com
Sun Apr 14 02:30:03 MDT 2013

On 14/04/13 07:00, steve wrote:
> On 14/04/13 01:37, François Lafont wrote:
>> Hello,
>> On 13/04/2013 20:24, steve wrote:
>>> You still have to add the objects. Yourself!
>> Ok, if I understand, after a provision of a domain with samba-tool 
>> and the "--use-rfc2307" option, samba4 can support posixaccount etc. 
>> in its database, but I have to add the object class and the mandatory 
>> attributes myself.
> It can do that whether you provision with --use-rfc2307 or not. I 
> believe that it adds the possibility of adding the uid:gid from 
> windows. I've never used windows for this.
>> But, after this:
>> -------------------------------------------
>> samba-tool domain provision --realm=CHEZMOI.PRIV --domain=CHEZMOI \
>>      --server-role=dc --dns-backend=SAMBA_INTERNAL --adminpass='+toto123' \
>>      --use-rfc2307
>> ln -s /usr/local/samba/lib/libnss_winbind.so /lib/libnss_winbind.so
>> ln -s /lib/libnss_winbind.so /lib/libnss_winbind.so.2
>> # I add winbind to nsswitch.conf
>> sed -i -r -e 's/^(passwd:.*)$/\1 winbind/g' -e 's/^(group:.*)$/\1 winbind/g' /etc/nsswitch.conf
>> samba
>> -------------------------------------------
>> I have a few users and groups which are already created:
>> # wbinfo -u
>> Administrator
>> Guest
>> krbtgt
>> # wbinfo -g
>> Enterprise Read-Only Domain Controllers
>> Domain Admins
>> Domain Users
>> Domain Guests
>> Domain Computers
>> Domain Controllers
>> Schema Admins
>> Enterprise Admins
>> Group Policy Creator Owners
>> Read-Only Domain Controllers
>> DnsUpdateProxy
>> Must I add "objectclass: posixAccount", "uid: ...", "uidNumber: ..." 
>> etc. entries for each account above?
>> And must I add "objectclass: posixGroup", "gidNumber: ..." etc. 
>> entries for each group above?
> If you want to pull uid:gid from AD then you'll need to add uidNumber 
> and gidNumber for users and gidNumber for groups. All users which need 
> to login will need the attributes but there's no need to allocate 
> gidNumber to all the groups. Many of them have no meaning in Linux. 
> e.g. To begin with, just allocate a gidNumber to Domain Users. A good 
> way to decide which gidNumber to allocate is to take the RID of the 
> group and add, say, 20000 to keep it well away from local groups. As 
> the RID of Domain Users is 513 then our gidNumber becomes 20513.
> For users, we allocated our first user uidNumber 3000032 to avoid 
> collision with the xidnumbers which have to remain in idmap. Each 
> subsequent user increments this value. It's tedious doing this by hand 
> but easy to create an ldif which contains the values to add as and 
> when a new user is created.
>> Which uid/gid numbers should I use?
>> Without "posixAccount", "uid", "uidNumber" etc. entries, the domain 
>> accounts are already automatically assigned a uid number that I can 
>> see with "getent passwd":
>> # getent passwd Guest
>> CHEZMOI\Guest:*:3000011:3000012::/home/CHEZMOI/Guest:/bin/false
>> uid=3000011 although I have made no change to the Guest account.
> Those uid:gid pairs are coming from idmap. idmap is not part of AD and 
> confuses the issue for many of us. If you are going to add more DC's, 
> these uid:gid's will change depending upon which DC you refer to. 
> Probably (almost certainly) not what you want.
>> How does Samba choose these uid/gid numbers (e.g. 3000011/3000012), and how 
>> can I choose my uid/gid numbers so that there is never a conflict 
>> with the uid/gid chosen automatically by Samba?
> That is best answered by looking at:
> ldbsearch --url=/usr/local/samba/private/idmap.ldb
> There, you'll see the sids with the xidnumber that Samba has allocated 
> to them. This xidnumber becomes the uid or gid depending upon whether 
> the object is a user, group or both. A basic set of objects has to 
> remain in idmap so leave it as it is after provision. If you add the 
> line idmap_ldb:use rfc2307 = Yes to smb.conf (which I believe the 
> provision has already done for you) then any new user or group object 
> that is created will not have an entry in idmap. You are then free to 
> add the necessary uid/gidNumbers to AD.
>> Another problem: just after provision, the 
>> /usr/local/samba/var/locks/sysvol/ repository is already created with 
>> particular settings regarding the unix rights and the acl (with 
>> particular uid/gid numbers). Must I change the (unix/acl) rights of 
>> this repository too?
>>> There's another thread
>>> here at the moment about how or how not to do that.
> Some of us have given up on winbind for idmapping. There are easier 
> ways to get rfc2307 from the database which keep the uid:gid 
> consistent independent of which DC is consulted. nss-ldapd is one of 
> them and sssd seems to be gaining ground because of its simplicity. 
> I'm a strong believer in keeping things as simple as possible. Because 
> of this I believe that rfc2307 stuff should always be sourced from AD 
> and we should not use an external idmap.
>> Where? I don't see it. Personally, I have never succeeded in getting "rfc2307" 
>> working, until now.
>> My purpose is to have the same uid/gid numbers between 2 samba4 servers.
> Sorry, I can't access the list archive at the moment. The thread is 
> called 'Some clarification?'
> Cheers,
> Steve

The main problem is, as far as I see it, that if you use winbind on the 
clients, you need to use the same smb.conf on all clients to get the 
same uidNumbers etc., but they will still be different to the ones on the 
server. The reason? S4 winbind != S3 winbind. Using winbind I cannot see 
any way round this; also you need to use rfc2307 and add the uidNumbers.

My feelings are that it is time to put winbind to rest and come up with 
something that pulls the info direct from AD based on the SID and use 
this on the server and clients.
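The allocation scheme Steve describes above (gidNumber = group RID + 20000, uidNumbers from 3000032 upwards, never reusing an xidNumber still held in idmap.ldb) written out as an LDIF generator, as an added example that is not code from the thread or from the Samba project. It assumes the objects sit under CN=Users of the base DN, as they do after a default provision, and the idmap.ldb excerpt and domain SID in it are constructed.

```python
# Added example (not from the thread or Samba): build an LDIF that adds
# RFC2307 uidNumber/gidNumber to Samba4 AD objects using the scheme in the
# thread: gidNumber = group RID + 20000, uidNumber from 3000032 upwards,
# skipping any xidNumber idmap.ldb already holds. Assumes CN=Users placement.
GID_OFFSET = 20000   # keeps AD groups well away from local Linux groups
FIRST_UID = 3000032  # above the xidNumbers that must remain in idmap

def rid_from_sid(sid):
    """RID is the last sub-authority of the SID (Domain Users: ...-513)."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0] != "S" or not parts[-1].isdigit():
        raise ValueError("not a SID: %r" % sid)
    return int(parts[-1])

def idmap_xids(ldbsearch_output):
    """xidNumber values from `ldbsearch --url=.../private/idmap.ldb` output."""
    xids = set()
    for line in ldbsearch_output.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() == "xidNumber" and value.strip().isdigit():
            xids.add(int(value.strip()))
    return xids

def allocate_uids(users, used, first=FIRST_UID):
    """Consecutive uidNumbers per user, skipping anything already in `used`."""
    uids, nxt = {}, first
    for user in users:
        while nxt in used:
            nxt += 1
        uids[user], nxt = nxt, nxt + 1
        used.add(uids[user])
    return uids

def build_ldif(base_dn, groups, users, primary_group, idmap_output):
    """groups: name -> SID; every user gets primary_group's gid as gidNumber."""
    used = idmap_xids(idmap_output)
    gids = {g: rid_from_sid(sid) + GID_OFFSET for g, sid in groups.items()}
    clash = sorted(set(gids.values()) & used)
    if clash:
        raise ValueError("gidNumber(s) %s already allocated in idmap" % clash)
    head = "dn: CN=%s,CN=Users,%s\nchangetype: modify\n"
    spec = "add: %s\n%s: %d\n-\n"
    out = [head % (g, base_dn) + spec % ("gidNumber", "gidNumber", gid)
           for g, gid in gids.items()]
    for u, uid in allocate_uids(users, used).items():
        out.append(head % (u, base_dn) + spec % ("uidNumber", "uidNumber", uid)
                   + spec % ("gidNumber", "gidNumber", gids[primary_group]))
    return "\n".join(out)

# Constructed idmap.ldb excerpt with a placeholder domain SID (S-1-5-21-1-2-3).
SAMPLE_IDMAP = "dn: CN=S-1-5-21-1-2-3-513\ntype: ID_TYPE_GID\nxidNumber: 3000000\n\n" \
               "dn: CN=S-1-5-21-1-2-3-501\ntype: ID_TYPE_BOTH\nxidNumber: 3000011\n"
```

The resulting text is what you would feed to ldbmodify against sam.ldb; the clash check is the conflict the thread warns about, since a gidNumber that equals an xidNumber already in idmap.ldb would give two different objects the same Linux gid.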

