[Samba] Samba4 member of an another « Samba4 » domain

François Lafont flafdivers at free.fr
Sun Apr 14 19:17:40 MDT 2013

On 14/04/2013 08:00, steve wrote:

>> Ok, if I understand, after a provision of a domain with samba-tool and
>> the "--use-rfc2307" option, samba4 can support posixaccount etc. in
>> its database, but I have to add the object class and the mandatory
>> attributes myself.
> It can do that whether you provision with --use-rfc2307 or not. 

Are you sure? In this case, I won't use this option.

> I
> believe that it adds the possibility of adding the uid:gid from windows.
> I've never used windows for this.

Me too. I prefer to manage the AD in the samba server.

> If you want to pull uid:gid from AD then you'll need to add uidNumber
> and gidNumber for users and gidNumber for groups. 

And "memberUid" too for groups, right?

> All users which need
> to login will need the attributes but there's no need to allocate
> gidNumber to all the groups. Many of them have no meaning in Linux. e.g.
> To begin with, just allocate a gidNumber to Domain Users. A good way to
> decide which gidNumber to allocate is to take the RID of the group and
> add, say, 20000 to keep it well away from local groups. As the RID of
> Domain Users is 513 then our gidNumber becomes 20513.
> For users, we allocated our first user uidNumber 3000032 to avoid
> collision with the xidnumbers which have to remain in idmap. 

I don't think that 3000032 is a good uidNumber because idmap seems to use the "3000000-4000000" range.

>> # getent passwd Guest
>> CHEZMOI\Guest:*:3000011:3000012::/home/CHEZMOI/Guest:/bin/false
>> uid=3000011 although I have made no change to the Guest account.oming
>> from /ur/
> Those uid:gid pairs are coming from idmap. idmap is not part of AD and
> confuses the issue for many of us. If you are going to add more DC's,
> these uid:gid's  will change depending upon which DC you refer to.
> Probably (almost certainly) not what you want.

Absolutely. :)

>> How does Samba choose these uid/gid numbers (e.g. 3000011/3000012) and
>> how can I choose my uid/gid numbers so that they never conflict with
>> the uid/gid chosen automatically by Samba?
> That is best answered by looking at:
> ldbsearch --url=/usr/local/samba/private/idmap.ldb

Ok, it's a good answer indeed. And I can see:

# ldbsearch --url=/usr/local/samba/private/idmap.ldb cn=config
# record 1
lowerBound: 3000000
upperBound: 4000000
xidNumber: 3000017
distinguishedName: CN=CONFIG

Then, I understand that idmap uses the "3000000-4000000" range to assign xidNumber to the users and groups.

> There, you'll see the sids with the xidnumber that Samba has allocated
> to them. This xidnumber becomes the uid or gid depending upon whether
> the object is a user, group or both. A basic set of objects has to
> remain in idmap so leave it as it is after provision. If you add the
> line idmap_ldb:use rfc2307 = Yes to smb.conf (which I believe the
> provision has already done for you) then any new user or group object
> that is created will not have an entry in idmap. You are then free to
> add the necessary uid/gidNumbers to AD.

Yes, indeed:

# grep 'rfc' /usr/local/samba/etc/smb.conf 
	idmap_ldb:use rfc2307 = yes

# samba
# samba-tool user add test4 "test4"
User 'test4' created successfully

# ldbsearch --url=/usr/local/samba/private/sam.ldb cn=test4 | grep -i objectsid
objectSid: S-1-5-21-3840058276-1254623269-3939424142-1106

# ldbsearch --url=/usr/local/samba/private/idmap.ldb cn=S-1-5-21-3840058276-1254623269-3939424142-1106
# returned 0 records
# 0 entries
# 0 referrals

But after this:

# getent passwd test4

the idmap entry is automatically created:

# ldbsearch --url=/usr/local/samba/private/idmap.ldb cn=S-1-5-21-3840058276-1254623269-3939424142-1106
# record 1
dn: CN=S-1-5-21-3840058276-1254623269-3939424142-1106
cn: S-1-5-21-3840058276-1254623269-3939424142-1106
objectClass: sidMap
objectSid: S-1-5-21-3840058276-1254623269-3939424142-1106
xidNumber: 3000019
distinguishedName: CN=S-1-5-21-3840058276-1254623269-3939424142-1106

I have noticed that I have exactly the same behaviour without the "idmap_ldb:use rfc2307 = yes" option. So I don't see exactly what this option is for...

> Sorry, I can't access the list archive at the moment. The thread is
> called 'Some clarification?'

Ok, I see.

Thanks a lot for your explanations, Steve. It's become clearer in my mind. :)

François Lafont
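The practical question in this thread is how to pick uidNumber/gidNumber values for AD that can never collide with the xidNumbers idmap.ldb hands out on its own. The script below is an added example, not code from the thread or from the Samba project: it parses the cn=config record of idmap.ldb (the output shown above, copied here as a constructed string so it runs offline; on a real DC you would fill IDMAP_CONFIG from `ldbsearch --url=/usr/local/samba/private/idmap.ldb cn=config`), derives the "RID + offset" numbers suggested for groups such as Domain Users, and refuses any candidate that falls inside the lowerBound..upperBound range. The function names (ldb_attr, sid_rid, rid_to_xid, xid_is_safe, check_xid) are hypothetical helpers chosen for this example.

```shell
#!/bin/sh
# Added example (not from the thread or from Samba). IDMAP_CONFIG is a
# constructed copy of "ldbsearch --url=.../idmap.ldb cn=config" output so
# the script runs offline; on a DC, fill it from that command instead.
IDMAP_CONFIG='# record 1
lowerBound: 3000000
upperBound: 4000000
xidNumber: 3000017
distinguishedName: CN=CONFIG'

# Print the first value of attribute $1 found in the ldbsearch output $2.
ldb_attr() {
    printf '%s\n' "$2" | sed -n "s/^$1: //p" | head -n 1
}

# Relative identifier (RID) of a SID: the last dash-separated component.
sid_rid() {
    printf '%s\n' "$1" | sed 's/.*-//'
}

# uidNumber/gidNumber derived from a SID as "RID + offset"; the offset
# defaults to 20000 as in the Domain Users example above (513 -> 20513).
rid_to_xid() {
    _rid=$(sid_rid "$1")
    echo $(( _rid + ${2:-20000} ))
}

# Return 0 if candidate id $1 lies outside [lowerBound, upperBound] of the
# idmap config $2 (safe to store in AD), 1 if it would collide with an
# xidNumber that idmap may allocate by itself, 2 if the config is unusable.
xid_is_safe() {
    _lo=$(ldb_attr lowerBound "$2")
    _hi=$(ldb_attr upperBound "$2")
    if [ -z "$_lo" ] || [ -z "$_hi" ]; then
        echo "no lowerBound/upperBound in idmap config" >&2
        return 2
    fi
    [ "$1" -lt "$_lo" ] || [ "$1" -gt "$_hi" ]
}

# Human-readable verdict for one candidate, used by the demo below.
check_xid() {
    if xid_is_safe "$1" "$2"; then
        echo "$1: OK, outside idmap range"
    else
        echo "$1: COLLIDES with idmap range $(ldb_attr lowerBound "$2")-$(ldb_attr upperBound "$2")"
    fi
}

# Demo with the domain SID seen in this thread: Domain Users (RID 513)
# becomes 20513 and is accepted; 3000032 from the discussion is rejected.
DOMAIN_SID='S-1-5-21-3840058276-1254623269-3939424142'
check_xid "$(rid_to_xid "$DOMAIN_SID-513")" "$IDMAP_CONFIG"
check_xid 3000032 "$IDMAP_CONFIG"
```

Run the check before every `samba-tool user add` / `ldbmodify` that sets uidNumber or gidNumber; anything reported as colliding may be handed out later by idmap to a different SID (and, as the thread notes, differently on each DC), which is exactly the ambiguity the rfc2307 attributes are meant to remove.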
