[Samba] Winbind troubles

Rowland Penny rowlandpenny at googlemail.com
Tue Jul 23 07:20:31 MDT 2013


OK, the documentation is better, but people still get it wrong, probably
because it is more complex than it needs to be. I personally find it easier
to set sssd up, but that is just me.

Why use a word like orthogonal? Just who knows what orthogonal means? I
have only been speaking English for 56 years and have never used that word
in a sentence; just say what you mean and do not hide behind gobbledy-gook.

From what I can see the BUILTIN uids come from Windows (and are called
SIDs) and there they are set in stone.

From the sssd-1.9.0 announcement:

  - Add a new PAC responder for dealing with cross-realm Kerberos trusts

Your turn ;-)

Rowland


On 23 July 2013 13:48, Jonathan Buzzard <jonathan at buzzard.me.uk> wrote:

> On Tue, 2013-07-23 at 11:55 +0100, Rowland Penny wrote:
>
> [SNIP]
>
> >
> > I thought that testparm did exactly that, it tested all the parameters
> > in smb.conf, so if the ranges overlap, it should report the error.
> >
>
> You thought wrong then. It tests to see if they are valid so 1000-akjf
> is invalid and will throw an error, 1000-2000 is valid and will not
> throw an error even if it overlaps with some other range.
>
> >
> > Darned right it is confusing.
> >
>
> It was confusing because the documentation at the time was not complete.
> That is no longer the case.
>
> >
> > Yet people still get it wrong.
> >
>
> There is no accounting for what some people do. I have just checked and
> a Google search for "winbind ad rfc2307 setup" gives a top hit that
> explains the ranges must be orthogonal.
>
> >
> > Why are the BUILTIN uid's & gid's not set in stone? and noted
> > somewhere and users told 'do not use this range'
> >
>
> Because your set in stone range might already be allocated in the AD.
> Not all Samba servers are green field deployments. Some/many have to
> integrate into already existing environments and hence admins need the
> flexibility to adapt to the environment they find themselves in.
>
> >
> >         Also winbind can handle multiple domains so it needs to know
> >         which domain to use to lookup a given UID or GID in.
> >
> >
> > sssd can do this very easily, so your point is?
> >
>
> That is the one thing that sssd cannot do. At least according to the
> documents I have read multiple domains with cross domain trusts equals
> use winbind.
>
> Either way there is no way for either sssd or winbind to know which of
> the potential multiple domains it should look that up in. You could I
> guess take a sledgehammer approach and look it up in all the domains,
> but I can think of lots of reasons why that would not be a good idea.
>
>
> JAB.
>
> --
> Jonathan A. Buzzard                 Email: jonathan (at) buzzard.me.uk
> Fife, United Kingdom.

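An added example, not part of the original thread: a checker for the gap discussed above, where testparm rejects `1000-akjf` but accepts `1000-2000` even when it overlaps another range. It parses `idmap config DOMAIN : range` lines and reports ranges that intersect; the smb.conf fragment and its domain names are constructed for illustration.

```python
import re
from itertools import combinations

# Constructed sample smb.conf fragment; EXAMPLE, TRUSTED and OLD are made-up domains.
SAMPLE_SMB_CONF = """\
[global]
    security = ads
    idmap config * : backend = tdb
    idmap config * : range = 1000-2000
    idmap config EXAMPLE : backend = ad
    idmap config EXAMPLE : range = 1500-99999
    idmap config TRUSTED : backend = rid
    idmap config TRUSTED : range = 100000-199999
    ; idmap config OLD : range = 1-5
"""

# Matches "idmap config <domain> : range = <value>" (names are case-insensitive).
RANGE_RE = re.compile(
    r"^\s*idmap\s+config\s+(?P<dom>[^\s:]+)\s*:\s*range\s*=\s*(?P<val>.*?)\s*$",
    re.IGNORECASE)

def parse_idmap_ranges(text):
    """Return ({domain: (low, high)}, [error strings]) from smb.conf text."""
    ranges, errors = {}, []
    for lineno, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith(("#", ";")):
            continue  # whole-line comment
        m = RANGE_RE.match(line)
        if not m:
            continue
        dom, val = m["dom"].upper(), m["val"]
        parts = re.fullmatch(r"(\d+)\s*-\s*(\d+)", val)
        if not parts or int(parts[1]) > int(parts[2]):
            errors.append(f"line {lineno}: invalid range {val!r} for {dom}")
            continue
        ranges[dom] = (int(parts[1]), int(parts[2]))
    return ranges, errors

def find_overlaps(ranges):
    """Return sorted (domain_a, domain_b) pairs whose ID ranges intersect."""
    return sorted(
        (a, b)
        for (a, ra), (b, rb) in combinations(sorted(ranges.items()), 2)
        if ra[0] <= rb[1] and rb[0] <= ra[1])  # closed intervals intersect

if __name__ == "__main__":
    ranges, errors = parse_idmap_ranges(SAMPLE_SMB_CONF)
    for err in errors:
        print("ERROR:", err)
    for a, b in find_overlaps(ranges):
        print(f"OVERLAP: {a} {ranges[a]} and {b} {ranges[b]}")
```

Run it against the output of `testparm -s` or the smb.conf file itself by passing the file's text to `parse_idmap_ranges`.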
