[Samba] rid mapping works on member server but not DC

Rowland Penny rowlandpenny at googlemail.com
Sun Apr 12 07:34:45 MDT 2015


On 12/04/15 13:50, Jonathan Hunter wrote:
> Thank you Rowland, that clearly explains why it isn't working for me.
> Appreciated.
>
> I was trying to achieve my goal of having two domain controllers for
> redundancy, without having additional physical machines - it looks
> like I'm now in the same boat as the other current thread ("Domain
> controller in a chroot"), which is unfortunate! :(
>
> My scenario is that I have one ESXi physical host, running a VM with
> one DC in it, and one CentOS 6 physical machine, running the other DC
> but also acting as a file server (and with inconsistent UIDs).
>
> In order to get this CentOS 6 host running as both a DC and file
> server, with consistent UIDs, it looks like I will need to either
> - use the 'ad' backend
> - somehow run samba locally as a member server, and for redundancy
> also run samba as a DC via something like Docker (which I don't think
> will work due to the need to expose the DC ports, IP etc. to the rest
> of the domain), or

You could run the CentOS machine as a fileserver with your second DC in 
a VM running on it.

> - perhaps use sssd? (which I haven't yet investigated, to be honest)

You could try sssd; this has a backend like the winbind backend and will 
also work on the DC (well, it did the last time I tried it, which was 
some time ago).

>
> I was reluctant to go down the 'ad' backend route simply because from
> what I can see, there is then the risk of a Windows admin for any part
> of the AD tree being able to 'impersonate' any UNIX user by simply
> changing the uidNumber of a user in that part of the tree, isn't
> there? (within range limits). Whereas with RID mapping the UID is
> algorithmically determined and would need co-operation from the UNIX
> host's admin, instead.

All things come with risks, do you really not trust your co-workers?? 
Also there are probably easier ways of getting access to users' data.

> Or am I over-thinking this? I understand that with 'ad' mapping, at
> least the current max UID is stored somewhere in LDAP and
> automatically applied to new users, so the administrative burden for
> adding new users is reduced, once each existing user has a
> uidNumber/gidNumber allocated.

Yep, I think you are definitely over-thinking this and yes, once the 
correct attributes are added to AD and the correct tools are used to add 
users (samba-tool at this time isn't one of them) you can get the 
uidNumber attribute added automatically.

Rowland
> Thanks!
>
> Jonathan
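Added illustration of the two mapping styles discussed in this thread (example code, not from the thread or from Samba itself): the rid backend derives the ID from the RID with the documented formula ID = RID - BASE_RID + LOW_RANGE_ID, whereas the ad backend takes uidNumber as stored in AD and only enforces the configured range, so an audit for duplicate or locally colliding uidNumber values is the defender's check for the impersonation concern raised above. All account names, SIDs and passwd lines are constructed.

```python
import re
from collections import defaultdict

# Constructed example, not Samba code: models idmap_rid (algorithmic) versus
# idmap_ad (attribute-driven, range-checked only) and audits uidNumber values.

SID_RE = re.compile(r"^(S-1-5-21-\d+-\d+-\d+)-(\d+)$")


def rid_to_unix_id(sid, low, high, base_rid=0):
    """idmap_rid style: ID = RID - BASE_RID + LOW_RANGE_ID, None if out of range."""
    m = SID_RE.match(sid)
    if not m:
        return None
    unix_id = int(m.group(2)) - base_rid + low
    return unix_id if low <= unix_id <= high else None


def ad_uidnumber_to_unix_id(uid_number, low, high):
    """idmap_ad style: the ID is whatever uidNumber holds, if inside the range."""
    if uid_number is None or not (low <= uid_number <= high):
        return None
    return uid_number


def audit_uidnumbers(ad_entries, passwd_lines, low, high):
    """Find uidNumber values that would let two principals share one UNIX UID.

    ad_entries: {sAMAccountName: uidNumber}; passwd_lines: lines of /etc/passwd.
    Returns (duplicates, local_collisions): duplicates maps a UID to the AD
    accounts sharing it; local_collisions lists (account, uid, local_user).
    """
    by_uid = defaultdict(list)
    for sam, uid_number in ad_entries.items():
        unix_id = ad_uidnumber_to_unix_id(uid_number, low, high)
        if unix_id is not None:  # out-of-range values never map, so skip them
            by_uid[unix_id].append(sam)
    duplicates = {uid: sorted(sams) for uid, sams in by_uid.items() if len(sams) > 1}
    local = {}
    for line in passwd_lines:
        fields = line.split(":")
        if len(fields) >= 3 and fields[2].isdigit():
            local[int(fields[2])] = fields[0]
    local_collisions = sorted(
        (sam, uid, local[uid])
        for uid, sams in by_uid.items() if uid in local
        for sam in sams
    )
    return duplicates, local_collisions
```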

