[Samba] Question about samba 4 member server of a pure Windows AD

Stéphane PURNELLE stephane.purnelle at corman.be
Mon Aug 3 07:43:09 UTC 2015


Hi,

An account created with samba3/ldap (created before 2014-02-20):

SID: S-1-5-21-XXXXXXXXXX-XXXXXXXXX-XXXXXXXXXX-3216
UidNumber : 1108

An account created with Users and Computers (samba 4 AD DC):

SID: S-1-5-21-XXXXXXXXXX-XXXXXXXXX-XXXXXXXXXX-5878
uidNumber : 10023


My actual config (in file-server) : 
idmap config XXXXXX:backend = ad 
idmap config XXXXXX:schema_mode = rfc2307
idmap config XXXXXX:range = 1005-40000

If I apply RID backend : 

ID = RID - BASE_RID + LOW_RANGE_ID.

For the first account:
3216 - 0 + 1005 = 4221 => bad, must be 1108

For the latest created account:
5878 - 0 + 1005 = 6883 => bad, must be 10023

If the generated uidNumber is not the same as the actual uidNumber, I will
lose my ACL.

regards

        Stéphane Purnelle




From:    Rowland Penny <rowlandpenny241155 at gmail.com>
To:      samba at lists.samba.org,
Date:    02/08/2015 20:27
Subject: Re: [Samba] Question about samba 4 member server of a pure Windows AD
Sent by: "samba" <samba-bounces at lists.samba.org>



On 02/08/15 17:31, Stéphane PURNELLE wrote:
> Hi,
>
> I don't think that rid backend will work, because when we started samba
> (samba 2.2.8a) lower uid was 1000, but when we moved to samba 4, lower uid
> was put to 10000.
> That means new users and groups use uidNumber or groupNumber > 10000. But
> we have old accounts and groups with uid or gid < 10000
>
>
> regards
>
>          Stéphane Purnelle
>
>
> "samba" <samba-bounces at lists.samba.org> wrote on 31/07/2015 22:42:23:
>
>> From: Rowland Penny <rowlandpenny241155 at gmail.com>
>> To: samba at lists.samba.org,
>> Date: 31/07/2015 22:51
>> Subject: Re: [Samba] Question about samba 4 member server of a pure Windows AD
>> Sent by: "samba" <samba-bounces at lists.samba.org>
>>
>> On 31/07/15 20:43, Stéphane PURNELLE wrote:
>>> Hi,
>>>
>>> Actually, we have a samba 4 AD DC and 2 samba 4 AD member servers as
>>> file-servers.
>>> But my company is a member of a group which has its own AD (a Windows AD
>>> server)
>>>
>>> I don't know if the windows AD has implemented rfc2307 and if the sysadmin
>>> of the windows AD can add rfc2307.
>>>
>>> I just would like to know if there is an alternative to have uid <> sid
>>> mapping without rfc2307.
>>> Like extracting uid from windows SID (based on algorithm uid = uid*2 + 1000
>>> or something like this)
>>>
>>> thank you for your help
>>>
>>>           Stéphane Purnelle
>> Yes, it is called the 'rid' backend, see 'man idmap_rid'
>>
>> Rowland
>>
>>
>> -- 
>> To unsubscribe from this list go to the following URL and read the
>> instructions:  https://lists.samba.org/mailman/options/samba

If you use the rid backend, any uidNumbers & gidNumbers in AD are 
ignored, the user's UID will be calculated from this: ID = RID - BASE_RID 
+ LOW_RANGE_ID

So if you have two users with the RIDs of 9999 & 10001, their UIDs would 
be this (note BASE_RID is 0 unless set in smb.conf), LOW_RANGE_ID would 
be set to 3000

UID = 9999 - 0 + 3000
Which would become: UID = 12999

UID = 10001 - 0 + 3000
Which would become: UID = 13001

These are just a couple of examples, from which I hope you can see, 
provided you set the LOW_RANGE_ID lower than your lowest RID, it should 
work, of course you will probably have to set the builtin range way 
above your workgroup range.

Rowland
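
The mismatch worked through in this thread, as an added example that is not part of the original posts: a small pre-migration audit that applies ID = RID - BASE_RID + LOW_RANGE_ID to each account, lists those whose UID would change (and so lose file ownership and ACL matches), and checks whether any single offset could reproduce the existing uidNumbers. The domain SID is constructed because the thread masks it, the function names are this example's own, and treating an out-of-range result as unmapped is an assumption about the backend's behaviour.

```python
"""Audit: would the idmap rid backend reproduce the uidNumbers already in use?"""

# Constructed domain SID (masked in the thread); RIDs and uidNumbers are from the thread.
DOMAIN_SID = "S-1-5-21-1111111111-222222222-3333333333"
ACCOUNTS = [
    (f"{DOMAIN_SID}-3216", 1108),   # account created with samba3/ldap
    (f"{DOMAIN_SID}-5878", 10023),  # account created on the samba 4 AD DC
]

def rid_of(sid, domain_sid=DOMAIN_SID):
    """Return the RID of a SID that belongs to domain_sid, else raise ValueError."""
    prefix, _, rid = sid.rpartition("-")
    if prefix != domain_sid or not rid.isdigit():
        raise ValueError(f"not a SID of {domain_sid}: {sid}")
    return int(rid)

def rid_to_id(rid, low, high, base_rid=0):
    """ID = RID - BASE_RID + LOW_RANGE_ID; None when the result leaves the range."""
    unix_id = rid - base_rid + low
    return unix_id if low <= unix_id <= high else None

def audit(accounts, low, high, base_rid=0):
    """Return (sid, current_uid, rid_backend_uid) for every account whose UID changes."""
    changed = []
    for sid, current in accounts:
        mapped = rid_to_id(rid_of(sid), low, high, base_rid)
        if mapped != current:
            changed.append((sid, current, mapped))
    return changed

def constant_offset(accounts):
    """Return the one uidNumber - RID offset shared by all accounts, or None."""
    offsets = {uid - rid_of(sid) for sid, uid in accounts}
    return offsets.pop() if len(offsets) == 1 else None

if __name__ == "__main__":
    # Range taken from the idmap config quoted in the thread: 1005-40000.
    for sid, current, mapped in audit(ACCOUNTS, low=1005, high=40000):
        print(f"{sid}: uidNumber {current} -> rid backend {mapped}")
    print("single offset fits all accounts:", constant_offset(ACCOUNTS) is not None)
```

Because the two accounts need different offsets (1108 - 3216 and 10023 - 5878), no choice of BASE_RID and range start makes the rid backend return both existing uidNumbers.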

