[Samba] Question about samba 4 member server of a pure Windows AD

Stéphane PURNELLE stephane.purnelle at corman.be
Mon Aug 3 08:12:41 UTC 2015


Hi,

That's the answer that I wanted to read.

Thank you

        Stéphane Purnelle

"samba" <samba-bounces at lists.samba.org> wrote on 03/08/2015 10:01:39:

> From: Rowland Penny <rowlandpenny241155 at gmail.com>
> To: samba at lists.samba.org
> Date: 03/08/2015 10:10
> Subject: Re: [Samba] Question about samba 4 member server of a pure Windows AD
> Sent by: "samba" <samba-bounces at lists.samba.org>
> 
> On 03/08/15 08:43, Stéphane PURNELLE wrote:
> > Hi,
> >
> > An account created with samba3/ldap (created before 2014-02-20):
> >
> > SID: S-1-5-21-XXXXXXXXXX-XXXXXXXXX-XXXXXXXXXX-3216
> > UidNumber : 1108
> >
> > An account created with Users and computers (samba 4 AD DC)
> >
> > SID: S-1-5-21-XXXXXXXXXX-XXXXXXXXX-XXXXXXXXXX-5878
> > uidNumber : 10023
> >
> >
> > My actual config (in file-server) :
> > idmap config XXXXXX:backend = ad
> > idmap config XXXXXX:schema_mode = rfc2307
> > idmap config XXXXXX:range = 1005-40000
> >
> > If I apply RID backend :
> >
> > ID = RID - BASE_RID + LOW_RANGE_ID.
> >
> > For the first account :
> > 3216 - 0 + 1005 = 4221 => bad must be 1108
> >
> > For the latest created account :
> > 5878 - 0 + 1005 = 6883 => bad must be 10023
> >
> > If the generated uidNumber is not the same as the actual uidNumber, I will
> > lose my ACL.
> >
> > regards
> >
> >          Stéphane Purnelle
> >
> >
> >
> >
> > From:    Rowland Penny <rowlandpenny241155 at gmail.com>
> > To:      samba at lists.samba.org
> > Date:    02/08/2015 20:27
> > Subject: Re: [Samba] Question about samba 4 member server of a pure Windows AD
> > Sent by: "samba" <samba-bounces at lists.samba.org>
> >
> >
> >
> > On 02/08/15 17:31, Stéphane PURNELLE wrote:
> >> Hi,
> >>
> >> I don't think that rid backend will work, because when we started samba
> >> (samba 2.2.8a) the lower uid was 1000, but when we moved to samba 4, the
> >> lower uid was put to 10000.
> >> That means new users and groups use uidNumber or groupNumber > 10000. But
> >> we have old accounts and groups with uid or gid < 10000
> >>
> >>
> >> regards
> >>
> >>           Stéphane Purnelle
> >>
> >>
> >> "samba" <samba-bounces at lists.samba.org> wrote on 31/07/2015 22:42:23:
> >>> From: Rowland Penny <rowlandpenny241155 at gmail.com>
> >>> To: samba at lists.samba.org
> >>> Date: 31/07/2015 22:51
> >>> Subject: Re: [Samba] Question about samba 4 member server of a pure Windows AD
> >>> Sent by: "samba" <samba-bounces at lists.samba.org>
> >>>
> >>> On 31/07/15 20:43, Stéphane PURNELLE wrote:
> >>>> Hi,
> >>>>
> >>>> Actually, we have a samba 4 AD DC and 2 samba 4 AD member servers as
> >>>> file-servers.
> >>>> But my company is a member of a group which has its own AD (a windows AD
> >>>> server)
> >>>>
> >>>> I don't know if the windows AD has implemented rfc2307 and if the sysadmin
> >>>> of the windows AD can add rfc2307.
> >>>>
> >>>> I just would like to know if there are alternatives for having uid <> sid
> >>>> mapping without rfc2307.
> >>>> Like extracting the uid from the windows SID (based on an algorithm
> >>>> uid = uid*2 + 1000 or something like this)
> >>>>
> >>>> thank you for your help
> >>>>
> >>>>            Stéphane Purnelle
> >>> Yes, it is called the 'rid' backend, see 'man idmap_rid'
> >>>
> >>> Rowland
> >>>
> >>>
> > If you use the rid backend, any uidNumbers & gidNumbers in AD are
> > ignored, the user's UID will be calculated from this:
> > ID = RID - BASE_RID + LOW_RANGE_ID
> >
> > So if you have two users with the RIDs of 9999 & 10001, their UIDs would
> > be this (note BASE_RID is 0 unless set in smb.conf), LOW_RANGE_ID would
> > be set to 3000
> >
> > UID = 9999 - 0 + 3000
> > Which would become: UID = 12999
> >
> > UID = 10001 - 0 + 3000
> > Which would become: UID = 13001
> >
> > These are just a couple of examples, from which I hope you can see,
> > provided you set the LOW_RANGE_ID lower than your lowest RID, it should
> > work, of course you will probably have to set the builtin range way
> > above your workgroup range.
> >
> > Rowland
> >
> >
> 
> OK, in your first post there is this:
> 
> [quote]
> I don't know if the windows AD has implemented rfc2307 and if the sysadmin
> of the windows AD can add rfc2307.
> 
> I just would like to know if there are alternatives for having uid <> sid
> mapping without rfc2307.
> [/quote]
> 
> Now you are saying, 'I must use the ad backend, even if it might not 
> have been set up in AD'.
> 
> Sorry but you cannot have it both ways, you either make your AD admins 
> install IDMU and give your users & groups uidNumbers & gidNumbers, or 
> you use the rid backend and set up the ACLs accordingly.
> 
> Rowland
> 
> 
> -- 
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
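
Added example, not part of the original thread and not Samba code: a pre-migration check that applies the rid formula quoted above (ID = RID - BASE_RID + LOW_RANGE_ID) to the two accounts from the thread and compares the result with the uidNumber already stored. The domain SID, the account names and the last two rows are constructed assumptions; the check also flags a rid-derived ID that equals another account's current uidNumber, because files on disk are owned by numeric ID.

```python
import re

# Domain part is a constructed placeholder; the thread masks the real one.
DOMAIN_SID = "S-1-5-21-1000000001-1000000002-1000000003"
SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+-(\d+)$")

def rid_of(sid):
    """Return the RID (last sub-authority) of a domain account SID."""
    m = SID_RE.match(sid)
    if m is None:
        raise ValueError(f"not a domain account SID: {sid!r}")
    return int(m.group(1))

def rid_to_unix_id(rid, low, high, base_rid=0):
    """ID = RID - BASE_RID + LOW_RANGE_ID; None if the result leaves the range."""
    unix_id = rid - base_rid + low
    return unix_id if rid >= base_rid and low <= unix_id <= high else None

def audit(accounts, low, high, base_rid=0):
    """Compare each account's stored uidNumber with its rid-derived ID."""
    owner_of = {uid: name for name, _sid, uid in accounts}  # who owns files today
    report = {}
    for name, sid, current in accounts:
        new = rid_to_unix_id(rid_of(sid), low, high, base_rid)
        if new is None:
            status = "unmapped"
        elif new == current:
            status = "unchanged"
        elif owner_of.get(new, name) != name:
            # The new ID is the numeric owner of another account's files.
            status = "collides with " + owner_of[new]
        else:
            status = "changed"
        report[name] = (current, new, status)
    return report

# First two rows use the RIDs and uidNumbers from the thread; the last two
# are constructed to show a collision and an out-of-range RID.
ACCOUNTS = [
    ("samba3_user", f"{DOMAIN_SID}-3216", 1108),
    ("adc_user", f"{DOMAIN_SID}-5878", 10023),
    ("constructed_a", f"{DOMAIN_SID}-9018", 10050),
    ("constructed_b", f"{DOMAIN_SID}-39500", 10051),
]

if __name__ == "__main__":
    for name, row in audit(ACCOUNTS, low=1005, high=40000).items():
        print(f"{name:14} uidNumber={row[0]:<6} rid-id={row[1]!s:<6} {row[2]}")
```

Any row reported as changed means files and ACL entries recorded under the old numeric ID no longer resolve to that account; a collision row means they resolve to a different account.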

