[Samba] clarification regarding RFC2307 winbind backend, please

BISI d3r3kshaw at gmail.com
Fri Jan 16 21:18:35 MST 2015


Can someone please clarify the scope of the remarks in this wiki page:
https://wiki.samba.org/index.php/RFC2307_backend

specifically, can you confirm that the following applies only to a 
Member Server, (not the DC)?

https://wiki.samba.org/index.php/RFC2307_backend#Configuring_RFC2307_backend_for_Winbind

>  Configuring RFC2307 backend for Winbind
>
> Add the following to the [global] section of your smb.conf:
>
>   # Important: The ranges of the default (*) backend
>   # and the domain(s) must not overlap!
>
>   # Retrieve UIDs/GIDs for domain SAMDOM from AD, via RFC2307.
>   # The range value defines the lowest RID up to the highest,
>   # that will ever be used in this domain. Ask your AD Domain
>   # Administrator, if you don't know which range to define.
>   idmap config SAMDOM:backend = ad
>   idmap config SAMDOM:schema_mode = rfc2307
>   idmap config SAMDOM:range = 10001-40000
>
>   # Store UIDs/GIDs for all other domains (including local
>   # accounts/groups of this server) in a tdb file
>   idmap config *:backend = tdb
>   idmap config *:range = 50001-60000
>
>   # Use home directory and shell information from AD
>   winbind nss info = rfc2307

Also does anyone have any idea why 10001 was chosen as the start of the 
range?  Since the default starting ID on the DC (both a Microsoft server 
and Samba DC) is 10000, this seems incongruous.


As a related issue (depending on the answer to the above), if anyone has 
wiki-editing privileges, and knows the RFC2307 "ropes", perhaps you 
could fix the AD_member_server page which shows what seems to me to be a 
poor choice of ranges for the basic smb.conf file.

    https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server
>  Set up a basic smb.conf
>
> Usually this file is located in /usr/local/samba/etc/.
> Depending on your 'configure' parameters, or if you are using a
> distro/Sernet package, it could be in a different location:
>
> [global]
>
>    netbios name = Member1
>    workgroup = SAMDOM
>    security = ADS
>    realm = SAMDOM.EXAMPLE.COM
>    dedicated keytab file = /etc/krb5.keytab
>    kerberos method = secrets and keytab
>
>    idmap config *:backend = tdb
>    idmap config *:range = 70001-80000
>    idmap config SAMDOM:backend = ad
>    idmap config SAMDOM:schema_mode = rfc2307
>    idmap config SAMDOM:range = 500-40000
>
>    winbind nss info = rfc2307
>    winbind trusted domains only = no
>    winbind use default domain = yes
>    winbind enum users  = yes
>    winbind enum groups = yes
>    winbind refresh tickets = Yes

Cheers!
d.
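A small checker for the non-overlap rule stated in the wiki comment quoted above, added here as an example and not taken from the wiki or the Samba project. The two smb.conf fragments are constructed; the 1000 floor for local system accounts is an assumed Linux-distribution convention, not a Samba rule.

```python
import re
# Constructed smb.conf fragments (not from any live server). GOOD_CONF mirrors
# the wiki fragment quoted above; BAD_CONF is deliberately misconfigured.
GOOD_CONF = """
[global]
   idmap config SAMDOM:backend = ad
   idmap config SAMDOM:range = 10001-40000
   idmap config *:backend = tdb
   idmap config *:range = 50001-60000
"""
BAD_CONF = """
[global]
   idmap config SAMDOM:range = 500-40000
   idmap config *:range = 30000-60000
"""

# Matches "idmap config <domain>:range = <low>-<high>"; parameter names in
# smb.conf are case-insensitive, so the pattern is too.
RANGE_RE = re.compile(
    r"^\s*idmap\s+config\s+([^:]+?)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)\s*$",
    re.IGNORECASE,
)
# Assumption: IDs below this are reserved for local system accounts (Linux convention).
LOCAL_ID_CEILING = 1000

def parse_idmap_ranges(conf_text):
    """Return {domain: (low, high)} for every idmap range line found."""
    ranges = {}
    for line in conf_text.splitlines():
        m = RANGE_RE.match(line)
        if not m:
            continue
        dom, low, high = m.group(1).strip(), int(m.group(2)), int(m.group(3))
        if low > high:
            raise ValueError(f"inverted range for {dom}: {low}-{high}")
        ranges[dom] = (low, high)
    return ranges

def check_idmap(conf_text):
    """Return problems found: overlapping pairs and low-starting ranges."""
    ranges = parse_idmap_ranges(conf_text)
    names, problems = sorted(ranges), []
    for i, a in enumerate(names):
        if ranges[a][0] < LOCAL_ID_CEILING:
            problems.append(f"{a} starts below {LOCAL_ID_CEILING}")
        for b in names[i + 1:]:
            (alo, ahi), (blo, bhi) = ranges[a], ranges[b]
            if alo <= bhi and blo <= ahi:  # closed intervals intersect
                problems.append(f"{a} overlaps {b}")
    return problems
```

Running `check_idmap` over a real smb.conf before restarting winbind catches the overlap case the wiki warns about, which otherwise only shows up later as mis-mapped UIDs/GIDs.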
