[Samba] clarification regarding RFC2307 winbind backend, please
BISI
d3r3kshaw at gmail.com
Fri Jan 16 21:18:35 MST 2015
Can someone please clarify the scope of the remarks in this wiki page:
https://wiki.samba.org/index.php/RFC2307_backend
specifically, can you confirm that the following applies only to a
Member Server (not the DC)?
https://wiki.samba.org/index.php/RFC2307_backend#Configuring_RFC2307_backend_for_Winbind
> Configuring RFC2307 backend for Winbind
>
> Add the following to the [global] section of your smb.conf:
>
> # Important: The ranges of the default (*) backend
> # and the domain(s) must not overlap!
>
> # Retrieve UIDs/GIDs for domain SAMDOM from AD, via RFC2307.
> # The range value defines the lowest RID up to the highest,
> # that will ever be used in this domain. Ask your AD Domain
> # Administrator, if you don't know which range to define.
> idmap config SAMDOM:backend = ad
> idmap config SAMDOM:schema_mode = rfc2307
> idmap config SAMDOM:range = 10001-40000
>
> # Store UIDs/GIDs for all other domains (including local
> # accounts/groups of this server) in a tdb file
> idmap config *:backend = tdb
> idmap config *:range = 50001-60000
>
> # Use home directory and shell information from AD
> winbind nss info = rfc2307
Also, does anyone have any idea why 10001 was chosen as the start of the
range? Since the default starting ID on the DC (both a Microsoft server
and a Samba DC) is 10000, this seems incongruous.
As a related issue (depending on the answer to the above), if anyone has
wiki-editing privileges, and knows the RFC2307 "ropes", perhaps you
could fix the AD_member_server page which shows what seems to me to be a
poor choice of ranges for the basic smb.conf file.
https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server
> Set up a basic smb.conf
>
> Usually this file is located in /usr/local/samba/etc/.
> Depending on your 'configure' parameters, or if you are using a
> distro/Sernet package, it could be in a different location:
>
> [global]
>
> netbios name = Member1
> workgroup = SAMDOM
> security = ADS
> realm = SAMDOM.EXAMPLE.COM
> dedicated keytab file = /etc/krb5.keytab
> kerberos method = secrets and keytab
>
> idmap config *:backend = tdb
> idmap config *:range = 70001-80000
> idmap config SAMDOM:backend = ad
> idmap config SAMDOM:schema_mode = rfc2307
> idmap config SAMDOM:range = 500-40000
>
> winbind nss info = rfc2307
> winbind trusted domains only = no
> winbind use default domain = yes
> winbind enum users = yes
> winbind enum groups = yes
> winbind refresh tickets = Yes
Cheers!
d.
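As an added example (not part of the original post, and not code from the Samba project or its wiki), here is a small Python check over the two smb.conf fragments quoted above. It parses every `idmap config <domain>:range` line, verifies that the ranges do not overlap (the constraint the wiki comment states), flags a domain range that reaches below a configurable floor (the 1000 floor is an assumption used here, because conventional Linux distributions keep UIDs below it for local system accounts), and reports whether a given uidNumber falls inside a domain's range, which is the 10000-versus-10001 boundary the question raises. The sample configs are copied from the quoted pages and reduced to the relevant lines; the function names are this example's own.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample input: the two [global] fragments quoted from the
# Samba wiki earlier in this post, reduced to the lines that matter here.
RFC2307_WINBIND_CONF = """
[global]
idmap config SAMDOM:backend = ad
idmap config SAMDOM:schema_mode = rfc2307
idmap config SAMDOM:range = 10001-40000
idmap config *:backend = tdb
idmap config *:range = 50001-60000
winbind nss info = rfc2307
"""

MEMBER_SERVER_CONF = """
[global]
netbios name = Member1
workgroup = SAMDOM
security = ADS
idmap config *:backend = tdb
idmap config *:range = 70001-80000
idmap config SAMDOM:backend = ad
idmap config SAMDOM:schema_mode = rfc2307
idmap config SAMDOM:range = 500-40000
winbind nss info = rfc2307
"""

# Matches "idmap config <domain>:range = <low>-<high>"; Samba parameter
# names are case-insensitive and tolerate whitespace around ':' and '='.
_RANGE_RE = re.compile(
    r"^\s*idmap\s+config\s+([^:\s]+)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)\s*$",
    re.IGNORECASE,
)


def parse_idmap_ranges(conf: str) -> Dict[str, Tuple[int, int]]:
    """Return {domain: (low, high)} for every idmap range line in conf."""
    ranges: Dict[str, Tuple[int, int]] = {}
    for line in conf.splitlines():
        m = _RANGE_RE.match(line)
        if m:
            ranges[m.group(1)] = (int(m.group(2)), int(m.group(3)))
    return ranges


def ranges_overlap(a: Tuple[int, int], b: Tuple[int, int]) -> bool:
    """Inclusive ranges overlap when neither ends before the other starts."""
    return a[0] <= b[1] and b[0] <= a[1]


def check_idmap_ranges(conf: str, min_domain_id: int = 1000) -> List[str]:
    """List problems with the idmap ranges in conf; an empty list is clean.

    min_domain_id is an assumed floor (not a Samba setting): IDs below it
    are conventionally local system accounts on Linux, so a domain range
    reaching down there can collide with them.
    """
    ranges = parse_idmap_ranges(conf)
    findings: List[str] = []
    if "*" not in ranges:
        findings.append("no default (*) idmap range configured")
    for name, (lo, hi) in ranges.items():
        if lo > hi:
            findings.append(f"{name}: range {lo}-{hi} is inverted")
        if name != "*" and lo < min_domain_id:
            findings.append(
                f"{name}: range starts at {lo}, below {min_domain_id}, "
                "and may collide with local system accounts"
            )
    names = sorted(ranges)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if ranges_overlap(ranges[a], ranges[b]):
                findings.append(
                    f"{a} ({ranges[a][0]}-{ranges[a][1]}) overlaps "
                    f"{b} ({ranges[b][0]}-{ranges[b][1]})"
                )
    return findings


def id_in_domain_range(conf: str, domain: str, xid: int) -> bool:
    """True if uidNumber/gidNumber xid lies inside domain's configured range."""
    ranges = parse_idmap_ranges(conf)
    if domain not in ranges:
        return False
    lo, hi = ranges[domain]
    return lo <= xid <= hi


if __name__ == "__main__":
    for label, conf in (("RFC2307 winbind page", RFC2307_WINBIND_CONF),
                        ("AD member server page", MEMBER_SERVER_CONF)):
        print(f"{label}: {check_idmap_ranges(conf) or ['ok']}")
    # The boundary the question raises: 10000 vs 10001 as the domain start.
    for xid in (10000, 10001):
        print(f"uidNumber {xid} inside SAMDOM range:",
              id_in_domain_range(RFC2307_WINBIND_CONF, "SAMDOM", xid))
```

Run against the two quoted fragments, the first comes back clean and the second is flagged only for the 500 lower bound; neither pair of ranges overlaps. The range matters beyond bookkeeping because idmap_ad(8) documents the range as a filter: a uidNumber or gidNumber stored in AD that falls outside it is ignored by that backend, so with `range = 10001-40000` an account holding uidNumber 10000 would get no mapping from the ad backend.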