[Samba] clarification regarding RFC2307 winbind backend, please
Rowland Penny
rowlandpenny at googlemail.com
Sat Jan 17 01:27:39 MST 2015
On 17/01/15 04:18, BISI wrote:
> Can someone please clarify the scope of the remarks in this wiki page:
> https://wiki.samba.org/index.php/RFC2307_backend
>
> specifically, can you confirm that the following applies only to a
> Member Server, (not the DC)?
>
> https://wiki.samba.org/index.php/RFC2307_backend#Configuring_RFC2307_backend_for_Winbind
>
Yes, you should only use this setup on a member server.
>
>> Configuring RFC2307 backend for Winbind
>>
>> Add the following to the [global] section of your smb.conf:
>>
>> # Important: The ranges of the default (*) backend
>> # and the domain(s) must not overlap!
>>
>> # Retrieve UIDs/GIDs for domain SAMDOM from AD, via RFC2307.
>> # The range value defines the lowest RID up to the highest,
>> # that will ever be used in this domain. Ask your AD Domain
>> # Administrator, if you don't know which range to define.
>> idmap config SAMDOM:backend = ad
>> idmap config SAMDOM:schema_mode = rfc2307
>> idmap config SAMDOM:range = 10001-40000
>>
>> # Store UIDs/GIDs for all other domains (including local
>> # accounts/groups of this server) in a tdb file
>> idmap config *:backend = tdb
>> idmap config *:range = 50001-60000
>>
>> # Use home directory and shell information from AD
>> winbind nss info = rfc2307
>
> Also does anyone have any idea why 10001 was chosen as the start of
> the range? Since the default starting ID on the DC (both a Microsoft
> server and Samba DC) is 10000, this seems incongruous.
>
No idea, but I have changed it to 10000
>
> As a related issue (depending on the answer to the above), if anyone
> has wiki-editing privileges, and knows the RFC2307 "ropes", perhaps
> you could fix the AD_member_server page which shows what seems to me
> to be a poor choice of ranges for the basic smb.conf file.
>
> https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server
>> Set up a basic smb.conf
>>
>> Usually this file is located in /usr/local/samba/etc/.
>> Depending on your 'configure' parameters, or if you are using a
>> distro/Sernet package, it could be in a different location:
>>
>> [global]
>>
>> netbios name = Member1
>> workgroup = SAMDOM
>> security = ADS
>> realm = SAMDOM.EXAMPLE.COM
>> dedicated keytab file = /etc/krb5.keytab
>> kerberos method = secrets and keytab
>>
>> idmap config *:backend = tdb
>> idmap config *:range = 70001-80000
>> idmap config SAMDOM:backend = ad
>> idmap config SAMDOM:schema_mode = rfc2307
>> idmap config SAMDOM:range = 500-40000
>>
>> winbind nss info = rfc2307
>> winbind trusted domains only = no
>> winbind use default domain = yes
>> winbind enum users = yes
>> winbind enum groups = yes
>> winbind refresh tickets = Yes
>
> Cheers!
> d.
>
What ranges would you suggest?
Rowland
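The two smb.conf fragments quoted in this thread differ only in their idmap ranges, and the wiki comment quoted above stresses that the default (*) range and the domain range must not overlap. The following is an added example, not code from the thread or from the Samba project: a small Python check that parses the `idmap config` lines out of an smb.conf, confirms the per-domain ranges do not overlap each other, and flags a domain range that reaches down into the ids normally reserved for local system accounts (assumed here to be 0-999, as on most Linux distributions). Both quoted fragments are embedded as constructed sample input so it runs offline.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample input: the smb.conf fragments quoted in the thread,
# embedded here as strings so the check runs without a real smb.conf.
RFC2307_WIKI_CONF = """
[global]
idmap config SAMDOM:backend = ad
idmap config SAMDOM:schema_mode = rfc2307
idmap config SAMDOM:range = 10001-40000
idmap config *:backend = tdb
idmap config *:range = 50001-60000
winbind nss info = rfc2307
"""

MEMBER_SERVER_WIKI_CONF = """
[global]
idmap config *:backend = tdb
idmap config *:range = 70001-80000
idmap config SAMDOM:backend = ad
idmap config SAMDOM:schema_mode = rfc2307
idmap config SAMDOM:range = 500-40000
"""

# Matches "idmap config <domain>:<option> = <value>"; <domain> may be "*".
IDMAP_RE = re.compile(r"^\s*idmap config\s+([^:]+):(\w+)\s*=\s*(.+?)\s*$", re.IGNORECASE)


def parse_idmap(conf: str) -> Dict[str, Dict[str, str]]:
    """Return {domain: {option: value}} for every 'idmap config' line."""
    result: Dict[str, Dict[str, str]] = {}
    for line in conf.splitlines():
        m = IDMAP_RE.match(line)
        if not m:
            continue
        domain, option, value = m.group(1).strip(), m.group(2).lower(), m.group(3)
        result.setdefault(domain, {})[option] = value
    return result


def parse_range(value: str) -> Tuple[int, int]:
    """Parse 'LOW-HIGH' into a (low, high) tuple, rejecting inverted ranges."""
    lo, hi = (int(x) for x in value.split("-"))
    if lo > hi:
        raise ValueError(f"inverted range {value}")
    return lo, hi


def check_idmap(conf: str, local_reserved_max: int = 999) -> List[str]:
    """Return a list of problems found; an empty list means the ranges look sane.

    local_reserved_max is an assumption: ids 0..999 are treated as belonging
    to local system accounts that no domain range should collide with.
    """
    problems: List[str] = []
    ranges: Dict[str, Tuple[int, int]] = {}
    cfg = parse_idmap(conf)
    if "*" not in cfg:
        problems.append("no default (*) idmap backend configured")
    for domain, opts in cfg.items():
        if "range" not in opts:
            problems.append(f"{domain}: no range set")
            continue
        lo, hi = parse_range(opts["range"])
        ranges[domain] = (lo, hi)
        if lo <= local_reserved_max:
            problems.append(
                f"{domain}: range {lo}-{hi} overlaps local system ids 0-{local_reserved_max}"
            )
    # Pairwise overlap test: two closed intervals overlap iff each starts
    # before the other ends.
    doms = sorted(ranges)
    for i, a in enumerate(doms):
        for b in doms[i + 1:]:
            a_lo, a_hi = ranges[a]
            b_lo, b_hi = ranges[b]
            if a_lo <= b_hi and b_lo <= a_hi:
                problems.append(f"{a} range overlaps {b} range")
    return problems


if __name__ == "__main__":
    for name, conf in (("RFC2307 wiki", RFC2307_WIKI_CONF),
                       ("member server wiki", MEMBER_SERVER_WIKI_CONF)):
        print(name, check_idmap(conf) or "OK")
```

Run against the first fragment the check reports nothing; against the second it reports only that the `SAMDOM` range 500-40000 reaches into the local system id space, which is the concern raised in the thread about that page's choice of ranges. The overlap test is what catches the misconfiguration the wiki comment warns about, so it is worth running after any change to the idmap lines and before restarting winbind.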