[Samba] clarification regarding RFC2307 winbind backend, please

Rowland Penny rowlandpenny at googlemail.com
Sat Jan 17 01:27:39 MST 2015


On 17/01/15 04:18, BISI wrote:
> Can someone please clarify the scope of the remarks in this wiki page:
> https://wiki.samba.org/index.php/RFC2307_backend
>
> specifically, can you confirm that the following applies only to a 
> Member Server, (not the DC)?
>
> https://wiki.samba.org/index.php/RFC2307_backend#Configuring_RFC2307_backend_for_Winbind 
>

Yes, you should only use this setup on a member server.

>
>>  Configuring RFC2307 backend for Winbind
>>
>> Add the following to the [global] section of your smb.conf:
>>
>>   # Important: The ranges of the default (*) backend
>>   # and the domain(s) must not overlap!
>>
>>   # Retrieve UIDs/GIDs for domain SAMDOM from AD, via RFC2307.
>>   # The range value defines the lowest RID up to the highest,
>>   # that will ever be used in this domain. Ask your AD Domain
>>   # Administrator, if you don't know which range to define.
>>   idmap config SAMDOM:backend = ad
>>   idmap config SAMDOM:schema_mode = rfc2307
>>   idmap config SAMDOM:range = 10001-40000
>>
>>   # Store UIDs/GIDs for all other domains (including local
>>   # accounts/groups of this server) in a tdb file
>>   idmap config *:backend = tdb
>>   idmap config *:range = 50001-60000
>>
>>   # Use home directory and shell information from AD
>>   winbind nss info = rfc2307
>
> Also does anyone have any idea why 10001 was chosen as the start of 
> the range?  Since the default starting ID on the DC (both a Microsoft 
> server and Samba DC) is 10000, this seems incongruous.
>

No idea, but I have changed it to 10000.

>
> As a related issue (depending on the answer to the above), if anyone 
> has wiki-editing privileges, and knows the RFC2307 "ropes", perhaps 
> you could fix the AD_member_server page which shows what seems to me 
> to be a poor choice of ranges for the basic smb.conf file.
>
>    https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server
>>  Set up a basic smb.conf
>>
>> Usually this file is located in /usr/local/samba/etc/.
>> Depending on your 'configure' parameters, or if you are using a
>> distro/Sernet package, it could be in a different location:
>>
>> [global]
>>
>>    netbios name = Member1
>>    workgroup = SAMDOM
>>    security = ADS
>>    realm = SAMDOM.EXAMPLE.COM
>>    dedicated keytab file = /etc/krb5.keytab
>>    kerberos method = secrets and keytab
>>
>>    idmap config *:backend = tdb
>>    idmap config *:range = 70001-80000
>>    idmap config SAMDOM:backend = ad
>>    idmap config SAMDOM:schema_mode = rfc2307
>>    idmap config SAMDOM:range = 500-40000
>>
>>    winbind nss info = rfc2307
>>    winbind trusted domains only = no
>>    winbind use default domain = yes
>>    winbind enum users  = yes
>>    winbind enum groups = yes
>>    winbind refresh tickets = Yes
>
> Cheers!
> d.
>

What ranges would you suggest?

Rowland
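As an added example, not part of this thread or of the Samba project: a small Python check that parses the `idmap config <domain>:range` lines out of an smb.conf text and flags the two things a practitioner looks for when reviewing ranges like the ones quoted above, namely the overlap the wiki comment says must not happen, and a domain range that reaches down into the local system account ID space (assumed here to be UIDs/GIDs at or below 999, the common Linux convention). The sample inputs are the two idmap fragments quoted in the thread, reproduced as constructed smb.conf text.

```python
import re
from typing import Dict, List, Tuple
# Matches "idmap config <domain>:range = <low>-<high>"; smb.conf keys are case-insensitive
RANGE_RE = re.compile(
    r"^\s*idmap\s+config\s+(?P<domain>[^:\s]+)\s*:\s*range\s*=\s*(?P<lo>\d+)\s*-\s*(?P<hi>\d+)\s*$",
    re.IGNORECASE,
)

def parse_idmap_ranges(smb_conf: str) -> Dict[str, Tuple[int, int]]:
    """Return {DOMAIN: (low, high)} for every 'idmap config X:range' line."""
    ranges: Dict[str, Tuple[int, int]] = {}
    for line in smb_conf.splitlines():
        m = RANGE_RE.match(line)
        if m:
            ranges[m.group("domain").upper()] = (int(m.group("lo")), int(m.group("hi")))
    return ranges

def check_idmap_ranges(ranges: Dict[str, Tuple[int, int]], system_id_max: int = 999) -> List[str]:
    """Flag a missing default (*) range, ranges inside local system IDs, and overlapping ranges."""
    problems: List[str] = []
    if "*" not in ranges:
        problems.append("no default (*) idmap range configured")
    names = sorted(ranges)
    for name in names:
        lo, hi = ranges[name]
        if lo <= system_id_max:  # assumed threshold: IDs <= 999 belong to local system accounts
            problems.append(f"{name}: range starts at {lo}, inside local system ID space (<= {system_id_max})")
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            (alo, ahi), (blo, bhi) = ranges[a], ranges[b]
            if alo <= bhi and blo <= ahi:  # closed intervals intersect
                problems.append(f"{a} ({alo}-{ahi}) overlaps {b} ({blo}-{bhi})")
    return problems

# Constructed sample input: the two idmap fragments quoted in the thread, as smb.conf text.
RFC2307_CONF = """
  idmap config SAMDOM:backend = ad
  idmap config SAMDOM:range = 10001-40000
  idmap config *:backend = tdb
  idmap config *:range = 50001-60000
"""
MEMBER_CONF = """
   idmap config *:range = 70001-80000
   idmap config SAMDOM:range = 500-40000
"""

if __name__ == "__main__":
    for label, conf in (("RFC2307 page", RFC2307_CONF), ("member server page", MEMBER_CONF)):
        print(label, check_idmap_ranges(parse_idmap_ranges(conf)) or ["ok"])
```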
