[Samba] rfc2307 deprecated in Windows 2012 R2?

Rowland Penny rowlandpenny at googlemail.com
Fri Jan 30 03:01:45 MST 2015


On 29/01/15 22:56, Hans-Kristian Bakke wrote:
> Something went wrong and the message got sent before it was finished.
> Here is the complete one:
>
> Ok, it's here: http://pastebin.com/JEnr5wUq
>
> The id_offset is that value because I initially didn't use rfc2307
> attributes, but instead had
>
> idmap config EXAMPLE : range = 300000-499999
>
> in smb.conf.
>
> To get identical uid/gids you have to start with the same offset. If you
> have a fresh domain and are just starting with AD-integration on your
> linux-boxes you can just pull out the logic for generating winbind
> compatible uids/gids.
>
> -
> Regards,
>
> Hans-Kristian
>
>
> On 29 January 2015 at 23:53, Hans-Kristian Bakke <hkbakke at gmail.com> wrote:
>> Ok, it's here: http://pastebin.com/JEnr5wUq
>>
>> The id_offset is that value because I initially didn't use rfc2307
>> attributes, but instead
>>
>>
>> On 29 January 2015 at 23:27, Tim <lists at kiuni.de> wrote:
>>> @Hans-Kristian:
>>> I'd like to see it. How did you automate this?
>>>
>>> @Andrew:
>>> In another thread I suggested to set the rfc2307 info automatically when a
>>> domain is provisioned with --use-rfc2307. Possibly by an additional
>>> parameter.
>>> This would make things easier in my eyes.
>>>
>>> Thanks
>>> Tim
>>>
>>> On 29 January 2015 22:02:14 CET, Hans-Kristian Bakke
>>> <hkbakke at gmail.com> wrote:
>>>> It is actually rather easy to set the attributes via powershell, and
>>>> that is probably the best way to add them in a Server 2012 R2
>>>> environment.
>>>>
>>>> I wrote a powershell script to do this automatically for users and
>>>> groups in an entire domain that should be pretty generic to be reused.
>>>> It also mirrors the logic used in automatic winbind UID/GID generation
>>>> to be able to coexist in an environment where not all hosts are
>>>> migrated to rfc2307 yet. If you want it I can give it to you, but as
>>>> you probably would want to write your own powershell-script you would
>>>> set properties for users and groups using these two cmdlets and some
>>>> foreach-logic looping over your search bases, users and groups:
>>>>
>>>> Set-ADUser -Identity $username -Replace @{uidNumber=$uid;gidNumber=$primary_group_gid;unixHomeDirectory=$homedir;loginShell=$login_shell}
>>>>
>>>> Set-ADGroup -Identity $groupname -Replace @{gidNumber=$gid}
>>>>
>>>> On 29 January 2015 at 21:24, Lars Hanke <debian at lhanke.de> wrote:
>>>>>   On 29.01.2015 at 21:12, Tim wrote:
>>>>>>
>>>>>>   But if they take it away how to set them in future?
>>>>>
>>>>>
>>>>>   If you need NIS, you probably have POSIX systems attached. So you can always
>>>>>   set RFC2307 attributes from POSIX systems.
>>>>>
>>>>>
>>>>>>   On 29 January 2015 19:50:22 CET, Andrew Bartlett
>>>>>>   <abartlet at samba.org> wrote:
>>>>>>>
>>>>>>>   On Wed, 2015-01-28 at 17:22 +0100, Tim wrote:
>>>>>>>>
>>>>>>>>   I got the chance to test samba 4 with windows 2012 R2 domain
>>>>>>>>   controller on its highest functional level.
>>>>>>>>
>>>>>>>>   Possibly it's important to know that M$ says that the "server for NIS
>>>>>>>>   Tools" which are needed to set rfc attributes are deprecated.
>>>>>>>>   I could install them but I can't choose a NIS domain anymore in Unix
>>>>>>>>   attributes.
>>>>>>>>
>>>>>>>>   Will we run into problems with samba4? Is it time for thinking about a
>>>>>>>>   new idmapping backend? I have an idea for this (based on rid module)
>>>>>>>>   but I like to know your thoughts.
>>>>>>>
>>>>>>>
>>>>>>>   Even if they take away the admin tools, the schema changes won't go
>>>>>>>   away, so don't worry.
>>>>>>>
>>>>>>>   --
>>>>>>>   Andrew Bartlett
>>>>>>>    http://samba.org/~abartlet/
>>>>>>>   Authentication Developer, Samba Team  http://samba.org
>>>>>>>   Samba Developer, Catalyst IT
>>>>>>>   http://catalyst.net.nz/services/samba
>>>>>
>>>>>
>>>>>   --
>>>>>   To unsubscribe from this list go to the following URL and read the
>>>>>   instructions:  https://lists.samba.org/mailman/options/samba

OK, had a quick look through your script and I cannot recommend it. It
would seem to give Administrator (and everybody else) a 'uidNumber';
Administrator's 'uidNumber' would be 300500, not a good idea.

Rowland
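
An added example, not part of the original thread and not the pastebin script: a PowerShell sketch of the offset-plus-RID assignment discussed above that leaves built-in accounts such as Administrator (RID 500) without a `uidNumber`. The formula `uidNumber = 300000 + RID` is inferred from the 300500 figure and the quoted idmap range; the search base, the RID cut-off of 1000 and the function names are assumptions, and only `uidNumber` is handled here.

```powershell
# Added example; not the script discussed in the thread.
Import-Module ActiveDirectory

$IdLow      = 300000   # low end of "idmap config EXAMPLE : range = 300000-499999"
$IdHigh     = 499999   # high end of the same range
$MinRid     = 1000     # assumption: RIDs below 1000 are well-known accounts (Administrator = 500)
$SearchBase = 'OU=People,DC=example,DC=com'   # hypothetical search base

function Get-RidFromSid {
    param([Parameter(Mandatory)][string]$Sid)
    # The RID is the last sub-authority of the SID string.
    [int64](($Sid -split '-')[-1])
}

function Get-UnixIdForSid {
    param([Parameter(Mandatory)][string]$Sid)
    $rid = Get-RidFromSid -Sid $Sid
    # Built-in accounts get no POSIX id at all.
    if ($rid -lt $MinRid) { return $null }
    $id = [int64]$IdLow + $rid
    # Fail closed instead of writing an id outside the configured range.
    if ($id -gt $IdHigh) { throw "RID $rid maps outside $IdLow-$IdHigh" }
    return [int]$id
}

Get-ADUser -Filter * -SearchBase $SearchBase -Properties uidNumber | ForEach-Object {
    $uid = Get-UnixIdForSid -Sid $_.SID.Value
    if ($null -eq $uid) {
        Write-Host "skip $($_.SamAccountName): built-in RID, no uidNumber assigned"
    } elseif ($null -ne $_.uidNumber -and $_.uidNumber -ne $uid) {
        # Never silently overwrite an id that files on disk may already depend on.
        Write-Warning "$($_.SamAccountName): existing uidNumber $($_.uidNumber) differs from $uid, left unchanged"
    } elseif ($null -eq $_.uidNumber) {
        # -WhatIf prints the change without writing it; remove it after reviewing the output.
        Set-ADUser -Identity $_ -Replace @{uidNumber = $uid} -WhatIf
    }
}
```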


