[Samba] rfc2307 deprecated in Windows 2012 R2?

Hans-Kristian Bakke hkbakke at gmail.com
Fri Jan 30 10:29:33 MST 2015


On one of your DCs? As in you run Samba for your DCs?

This thread was using Server 2012 R2 as DCs, and that was what my
response was aimed at. I am also using Server 2012 R2 for DCs. In this
case the Administrator is "just a user" seen from the linux boxes.
That Administrator is assigned a root role in a Samba DC is not a
surprise to me, as it then becomes more than an external Windows user,
but rather has to somewhat resemble the "full access" special internal
role an Administrator has on a Windows domain.

With this misunderstanding out of the way I can see your arguments. I
find it rather confusing that you use arguments for the Samba DC in a
thread for a Server 2012 R2 use case, but that might just be me.

--
Regards,
Hans-Kristian

On 30 January 2015 at 18:12, Rowland Penny <rowlandpenny at googlemail.com> wrote:
> On 30/01/15 16:55, Hans-Kristian Bakke wrote:
>>
>> I still do not follow you. An additional reason for including
>> administrator in the first place, not including that I actually want
>> it to work against the linux boxes like every other domain user, was
>> because winbind returns the exact same mapping when using idmap
>> backend RID with range 300000-499999 (i.e. not rfc2307 attributes)
>>
>>> wbinfo -i administrator
>>
>>
>> administrator:*:300500:300513:Administrator:/home/example.com/administrator:/bin/bash
>
>
> On one of my DCs:
>
> wbinfo -i administrator
> EXAMPLE\Administrator:*:0:10000::/home/EXAMPLE/Administrator:/bin/bash
>
> and from idmap.ldb (created by the provision):
>
> dn: CN=S-1-5-21-2025076216-3455336656-3842161122-500
> cn: S-1-5-21-2025076216-3455336656-3842161122-500
> objectClass: sidMap
> objectSid: S-1-5-21-2025076216-3455336656-3842161122-500
> type: ID_TYPE_UID
> xidNumber: 0
> distinguishedName: CN=S-1-5-21-2025076216-3455336656-3842161122-500
>
> Oh look, it is mapped to '0', i.e. 'root'
>
>>
>> So the winbind devs obviously also think that Administrator should be
>> mapped like every other domain user.
>
>
> Do you want to retract that last statement?
>
>> The nice thing about this is that RFC2307 enabled winbind hosts,
>> sssd-ad hosts and winbind hosts still using RID can all coexist
>> peacefully and with the same UID/GID mapping (a need I had, thus
>> creating the need for the migration script).
>>
>> But as I can see this is strictly a personal thing for you, it is of
>> course okay to not give administrator a UID. You can just exclude the
>> user in the script, so the functionality can still be used as a base,
>> or you can throw it in the garbage if you want to :) I was worried
>> that there were some technical consequences that I had somewhat missed
>> for years.
>>
>> Regards,
>> Hans-Kristian
>
>
> Yes, you seem to be missing the fact that 'Administrator' is a special
> Windows user and shouldn't be turned into a normal Unix user.
>
>
> Rowland
>
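The mismatch the thread is arguing about, as an added example that is not code from the thread or from Samba: it computes the Unix ID a winbind member server with the 'rid' backend derives from a SID (range 300000-499999 as quoted above, so RID 500 becomes 300500), parses an idmap.ldb dump in the shape of the record Rowland quoted, and flags any SID mapped to ID 0 or mapped differently from the rid-backend result. The second idmap.ldb entry and the idmap settings are assumptions, not taken from either poster's setup.

```python
import re

# Constructed sample: the idmap.ldb record quoted in the thread plus a made-up second entry.
SAMPLE_IDMAP_LDB = """\
dn: CN=S-1-5-21-2025076216-3455336656-3842161122-500
objectSid: S-1-5-21-2025076216-3455336656-3842161122-500
type: ID_TYPE_UID
xidNumber: 0

dn: CN=S-1-5-21-2025076216-3455336656-3842161122-1105
objectSid: S-1-5-21-2025076216-3455336656-3842161122-1105
type: ID_TYPE_BOTH
xidNumber: 3000021
"""

# Assumed member-server settings, matching the thread's quoted range:
#   idmap config EXAMPLE : backend = rid, range = 300000-499999
RID_LOW, RID_HIGH = 300000, 499999
DOMAIN_SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+-(\d+)$")

def rid_backend_xid(sid, low=RID_LOW, high=RID_HIGH):
    """ID the 'rid' backend computes: low + RID (last SID component),
    or None when that falls outside the configured range."""
    m = DOMAIN_SID_RE.match(sid)
    if not m:
        raise ValueError("not a domain SID: %s" % sid)
    xid = low + int(m.group(1))
    return xid if low <= xid <= high else None

def parse_idmap_ldb(text):
    """Parse ldbsearch-style idmap.ldb output into (sid, type, xid) tuples."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        attrs = dict(l.split(": ", 1) for l in block.splitlines() if ": " in l)
        if "objectSid" in attrs and "xidNumber" in attrs:
            records.append((attrs["objectSid"], attrs.get("type", ""),
                            int(attrs["xidNumber"])))
    return records

def audit(records, low=RID_LOW, high=RID_HIGH):
    """Flag IDs of 0, and DC mappings that differ from the rid-backend result."""
    findings = []
    for sid, typ, xid in records:
        member_xid = rid_backend_xid(sid, low, high)
        if xid == 0:
            findings.append("%s (%s) is mapped to 0, i.e. root" % (sid, typ))
        elif xid != member_xid:
            findings.append("%s: DC maps %d, rid backend gives %s" % (sid, xid, member_xid))
    return findings
```

Running `audit(parse_idmap_ldb(SAMPLE_IDMAP_LDB))` reports the Administrator SID as mapped to root and the second SID as mapped to 3000021 on the DC versus 301105 on a rid-backend member, which is exactly the kind of disagreement the migration script in the thread was meant to avoid.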

