[Samba] rfc2307 deprecated in Windows 2012 R2?

Hans-Kristian Bakke hkbakke at gmail.com
Fri Jan 30 10:45:00 MST 2015


I did get something from this though. It is interesting to know that
Administrator gets assigned a generated UID/GID by winbind when used as
member servers in a Windows DC environment, but is mapped to root when
Samba runs the DC-part.

Nice to know at least.

On 30 January 2015 at 18:33, Rowland Penny <rowlandpenny at googlemail.com> wrote:
> On 30/01/15 17:29, Hans-Kristian Bakke wrote:
>>
>> On one of your DCs? As in you run Samba for your DCs?
>>
>> This thread was using Server 2012 R2 as DCs, and that was what my
>> response was aimed at. I am also using Server 2012 R2 for DCs. In this
>> case the Administrator is "just a user" seen from the linux boxes.
>> That Administrator is assigned a root-role in a Samba DC is not a
>> surprise for me as it then becomes more than an external Windows user,
>> but rather has to somewhat resemble the "full access" special internal
>> role an Administrator has on a Windows domain.
>>
>> With this misunderstanding out of the way I can see your arguments. I
>> find it rather confusing that you use arguments for the Samba DC in a
>> thread for a Server 2012 R2 use case but that might just be me.
>>
>> --
>> Regards,
>> Hans-Kristian
>>
>> On 30 January 2015 at 18:12, Rowland Penny <rowlandpenny at googlemail.com>
>> wrote:
>>>
>>> On 30/01/15 16:55, Hans-Kristian Bakke wrote:
>>>>
>>>> I still do not follow you. An additional reason for including
>>>> administrator in the first place, not including that I actually want
>>>> it to work against the linux boxes like every other domain user, was
>>>> because winbind returns the exact same mapping when using idmap
>>>> backend RID with range 300000-499999 (i.e. not rfc2307 attributes)
>>>>
>>>>> wbinfo -i administrator
>>>>
>>>>
>>>>
>>>> administrator:*:300500:300513:Administrator:/home/example.com/administrator:/bin/bash
>>>
>>>
>>> On one of my DCs:
>>>
>>> wbinfo -i administrator
>>> EXAMPLE\Administrator:*:0:10000::/home/EXAMPLE/Administrator:/bin/bash
>>>
>>> and from idmap.ldb (created by the provision):
>>>
>>> dn: CN=S-1-5-21-2025076216-3455336656-3842161122-500
>>> cn: S-1-5-21-2025076216-3455336656-3842161122-500
>>> objectClass: sidMap
>>> objectSid: S-1-5-21-2025076216-3455336656-3842161122-500
>>> type: ID_TYPE_UID
>>> xidNumber: 0
>>> distinguishedName: CN=S-1-5-21-2025076216-3455336656-3842161122-500
>>>
>>> Oh look it is mapped to '0' i.e. 'root'
>>>
>>>> So the winbind devs obviously also think that Administrator should be
>>>> mapped like every other domain user.
>>>
>>>
>>> Do you want to retract that last statement ?
>>>
>>>> The nice thing about this is that RFC2307 enabled winbind hosts,
>>>> sssd-ad hosts and winbind hosts still using RID can all coexist
>>>> peacefully and with the same UID/GID mapping (a need I had, thus
>>>> creating the need for the migration script).
>>>>
>>>> But as I can see this is strictly a personal thing for you, it is of
>>>> course okay to not give administrator a UID. You can just exclude the
>>>> user in the script, so the functionality can still be used as a base,
>>>> or you can throw it in the garbage if you want to :) I was worried
>>>> that there were any technical consequences that I somewhat had missed
>>>> for years.
>>>>
>>>> Regards,
>>>> Hans-Kristian
>>>
>>>
>>> Yes, you seem to be missing the fact that 'Administrator' is a special
>>> Windows user and shouldn't be turned into a normal Unix user.
>>>
>>>
>>> Rowland
>>>
>>> --
>>> To unsubscribe from this list go to the following URL and read the
>>> instructions:  https://lists.samba.org/mailman/options/samba
>
>
> The thread sort of degenerated away from the original topic and as such I
> can understand why we disagree, but only up to a point.
>
> I think we should stop here before it starts getting silly :-)
>
>
> Rowland

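Added example, not part of either poster's messages: a Python check that takes the two `wbinfo -i` lines quoted in the thread, compares each UID with what idmap_rid computes (ID = RID - BASE_RID + LOW_RANGE_ID) for range 300000-499999, and flags any domain account that lands on UID 0. The function names and the SID paired with the member-server line are assumptions made for illustration.

```python
# Added example (not from the thread): audit `wbinfo -i` lines against idmap_rid.
from typing import List, NamedTuple

class Passwd(NamedTuple):
    name: str
    uid: int
    gid: int

def parse_wbinfo_i(line: str) -> Passwd:
    """Parse the passwd-style line printed by `wbinfo -i` (7 colon-separated fields)."""
    fields = line.strip().split(":")
    if len(fields) != 7:
        raise ValueError(f"expected 7 fields, got {len(fields)}: {line!r}")
    return Passwd(fields[0], int(fields[2]), int(fields[3]))

def rid_of(sid: str) -> int:
    """Return the RID, i.e. the last sub-authority of a domain SID."""
    if not sid.startswith("S-1-5-21-"):
        raise ValueError(f"not a domain SID: {sid!r}")
    return int(sid.rsplit("-", 1)[1])

def idmap_rid_id(rid: int, low: int, high: int, base_rid: int = 0) -> int:
    """idmap_rid mapping: ID = RID - BASE_RID + LOW_RANGE_ID, rejected outside the range."""
    unix_id = rid - base_rid + low
    if rid < base_rid or unix_id > high:
        raise ValueError(f"RID {rid} falls outside range {low}-{high}")
    return unix_id

def audit(sid: str, line: str, low: int, high: int) -> List[str]:
    """Return findings for one account; an empty list means it matches idmap_rid."""
    entry, findings = parse_wbinfo_i(line), []
    if entry.uid == 0:
        findings.append(f"{entry.name}: mapped to UID 0 (root on this host)")
    expected = idmap_rid_id(rid_of(sid), low, high)
    if entry.uid != expected:
        findings.append(f"{entry.name}: UID {entry.uid} != idmap_rid value {expected}")
    return findings

# The two wbinfo lines and the DC SID are quoted in the thread; the SID paired
# with the member-server line is a constructed placeholder.
LOW, HIGH = 300000, 499999
MEMBER = ("S-1-5-21-1111111111-2222222222-3333333333-500",
          "administrator:*:300500:300513:Administrator:/home/example.com/administrator:/bin/bash")
DC = ("S-1-5-21-2025076216-3455336656-3842161122-500",
      "EXAMPLE\\Administrator:*:0:10000::/home/EXAMPLE/Administrator:/bin/bash")

if __name__ == "__main__":
    for sid, line in (MEMBER, DC):
        print(audit(sid, line, LOW, HIGH) or f"{line.split(':')[0]}: consistent")
```

Run against every host that serves the same files: a non-empty result on one host and an empty one on another means file ownership for that account will not agree between them.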
