[Samba] rfc2307 deprecated in Windows 2012 R2?
Davor Vusir
davortvusir at gmail.com
Sat Jan 31 11:43:54 MST 2015
Hans-Kristian Bakke wrote on 2015-01-30 17:20:
> I do not understand the point about issues with administrator being
> mapped to a "random" rfc2307 UID. You need to explain the details
> surrounding that part to me as my experience is that this is OK and
> even necessary.
>
> The only reason for not giving Administrator a "random" UID/GID that I
> can think of is perhaps if you are doing some mapping of Administrator
> to root, something which I am personally strongly against as they are
> _not_ the same users from any central authentication point of view. It
> is just a hack for people that are doing the mistake of actually using
> the administrator account for linux administration, when it shouldn't
> really be used for anything at all, even on windows boxes, as you
> should be adding dedicated admin accounts for each admin.
Here is how I tried to explain why not to use 'smbmapping' of
Administrator to root:
http://www.spinics.net/lists/samba/msg120633.html. It's just wrong to do
that.
> The script only gives users and groups that are non-local (i.e domain
> users that would actually be used for logins with non-zero SIDs)
> uid/gids. Administrator is one of them and giving it an UID of
> 300500/whatever is absolutely correct and necessary if administrator
> is going to be able to login to the linux boxes like everybody else.
> From a linux box's view in a Windows DC domain administrator is no
> different from other users. Add your admin group to sudoers and ssh
> allowgroups and you are done. This works beautifully in several well
> tested and abused production systems, also with ACLs with
> administrator added.
Well put!
Regards
Davor
> --
> Hans-Kristian
>
> On 30 January 2015 at 11:01, Rowland Penny <rowlandpenny at googlemail.com> wrote:
>> On 29/01/15 22:56, Hans-Kristian Bakke wrote:
>>> Something went wrong and the message got sent before it was finished.
>>> Here is the complete one:
>>>
>>> Ok, it's here: http://pastebin.com/JEnr5wUq
>>>
>>> The id_offset is that value because I initially didn't use rfc2307
>>> attributes, but instead had
>>>
>>> idmap config EXAMPLE : range = 300000-499999
>>>
>>> in smb.conf.
>>>
>>> To get identical uid/gids you have to start with the same offset. If you
>>> have a fresh domain and are just starting with AD-integration on your
>>> linux boxes you can just pull out the logic for generating winbind
>>> compatible uids/gids.
>>>
>>> -
>>> Regards,
>>>
>>> Hans-Kristian
>>>
>>>
>>> On 29 January 2015 at 23:53, Hans-Kristian Bakke <hkbakke at gmail.com>
>>> wrote:
>>>> Ok, it's here: http://pastebin.com/JEnr5wUq
>>>>
>>>> The id_offset is that value because I initially didn't use rfc2307
>>>> attributes, but instead
>>>>
>>>>
>>>> On 29 January 2015 at 23:27, Tim <lists at kiuni.de> wrote:
>>>>> @Hans-Kristian:
>>>>> I'd like to see it. How did you automate this?
>>>>>
>>>>> @Andrew:
>>>>> In another thread I suggested to set the rfc2307 info automatically when
>>>>> a
>>>>> domain is provisioned with --use-rfc2307. Possibly by an additional
>>>>> parameter.
>>>>> This would make things easier in my eyes.
>>>>>
>>>>> Thanks
>>>>> Tim
>>>>>
>>>>> On 29 January 2015 22:02:14 CET, Hans-Kristian Bakke
>>>>> <hkbakke at gmail.com> wrote:
>>>>>> It is actually rather easy to set the attributes via powershell, and
>>>>>> that is probably the best way to add them in a Server 2012 R2
>>>>>> environment.
>>>>>>
>>>>>> I wrote a powershell script to do this automatically for users and
>>>>>> groups in an entire domain that should be pretty generic to be reused.
>>>>>> It also mirrors the logic used in automatic winbind UID/GID generation
>>>>>> to be able to coexist in an environment where not all hosts are
>>>>>> migrated to rfc2307 yet. If you want it I can give it to you, but as
>>>>>> you probably would want to write your own powershell-script you would
>>>>>> set properties for users and groups using these two cmdlets and some
>>>>>> foreach-logic looping over your search bases, users and groups:
>>>>>>
>>>>>> Set-ADUser -Identity $username -Replace @{uidNumber=$uid;gidNumber=$primary_group_gid;unixHomeDirectory=$homedir;loginShell=$login_shell}
>>>>>>
>>>>>> Set-ADGroup -Identity $groupname -Replace @{gidNumber=$gid}
>>>>>>
>>>>>> On 29 January 2015 at 21:24, Lars Hanke <debian at lhanke.de> wrote:
>>>>>>> On 29.01.2015 at 21:12, Tim wrote:
>>>>>>>>
>>>>>>>> But if they take it away how to set them in future?
>>>>>>>
>>>>>>>
>>>>>>> If you need NIS, you probably have POSIX systems attached. So you
>>>>>>> can always set RFC2307 attributes from POSIX systems.
>>>>>>>
>>>>>>>
>>>>>>>> On 29 January 2015 19:50:22 CET, Andrew Bartlett
>>>>>>>> <abartlet at samba.org> wrote:
>>>>>>>>>
>>>>>>>>> On Wed, 2015-01-28 at 17:22 +0100, Tim wrote:
>>>>>>>>>>
>>>>>>>>>> I got the chance to test samba 4 with windows 2012 R2 domain
>>>>>>>>>> controller on its highest functional level.
>>>>>>>>>>
>>>>>>>>>> Possibly it's important to know that M$ says that the "server for
>>>>>>>>>> NIS Tools" which are needed to set rfc attributes are deprecated.
>>>>>>>>>> I could install them but I can't choose a NIS domain anymore in
>>>>>>>>>> Unix attributes.
>>>>>>>>>>
>>>>>>>>>> Will we run into problems with samba4? Is it time for thinking
>>>>>>>>>> about a new idmapping backend? I have an idea for this (based on
>>>>>>>>>> rid module) but I like to know your thoughts.
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> Even if they take away the admin tools, the schema changes won't
>>>>>>>>> go
>>>>>>>>> away, so don't worry.
>>>>>>>>>
>>>>>>>>> --
>>>>>>>>> Andrew Bartlett
>>>>>>>>> http://samba.org/~abartlet/
>>>>>>>>> Authentication Developer, Samba Team http://samba.org
>>>>>>>>> Samba Developer, Catalyst IT
>>>>>>>>> http://catalyst.net.nz/services/samba
>>>>>>>
>>>>>>>
>>>>>>> --
>>>>>>> To unsubscribe from this list go to the following URL and read the
>>>>>>> instructions: https://lists.samba.org/mailman/options/samba
>>
>> OK, had a quick look through your script and I cannot recommend it; it would
>> seem to give Administrator (and everybody else) a 'uidNumber'.
>> Administrator's 'uidNumber' would be 300500, not a good idea.
>>
>> Rowland
>>
>>
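The cmdlet calls Hans-Kristian quotes above (Set-ADUser / Set-ADGroup with -Replace) and the idea of mirroring winbind's RID-based id generation (range 300000-499999, so RID 500 becomes 300500) can be put together into a small script. The following is an added example written for this archive, not the pastebin script from the thread. It assumes the ActiveDirectory PowerShell module is installed, that the caller may modify user and group objects, and that the search base 'OU=Accounts,DC=example,DC=com' is a constructed placeholder; the function and parameter names are the example's own.

```powershell
# Added example, not the script linked in the thread. Requires the ActiveDirectory
# module (RSAT) and an account allowed to modify user and group objects.
Import-Module ActiveDirectory

# Mirror winbind's RID-based mapping: id = range_low + RID, which is what
# "idmap config EXAMPLE : range = 300000-499999" produces (Administrator,
# RID 500, gets uidNumber 300500). Returns $null for ids that must not be set.
function ConvertTo-Rfc2307Id {
    param(
        [Parameter(Mandatory)][string]$Sid,
        [Parameter(Mandatory)][string]$DomainSid,
        [int]$IdOffset,
        [int]$IdMax
    )
    # Only objects from this domain get an id; BUILTIN (S-1-5-32-*) and other
    # well-known SIDs would otherwise collide with domain RIDs.
    if (-not $Sid.StartsWith("$DomainSid-")) { return $null }
    $id = $IdOffset + [int]($Sid.Split('-')[-1])
    if ($id -gt $IdMax) { return $null }
    return $id
}

function Set-Rfc2307Attributes {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$SearchBase,  # constructed placeholder, e.g. 'OU=Accounts,DC=example,DC=com'
        [int]$IdOffset = 300000,
        [int]$IdMax = 499999,
        [string]$HomeRoot = '/home',
        [string]$LoginShell = '/bin/bash'
    )
    $domainSid = (Get-ADDomain).DomainSID.Value

    # Groups first, so every gidNumber exists before a user references it.
    foreach ($g in Get-ADGroup -Filter * -SearchBase $SearchBase -Properties gidNumber) {
        $gid = ConvertTo-Rfc2307Id -Sid $g.SID.Value -DomainSid $domainSid -IdOffset $IdOffset -IdMax $IdMax
        if ($null -eq $gid) { Write-Warning "Skipping group $($g.SamAccountName): not a domain object or outside range"; continue }
        if ($g.gidNumber -eq $gid) { continue }   # already correct; keeps repeated runs idempotent
        if ($PSCmdlet.ShouldProcess($g.DistinguishedName, "set gidNumber=$gid")) {
            Set-ADGroup -Identity $g -Replace @{gidNumber = $gid}
        }
    }

    foreach ($u in Get-ADUser -Filter * -SearchBase $SearchBase -Properties uidNumber, gidNumber, primaryGroupID, unixHomeDirectory, loginShell) {
        $uid = ConvertTo-Rfc2307Id -Sid $u.SID.Value -DomainSid $domainSid -IdOffset $IdOffset -IdMax $IdMax
        if ($null -eq $uid) { Write-Warning "Skipping user $($u.SamAccountName): not a domain object or outside range"; continue }
        # primaryGroupID holds the RID of the primary group, so the same offset applies.
        $gid = $IdOffset + $u.primaryGroupID
        $attrs = @{
            uidNumber         = $uid
            gidNumber         = $gid
            unixHomeDirectory = "$HomeRoot/$($u.SamAccountName)"
            loginShell        = $LoginShell
        }
        if ($u.uidNumber -eq $uid -and $u.gidNumber -eq $gid -and
            $u.unixHomeDirectory -eq $attrs.unixHomeDirectory -and $u.loginShell -eq $LoginShell) { continue }
        if ($PSCmdlet.ShouldProcess($u.DistinguishedName, "set uidNumber=$uid gidNumber=$gid")) {
            Set-ADUser -Identity $u -Replace $attrs
        }
    }
}

# Dry run first (prints what would change), then apply:
# Set-Rfc2307Attributes -SearchBase 'OU=Accounts,DC=example,DC=com' -WhatIf
# Set-Rfc2307Attributes -SearchBase 'OU=Accounts,DC=example,DC=com'
```

Because the ids are derived from the RID with the same offset winbind used, hosts still on the old `idmap config ... : range = 300000-499999` setting and hosts already reading the rfc2307 attributes agree on every uid and gid, which is the coexistence the thread is after; the domain-SID check is what keeps BUILTIN and other non-domain objects from being given ids, and the ShouldProcess wiring makes -WhatIf show the planned changes before anything is written.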