[Samba] Samba AD PDC , LDAP and Single-Sign-On

Mark Foley mfoley at ohprs.org
Sat Oct 10 07:26:38 UTC 2015


On Sat, 10 Oct 2015 16:07 Andrew Bartlett wrote

> For the pain that you are about to endure, I can only offer my apologies.

Apologies accepted! :) Seriously though, the Samba team has done a great job
with the AD stuff.  I was pretty much able to drop Samba4 in as a replacement
for our SBS 2008 with virtually no issues.  What issues I had were mostly
Microsoft idiosyncrasies (refer to my GPO rant to Rowland).  I used the
Slackware as-shipped Samba4, provisioned (with BIND9_FLATFILE), added users
with RSAT ADUC and Win7 domain users were none the wiser, everything just
worked: redirected folders, RDC, SQL Server "Windows Authentication", etc.  Good
job!

My quest to replace Microsoft continues ...

For my immediate need, I'd like someone to give me the proverbial "fish" and I'll
"learn to fish" later. Given that my AD domain users are group 100, and the AD
users UID range is 3000000-3000099, what should my idmap config settings look
like in the wiki-adapted 'member server' smb.conf shown below? Just tell me the
right answer, I'll figure out why later.

[global]
  netbios name = uCommon
  workgroup = HPRS
  security = ADS
  realm = HPRS.LOCAL
  dedicated keytab file = /etc/krb5.keytab
  kerberos method = secrets and keytab

  idmap config *:backend = tdb
  idmap config *:range = ???-???
  idmap config HPRS:backend = ad
  idmap config HPRS:schema_mode = rfc2307
  idmap config HPRS:range = ???-???

  winbind nss info = rfc2307
  winbind trusted domains only = no
  winbind use default domain = yes
  winbind enum users  = yes
  winbind enum groups = yes
  winbind refresh tickets = Yes

[demoshare]
  path = /srv/samba/test
  read only = no


Thanks, --Mark

-----Original Message-----
> From: Andrew Bartlett <abartlet at samba.org>
> To: Mark Foley <mfoley at ohprs.org>, samba at lists.samba.org
> Date: Sat, 10 Oct 2015 16:07:22 +1300
> Subject: Re: [Samba] Samba AD PDC , LDAP and Single-Sign-On
>
> On Fri, 2015-10-09 at 21:08 -0400, Mark Foley wrote:
> > Thanks again for your quick reply ...
>
> > Frankly, even after reading the
> > https://www.samba.org/samba/docs/man/manpages/idmap_ad.8.html wiki, I
> > don't really get the differentiation between 'idmap config *' and
> > 'idmap config DOMAIN'
> > 
> > Do I have to have something similar on the AD/DC? Right now, there
> > are no idmap
> > statements in that smb.conf.
> > 
> > Thanks for your time (and patience), --Mark
>
> For the pain that you are about to endure, I can only offer my
> apologies.  As Rowland and others on the list will quickly point out,
> this is an area that is far from satisfactory.  All the solutions are a
> compromise of one kind or another, from the nature of compressing a
> 128-bit (or more) SID value into a 32-bit UID or GID value.
>
> Almost every new Samba team member starts with a desire to finally
> implement the 'perfect' solution here, but the result of that desire
> colliding with reality has ended up with a despairing 'let the admin
> specify what they want'.  
>
> One way of doing that is to manually fill in the uidNumber and
> gidNumber values, and then tell the client and server to use that.
> Samba has trouble doing that in a race-free way, and so far declines to
> be as helpful as it could be.
>
> Sorry,
>
> Andrew Bartlett
>
> -- 
> Andrew Bartlett                       http://samba.org/~abartlet/
> Authentication Developer, Samba Team  http://samba.org
> Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
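The two constraints the question above turns on can be checked mechanically: the range of the default ('*') backend and the range of the domain backend must not overlap, and with 'idmap config DOMAIN:backend = ad' winbind only maps uidNumber/gidNumber values that fall inside the DOMAIN range, so every RFC2307 ID stored in AD has to lie within it. The following Python script is an added example, not code from this thread or from the Samba project. The smb.conf fragment, the numeric ranges in it and the AD attribute values are constructed to exercise the checks; they are placeholders, not a recommended answer to the ranges asked about. Run against the scenario described in the question, it flags a primary-group gidNumber of 100 as outside a domain range that begins at 3000000, which is the first thing to look at before choosing the ranges.

```python
"""Check winbind idmap ranges in a member-server smb.conf.

Added example, not from the mailing-list post or the Samba project.
Two checks, both following smb.conf(5) and idmap_ad(8):
  1. the ranges of the default ('*') backend and of each domain
     backend must not overlap;
  2. with 'backend = ad', winbind only maps uidNumber/gidNumber values
     that lie inside that domain's configured range, so every ID stored
     in AD must fall within it.
All input below is constructed for illustration.
"""
import re
from typing import Dict, List, Tuple

# Constructed smb.conf fragment. The numeric ranges are placeholders
# chosen to exercise the checks, not a recommended configuration.
SAMPLE_SMB_CONF = """
[global]
  security = ADS
  realm = HPRS.LOCAL
  workgroup = HPRS
  idmap config *:backend = tdb
  idmap config *:range = 10000-19999
  idmap config HPRS:backend = ad
  idmap config HPRS:schema_mode = rfc2307
  idmap config HPRS:range = 3000000-3999999
"""

# Constructed RFC2307 attribute values as they might be stored in AD.
SAMPLE_AD_UIDS = [3000000, 3000001, 3000099]   # uidNumber of domain users
SAMPLE_AD_GIDS = [100]                         # gidNumber of their primary group

_RANGE_RE = re.compile(
    r"^\s*idmap\s+config\s+(?P<dom>\S+?)\s*:\s*range\s*=\s*"
    r"(?P<lo>\d+)\s*-\s*(?P<hi>\d+)\s*$",
    re.IGNORECASE,
)


def parse_idmap_ranges(conf: str) -> Dict[str, Tuple[int, int]]:
    """Return {DOMAIN: (low, high)} for every 'idmap config X:range' line."""
    ranges: Dict[str, Tuple[int, int]] = {}
    for line in conf.splitlines():
        m = _RANGE_RE.match(line)
        if not m:
            continue
        lo, hi = int(m.group("lo")), int(m.group("hi"))
        if lo > hi:
            raise ValueError(f"inverted range for {m.group('dom')}: {lo}-{hi}")
        ranges[m.group("dom").upper()] = (lo, hi)
    return ranges


def overlapping_ranges(ranges: Dict[str, Tuple[int, int]]) -> List[Tuple[str, str]]:
    """Pairs of domains whose ranges intersect; winbind requires disjoint ranges."""
    names = sorted(ranges)
    clashes: List[Tuple[str, str]] = []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            alo, ahi = ranges[a]
            blo, bhi = ranges[b]
            if alo <= bhi and blo <= ahi:
                clashes.append((a, b))
    return clashes


def ids_outside_range(ranges: Dict[str, Tuple[int, int]], domain: str,
                      ids: List[int]) -> List[int]:
    """IDs from AD that idmap_ad would refuse to map for 'domain'."""
    lo, hi = ranges[domain.upper()]
    return [i for i in ids if not lo <= i <= hi]


def check_config(conf: str, domain: str, uids: List[int], gids: List[int]) -> List[str]:
    """Human-readable findings; an empty list means the config passes both checks."""
    ranges = parse_idmap_ranges(conf)
    findings: List[str] = []
    if "*" not in ranges:
        findings.append("no 'idmap config *:range' for the default backend")
    if domain.upper() not in ranges:
        findings.append(f"no 'idmap config {domain}:range'")
        return findings
    for a, b in overlapping_ranges(ranges):
        findings.append(f"ranges of '{a}' and '{b}' overlap")
    for uid in ids_outside_range(ranges, domain, uids):
        findings.append(f"uidNumber {uid} is outside the {domain} range")
    for gid in ids_outside_range(ranges, domain, gids):
        findings.append(f"gidNumber {gid} is outside the {domain} range")
    return findings


if __name__ == "__main__":
    for line in check_config(SAMPLE_SMB_CONF, "HPRS", SAMPLE_AD_UIDS, SAMPLE_AD_GIDS) or ["OK"]:
        print(line)
```

To use it against a real member server, feed the live /etc/samba/smb.conf into check_config and fill the uid/gid lists from the uidNumber and gidNumber attributes on the DC (for example from the output of 'wbinfo -i' and 'wbinfo --group-info' once winbind is up). Practitioners also keep both ranges clear of the UIDs and GIDs already present in the member server's own /etc/passwd and /etc/group, since winbind cannot detect that clash for you.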
