[Samba] Samba AD: gidNumber?
Viktor Trojanovic
viktor at troja.ch
Tue Oct 27 09:34:11 UTC 2015
On 27.10.2015 09:05, Rowland Penny wrote:
> On 26/10/15 22:35, Viktor Trojanovic wrote:
>>
>>
>> On 26.10.2015 23:03, Rowland Penny wrote:
>>> On 26/10/15 21:38, Viktor Trojanovic wrote:
>>>> I joined a Samba AD member server (file server) to a Samba AD DC.
>>>> This seems to have worked. However, if I try to access the file
>>>> server from the domain administrator account on a Windows client, I
>>>> am asked to provide authorization details. Since I have no other
>>>> privileged users, I am using the domain admin credentials but
>>>> they're not accepted.
>>>>
>>>> I'm not sure exactly where to look but I think the problem could be
>>>> connected to the following: On my member server, the getent command
>>>> does not yield any results. As per the recommendations on the
>>>> "Samba Member Server Troubleshooting" page, I checked on the DC if
>>>> the group Domain Users has a gidNumber. Well, it doesn't. Neither
>>>> do my users have uidNumbers though this, allegedly, is not such an
>>>> issue.
>>>
>>> Yes it is, there is no point in adding a gidNumber to Domain Users
>>> if you are not going to give your Users a uidNumber.
>>>
>>> As far as how to add uidNumbers and gidNumbers, well firstly, do you
>>> need to? If your users are never going to actually log into the
>>> member server and this is your only Unix machine, you could use the
>>> winbind 'rid' backend, this will create the ID numbers on the fly.
>>> If you have more than one member server, or Unix clients or want
>>> your users to log into the member server, you will probably be
>>> better off using the winbind 'ad' backend. To do this you will need
>>> to give your users a unique uidNumber and Domain Users (at least) a
>>> gidNumber. You can do this by using the ADUC UNIX Attributes tab, by
>>> writing your own script using an ldif, or by using something like
>>> the LDAP Account Manager (LAM).
>>>
>>> Rowland
>> Thanks again for helping, Rowland.
>>
>> As I mentioned before, both the DC and the member server are Unix
>> running Samba 4.3. The purpose of the member server is to act as file
>> server, nothing more.
>>
>> The clients are all Windows machines and users, they will never log
>> in to one of the Unix systems directly. If they are able to access
>> shares on the file server without having to log in, then I guess this
>> 'rid' backend seems to be what I need. Correct? Can you give me some
>> pointers on how to do that, or direct me to the documentation?
>>
>> Though one has to wonder: There is a wiki how to implement a Samba
>> AD, and how to add a Samba Member Server. I followed the instructions
>> step by step, for both, and now it turns out that the instructions
>> for the member server are not made to fit the configuration of the
>> DC? That's a bit discouraging.
>>
>> Viktor
>
> The main problem is that idmap.ldb on the DC will allocate an
> xidNumber to a user in the '3000000' range, this xidNumber is used for
> the user's uidNumber. If you use the DC as a fileserver and a user
> stores something on the DC and you were to examine the permissions,
> you will find that it doesn't belong to a user but a number. This gets
> worse, if you have two DCs, you can and probably will get different
> numbers on each DC. Now this is not a problem until you do something
> like copy the file from one DC to the other, the file could then
> belong to another user, this can also happen with a member server.
>
> If you use a member server and do not want your users to log into it,
> you can use the winbind 'rid' backend, this will allocate UID numbers
> to your users using an algorithm based on the user's RID, this also has
> the effect of creating the same UID on every member server.
>
> If you need to use the DC as a fileserver, then I would advise the use
> of the winbind 'ad' backend. Using this, your users will get the same
> UID everywhere, as the user's UID is stored in AD using the uidNumber
> attribute.
>
> To add uidNumber & gidNumber attributes to AD is fairly simple, you
> can do it using ADUC, or by writing your own script around an ldif.
>
> To use the winbind 'rid' backend, see here:
> https://wiki.samba.org/index.php/Idmap_config_rid
>
> Rowland
>
>
Thanks a lot for this very valuable information, this has all become a lot
clearer now.
I am currently just doing a lab setup with a very small AD (5 users, 1
OU, just the standard groups), so I want to try both variations,
starting with the ad (rfc2307) backend, and I already have some questions.
I'm using Win10 RSAT, so I don't have the "Unix Attributes" tab but I
can still modify the attributes manually in the "Attributes" tab. I
understand how to change the attributes but I'm not clear on which
values to use.
The wiki says that "by default, ADUC starts assigning UIDs and GIDs at
10000". I haven't changed those defaults anywhere so this is what must
apply for my AD. But I don't understand how ADUC "assigns" anything. It
seems that I have to manually choose which values to enter, and I'm not
being restricted. So, I'm worried I will break something if I make a
mistake here.
For example, I gave the admin account a UID of 10000 and my Domain Users
group a GID of 10000. Was that the right thing to do? And where do I go
from here? Because I'm further confused by the sentence in the wiki
"Every time a UID/GID is assigned using ADUC, the next UID/GID is stored
inside the AD". So, this sounds like there has to be a strict rule which
number comes next.
By the way, is there a way that the server could just handle these
assignments automatically for me? Or is this the ldif script I would
have to write myself you were mentioning?
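The two idmap choices discussed in this thread, as an added example that is not part of the original mail: the 'rid' backend computes the Unix ID from the account's RID and the low end of the configured range (so every member server arrives at the same number), while the 'ad' backend reads uidNumber/gidNumber from AD, for which the script below allocates values sequentially from 10000 and emits an LDIF. The domain name, base DN, idmap range and account RIDs other than the well-known 500/513 are constructed sample values.

```python
# Constructed sample: "idmap config SAMDOM : range = 10000-999999" in smb.conf
IDMAP_RANGE = (10000, 999999)
# Constructed sample accounts (name, RID); 500 is the well-known RID of
# Administrator, 513 the well-known RID of Domain Users.
SAMPLE_USERS = [("Administrator", 500), ("viktor", 1103), ("alice", 1104)]
DOMAIN_USERS_RID = 513


def rid_to_xid(rid, idmap_range=IDMAP_RANGE):
    """idmap_rid algorithm: ID = RID + low end of the range.
    Returns None when the result falls outside the range, which is the
    case winbind cannot map (the account then shows up as unmapped)."""
    low, high = idmap_range
    xid = low + rid
    return xid if low <= xid <= high else None


def allocate_ad_ids(users, start=10000, idmap_range=IDMAP_RANGE):
    """Sequential allocation for the 'ad' backend, mimicking ADUC's counter
    that starts at 10000: Domain Users gets gidNumber = start and each user
    gets the next free uidNumber (UIDs and GIDs are separate number spaces,
    so Administrator 10000 / Domain Users 10000 is fine). Values outside the
    idmap range are rejected, because idmap_ad ignores such objects."""
    low, high = idmap_range
    mapping = {"Domain Users": {"gidNumber": start}}
    for offset, (name, _rid) in enumerate(users):
        uid = start + offset
        if not low <= uid <= high:
            raise ValueError(f"{name}: uidNumber {uid} outside range {idmap_range}")
        mapping[name] = {"uidNumber": uid}
    return mapping


def to_ldif(mapping, base_dn="DC=samdom,DC=example,DC=com"):
    """Render the allocation as LDIF 'modify' entries for ldbmodify/ldapmodify.
    Assumes the objects live in CN=Users; adjust the dn for other OUs."""
    entries = []
    for name, attrs in mapping.items():
        lines = [f"dn: CN={name},CN=Users,{base_dn}", "changetype: modify"]
        for attr, value in attrs.items():
            lines += [f"replace: {attr}", f"{attr}: {value}", "-"]
        entries.append("\n".join(lines))
    return "\n\n".join(entries) + "\n"


if __name__ == "__main__":
    print("rid backend, Domain Users ->", rid_to_xid(DOMAIN_USERS_RID))
    print(to_ldif(allocate_ad_ids(SAMPLE_USERS)))
```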