[Samba] D.C. and File Server on the same server...

Linda W samba at tlinx.org
Thu Nov 10 22:41:48 UTC 2016

Rowland Penny via samba wrote:
> On Wed, 09 Nov 2016 15:20:41 -0800
> Linda W <samba at tlinx.org> wrote:
>>>>     I have been waiting for the 4.x server to become a full server
>>>> before upgrading from 3.6.22, but it is getting a bit long in the
>>>> tooth. The requirement that in upgrading to 4.x I'll still need to
>>>> run a 3.6 server made the upgrade seem like a lot of work for
>>>> little gain (I only have a few users and most of them are "virtual
>>>> me's"...). 
>>> Samba 4 is capable of being a full AD DC.
>> ---
>>     But is it capable of being a full 3.6.xx file server with the
>> same flexibility in mapping windows-ID's to local unix ID's?
> This is the 'old' way of doing things and Microsoft seems to be trying
> to make it harder and harder to work with non-AD servers.
    Yeah... lovely.
> So no, you don't map windows users to local Unix users, you make them
> local Unix users.
    But I can create unix id's that are not windows domain id's.
Various software packages installed on the server want their own ID --
and many of those have nothing to do with Windows.  If I create
the Id from windows, it creates a unix ID as well -- so I think that's
already being done, though not always automatically -- especially if
I have an existing unix ID that I want to have available on windows.
>>     For example, I have the security groupings in my server's
>> /etc/group file:
>> Low Mandatory Level:!:11604096:
>> Medium Mandatory Level:!:11608192:
>> Medium Plus Mandatory Level:!:11608448:
>> High Mandatory Level:!:11612288:
>> System Mandatory Level:!:11616384:root
>>     on the server, so when I login to windows and bring up cygwin,
>> I see my security label in my group listing.  I have several
>> Win-builtin and well-known ID ranges mapped to unix-ID ranges and
>> that works (at least for identification purposes -- you can't
>> force a Mandatory-level your user id doesn't already have in windows,
>> but it will show ones you do have if there is a label for them
>> in "winbind").  I use winbind to provide a single-signon from
>> linux or win with the file ownerships being the same for domain RID's
>> on linux and on windows (win7).
> Just create the groups in AD and you probably won't need cygwin.
    I don't need cygwin.  It is handy for printing out all the ID's
associated with a login -- including the mandatory labels.  All of that
isn't in one place on windows -- I used cygwin as an example as it's
an easy way to verify what groups are associated with my ID, which
for Domain groups, you can't easily see in Windows (maybe you can
w/AD, dunno).

>>> If you use the DC as a fileserver, then there are a few minor
>>> problems you need to work around, mostly to do with IDs
>> ----
>>     "Minor problems" -- enough so that it is recommended to run them
>> on separate machines?
> OK, the main visible problems are, A DC uses xidNumber's by default,
> these are all in the '3000000' range and any Unix domain members will
> get different IDs. You can work around this by giving Domain users &
> groups a uidNumber or gidNumber, this way, they all get the same ID
> everywhere in Unixland.
> You cannot use the login shell & Unix home directory attributes from AD
> on a DC, you have to use template lines in smb.conf.
    Why not?  Can't I configure that range?... FWIW, though, right
now my ID's all map to the same range (as I don't rely on auto-allocation),
like   "idmap config *:range = 0-999999999"  -- just wanted to
make it include all of my mapped ranges.

   I'm not adverse to solving things w/symlinks or mounts on
unix.  For example, I have 'Athenae's (one of my win machines) disk
mounted at '/Athenae' on my unix machine. When I use 'ls -l', on that dir,
I see links on my win-machine that map to corresponding locations on
my unix machine, like:
l--------- 1            0 Sep 24 14:55 D -> /??/UNC/Bliss/Documents/
l--------- 1            0 Jun 13 18:40 Documents -> /??/UNC/Bliss/Documents/

I.e. the links work the same whether you are on the windows
or the linux machine.  Only works for me at this point, but
since I'm the only person who works on the unix machine, that's
fine at this point.

> You don't really need most of the BUILTIN users & groups to be visible
> to Unix, winbind will silently map them for you with 'idmap config
> *:backend = tdb'
    I need them visible if I want them to display on the
Win machines in security dialogs showing users or groups from
the domain.  I.e. I generally see all of the available ID's
on my server -- which is good, as I don't remember them all,
and they aren't visible on my workstation.  So configuring
the server to enumerate them when I ask for all ID's of a type,
is very convenient if not essential (at least for me, as I don't
use all of them often enough to remember them).

> No, you probably can't have it as easy as you have it now, with AD you
> can have it easier ;-)
    For those that already know all the ins and outs, it's "obvious",
for those who don't -- it's magic... (akin to sufficiently advanced
technology looking like magic... ;-)).
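An added example, not code from this thread or from Samba itself: a small Python model of how an idmap_rid-style mapping turns a SID into a Unix ID (ID = RID + LOW_RANGE_ID), plus a check that configured idmap ranges stay disjoint. The range table is constructed; its 11600000 base is an assumption chosen because it reproduces the mandatory-label gids quoted above (11604096 = 11600000 + 4096 for S-1-16-4096), and the catch-all 0-999999999 is the one from the post, which the overlap check flags because a Unix ID claimed by two backends makes file ownership ambiguous.

```python
import re

# Constructed range table (idmap domain name -> (low, high)), written the
# way 'idmap config NAME : range = low-high' lines appear in smb.conf.
# The MANDATORY base is an assumption that reproduces the gids quoted in
# the thread; '*' is the catch-all range from the post.
IDMAP_RANGES = {
    "*": (0, 999_999_999),
    "MANDATORY": (11_600_000, 11_699_999),
}

# Constructed: which SID prefix each idmap domain is responsible for.
# S-1-16 is the Windows mandatory-label authority.
SID_PREFIX = {"MANDATORY": "S-1-16"}

SID_RE = re.compile(r"^S-1-\d+(?:-\d+)*$")

def split_sid(sid):
    """Return (prefix, rid): 'S-1-16-4096' -> ('S-1-16', 4096)."""
    if not SID_RE.match(sid):
        raise ValueError("not a SID: %r" % sid)
    prefix, _, rid = sid.rpartition("-")
    return prefix, int(rid)

def rid_to_unix_id(sid, domain):
    """idmap_rid arithmetic: ID = RID + LOW_RANGE_ID.  Returns None when
    the SID belongs to another authority or the result leaves the range."""
    low, high = IDMAP_RANGES[domain]
    prefix, rid = split_sid(sid)
    if SID_PREFIX.get(domain) != prefix:
        return None
    unix_id = low + rid
    return unix_id if low <= unix_id <= high else None

def overlapping_ranges(ranges):
    """Return (a, b) pairs of idmap domains whose ranges intersect.  Any
    Unix ID inside such an intersection could be handed out by either
    backend, so the same uid/gid may mean two different principals."""
    names = sorted(ranges)
    clashes = []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            a_lo, a_hi = ranges[a]
            b_lo, b_hi = ranges[b]
            if a_lo <= b_hi and b_lo <= a_hi:
                clashes.append((a, b))
    return clashes

if __name__ == "__main__":
    for label, sid in [("Low", "S-1-16-4096"), ("System", "S-1-16-16384")]:
        print(label, sid, "->", rid_to_unix_id(sid, "MANDATORY"))
    print("overlaps:", overlapping_ranges(IDMAP_RANGES))
```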
