[Samba] D.C. and File Server on the same server...

Rowland Penny rpenny at samba.org
Fri Nov 11 08:46:13 UTC 2016


On Thu, 10 Nov 2016 14:41:48 -0800
Linda W <samba at tlinx.org> wrote:

> Rowland Penny via samba wrote:

> >   
> ----
>     But I can create unix id's that are not windows domain id's.
> Various software packages installed on the server want their own ID --
> and many of those have nothing to do with Windows.  If I create
> the Id from windows, it creates a unix ID as well -- so I think that's
> already being done, though not always automatically -- especially if
> I have an existing unix ID that I want to have available on windows.

If you are talking about 'system' accounts (postfix, dovecot, apache,
etc.) then these do belong in /etc/passwd and /etc/group. As far as I am
aware, Windows doesn't use Unix IDs, it uses SID-RIDs.

> >>
> >>     on the server, so when I login to windows and bring up cygwin,
> >> I see my security label in my group listing.  I have several
> >> Win-builtin and well-known ID ranges mapped to unix-ID ranges and
> >> that works (at least for identification purposes -- you can't
> >> force a Mandatory-level your user id doesn't already have in
> >> windows, but it will show ones you do have if there is a label for
> >> them in "winbind".  I use winbind to provide a single-signon from
> >> linux or win with the file ownerships being the same for domain
> >> RID's on linux and on windows (win7).
> >>     
> >
> > Just create the groups in AD and you probably won't need cygwin.
> >   
> ----
>     I don't need cygwin.  It is handy for printing out all the ID's
> associated with a login -- including the mandatory labels.  All of
> that isn't in one place on windows -- I used cygwin as an example as
> it's an easy way to verify what groups are associated with my ID,
> which for Domain groups, you can't easily see in Windows (maybe you
> can w/AD, dunno).

OK, if you create a user or group in AD it gets a SID-RID, this is one
for Domain Users:

S-1-5-21-1768301897-3342589593-1064908849-513

If I run 'getent group Domain\ Users' on a Unix domain member, I get
this:

domain_users:x:10000:

What! A Windows group is usable on Unix, how is this possible?

This is possible because you can add this to the groups object in AD:

gidNumber: 10000


> 
> >   
> >>>   
> >>> If you use the DC as a fileserver, then there are a few minor
> >>> problems you need to work around, mostly to do with IDs
> >>>   
> >>>       
> >> ----
> >>     "Minor problems" -- enough so that it is recommended to run
> >> them on separate machines?
> >>     
> >
> > OK, the main visible problems are, A DC uses xidNumber's by default,
> > these are all in the '3000000' range and any Unix domain members
> > will get different IDs. You can work around this by giving Domain
> > users & groups a uidNumber or gidNumber, this way, they all get the
> > same ID everywhere in Unixland.
> > You cannot use the login shell & Unix home directory attributes
> > from AD on a DC, you have to use template lines in smb.conf.
> >   
> ---
>     Why not?  Can't I configure that range?... FWIW, though, right
> now my ID's all map to the same range (as don't rely on
> auto-allocation), like   "idmap config *:range = 0-999999999"  --
> just wanted to make it include all of my mapped ranges.

Firstly, you shouldn't be starting your range at '0', but that is your
decision. As I said, you do not map, you make your windows users &
groups be Unix users & groups, you are also at liberty to give your
users and groups whatever ID number you like.

> 
>    I'm not averse to solving things w/symlinks or mounts on
> unix.  For example, I have 'Athenae's (one of my win machines) disk
> mounted at '/Athenae' on my unix machine. When I use 'ls -l', on that
> dir, I see links on my win-machine that map to corresponding
> locations on my unix machine, like:
> l--------- 1            0 Sep 24 14:55 D -> /??/UNC/Bliss/Documents/
> l--------- 1            0 Jun 13 18:40 Documents -> /??/UNC/Bliss/Documents/
> 
> I.e. the links work the same whether you are on the windows
> or the linux machine.  Only works for me at this point, but
> since I'm the only person who works on the unix machine, that's
> fine at this point.
> 
>

Never tried to do this, but it should work on AD as well. Only thing
is, it is usually done the other way around, i.e. the data is stored
on a Unix machine and then mounted on the Windows machine.

> > You don't really need most of the BUILTIN users & groups to be
> > visible to Unix, winbind will silently map them for you with 'idmap
> > config *:backend = tdb'
> >   
> ---
>     I need them visible if I want them to display on the
> Win machines in security dialogs showing users or groups from
> the domain.  I.e. I generally see all of the available ID's
> on my server -- which is good, as I don't remember them all,
> and they aren't visible on my workstation.  So configuring
> the server to enumerate them when I ask for all ID's of a type,
> is very convenient if not essential (at least for me, as I don't
> use all of them often enough to remember them).

Go here and read:

https://support.microsoft.com/en-us/kb/243330

They are the BUILTIN users and groups I was referring to, if these
aren't visible on your windows machines, then you have BIG problems.
If you are referring to Unix users and groups, then, as I said, create
them as windows users & groups and then give them a uidNumber or
gidNumber.

> 
> 
> > No, you probably can't have it as easy as you have it now, with AD
> > you can have it easier ;-)
> >   
> ----
>     For those that already know all the ins and outs, it's "obvious",
> for those who don't -- it's magic... (akin to sufficiently advanced
> technology looking like magic... ;-)).
> 
> 

I would start reading up on using Samba as an AD domain; Microsoft
doesn't want you to use NT4-style domains any more and seems to be
making it harder and harder to use them.

A good place to start is here:

https://wiki.samba.org/index.php/Main_Page

Rowland
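Two points from the exchange above lend themselves to a worked check: the advice not to start the 'idmap config *' range at 0 (and, more generally, to keep winbind ranges clear of local accounts and of each other), and the way a group carrying a gidNumber in AD becomes visible to 'getent group' on a Unix member. The script below is an added example written for this page; it is not Rowland's code nor part of Samba. The smb.conf fragments are constructed: WEAK_CONF uses the range quoted in the thread, FIXED_CONF is an assumed corrected layout (a '*' tdb range above the local system accounts plus a separate 'backend = ad' range for the domain), and AD_GROUPS is a stand-in for the directory objects, using the Domain Users SID shown in the mail.

```python
import re

# Constructed smb.conf fragment using the range quoted in the thread
# ("idmap config *:range = 0-999999999").
WEAK_CONF = """
[global]
   workgroup = EXAMPLE
   security = ads
   idmap config *:backend = tdb
   idmap config *:range = 0-999999999
"""

# Constructed corrected layout (an assumption, not from the thread): the '*'
# default range sits above the local system accounts, and the domain gets its
# own non-overlapping range served from the AD uidNumber/gidNumber attributes.
FIXED_CONF = """
[global]
   workgroup = EXAMPLE
   security = ads
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999
   idmap config EXAMPLE : backend = ad
   idmap config EXAMPLE : schema_mode = rfc2307
   idmap config EXAMPLE : range = 10000-999999
"""

# Matches 'idmap config DOMAIN : key = value' with or without spaces round ':'.
IDMAP_RE = re.compile(r"^\s*idmap\s+config\s+(\S+?)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.I)
LOCAL_ID_CEILING = 1000  # ids below this are conventionally local /etc/passwd accounts


def parse_idmap(conf):
    """Collect the idmap config lines into {DOMAIN: {key: value}}."""
    domains = {}
    for line in conf.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            dom, key, val = m.group(1), m.group(2).lower(), m.group(3)
            domains.setdefault(dom, {})[key] = val
    return domains


def parse_range(text):
    lo, hi = text.split("-", 1)
    return int(lo), int(hi)


def check_idmap(conf, local_ceiling=LOCAL_ID_CEILING):
    """Return a list of findings: missing default backend, ranges that reach
    into the local account space, and ranges that overlap one another."""
    findings = []
    domains = parse_idmap(conf)
    if "backend" not in domains.get("*", {}):
        findings.append("no 'idmap config *' backend: BUILTIN and unknown SIDs cannot be mapped")
    ranges = {}
    for dom, opts in domains.items():
        if "range" not in opts:
            findings.append(f"{dom}: no range configured")
            continue
        lo, hi = parse_range(opts["range"])
        if lo >= hi:
            findings.append(f"{dom}: empty range {lo}-{hi}")
            continue
        if lo < local_ceiling:
            findings.append(f"{dom}: range starts at {lo}, below local system accounts (< {local_ceiling})")
        ranges[dom] = (lo, hi)
    names = sorted(ranges)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            (alo, ahi), (blo, bhi) = ranges[a], ranges[b]
            if alo <= bhi and blo <= ahi:
                findings.append(f"{a} and {b}: ranges {alo}-{ahi} and {blo}-{bhi} overlap")
    return findings


def rid_of(sid):
    """Return the RID (last sub-authority) of a SID such as S-1-5-21-...-513."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError(f"not a SID: {sid}")
    return int(parts[-1])


# Constructed stand-in for the AD group objects, keyed by SID; only the first
# one carries a gidNumber, as the thread describes for Domain Users.
AD_GROUPS = {
    "S-1-5-21-1768301897-3342589593-1064908849-513": {"sAMAccountName": "Domain Users", "gidNumber": 10000},
    "S-1-5-21-1768301897-3342589593-1064908849-512": {"sAMAccountName": "Domain Admins"},
}


def getent_group_line(sid, groups=AD_GROUPS):
    """Mimic the 'getent group' line a member shows for a group with gidNumber
    (name rendered lower-case with underscores, as in the thread's output);
    a group without gidNumber yields nothing, so it returns None."""
    obj = groups.get(sid)
    if obj is None or "gidNumber" not in obj:
        return None
    name = obj["sAMAccountName"].lower().replace(" ", "_")
    return f"{name}:x:{obj['gidNumber']}:"


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("fixed", FIXED_CONF)):
        print(label, check_idmap(conf) or "ok")
    for sid in AD_GROUPS:
        print(rid_of(sid), getent_group_line(sid))
```

Running it reports the 0-based range of the weak configuration and nothing for the corrected one, then prints RID 513 with "domain_users:x:10000:" and RID 512 with None, matching the mail's point that a group only appears on the Unix side once it has a gidNumber.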
