[Samba] winbind BUILTIN config

Mircea Husz mirceahusz at yahoo.com
Fri Jan 27 22:00:11 UTC 2017


Hi Roland,

Thank you for the explanation.
Allow me to press the point, I'd like to understand what I'm doing.
Is there value in me remapping them from their 3000000 - range default as I see it on the AD server?
What is the reason for specifying a lower range such as 3000-7999 ?


Thank you,
-Mike


On Friday, January 27, 2017 3:42 PM, Rowland Penny via samba <samba at lists.samba.org> wrote:
On Fri, 27 Jan 2017 20:50:48 +0000 (UTC)
Mircea Husz via samba <samba at lists.samba.org> wrote:

> All,
> 
> We have a samba3 domain which provides logon services for Windows
> clients, and several cifs shares, some for Windows clients and some
> for linux servers to mount. I am testing samba 4.5.4 in a lab to
> understand all that needs to happen for a migration to AD on samba4.
> 
> During testing we bumped up against winbind config for linux member
> servers. Since we want users to authenticate against AD, the choice
> of back ends is tdb for the BUILTIN accounts, and ad for our domain.
> 
> User accounts have unix UIDs / GIDs assigned and we configured the ad
> backend range to match the range of UIDs / GIDs. But I don't
> understand how to map the BUILTIN accounts in tdb. I noticed by
> checking on the AD server that BUILTINs have values starting at
> 30000000 for example 3000007(BUILTIN\users) 
> 
> So what is a sensible mapping for the BUILTIN accounts / groups? Or
> better yet, why not just let it be at the values hardcoded on the AD
> server? 
> 
> I need an algorithm that explains how to arrive at a workable range.
> 
> This is the relevant section from smb.conf, which, btw, works fine
> from what I can tell.
> 
> idmap config * : backend = tdb
> idmap config * : range = 30000-40000
> 
> idmap config MYDOM:backend = ad
> idmap config MYDOM:range = 10000-20000
> idmap config MYDOM:schema_mode = rfc2307
> 
> winbind nss info = rfc2307
> winbind use default domain = yes
> 
> 
> 
> Thanks,
> -Mike
> 

You could use the example ranges shown on the Samba wiki:

https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member

This uses '3000-7999' for the '*' domain (Well Known SIDs etc) and 
'10000-999999' for the 'MYDOM' domain

With this you have space below '3000' for any local Unix users you
might need; starting the main domain at '10000' is in line with where
ADUC on Windows starts them.

You do not need to know the IDs of most of the Well Known SIDs, you
only need to give Domain Users a gidNumber containing a number inside
the 'MYDOM' range i.e. '10000'

Rowland
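To make the range advice above concrete, here is an added checker (not from the thread or from Samba) that parses the `idmap config` lines of an smb.conf, flags a missing '*' range, overlapping ranges, and a Domain Users gidNumber that falls outside the domain's range. The sample smb.conf is constructed here using the wiki ranges Rowland mentions, not the poster's real file.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample using the ranges Rowland cites from the Samba wiki:
# 3000-7999 for '*' (BUILTIN / Well Known SIDs), 10000-999999 for MYDOM.
SAMPLE_SMB_CONF = """\
[global]
   security = ADS
   workgroup = MYDOM
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999
   idmap config MYDOM:backend = ad
   idmap config MYDOM:range = 10000-999999
   idmap config MYDOM:schema_mode = rfc2307
   winbind nss info = rfc2307
"""

# Matches 'idmap config DOMAIN : option = value' (spaces around ':' optional).
IDMAP_RE = re.compile(r"^\s*idmap config\s+([^\s:]+)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.IGNORECASE)

def parse_idmap(conf: str) -> Dict[str, Dict[str, str]]:
    """Return {domain: {option: value}} for every 'idmap config' line."""
    out: Dict[str, Dict[str, str]] = {}
    for line in conf.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            dom, opt, val = m.group(1), m.group(2).lower(), m.group(3)
            out.setdefault(dom, {})[opt] = val
    return out

def parse_range(text: str) -> Tuple[int, int]:
    """Parse 'LOW-HIGH' into a tuple, rejecting inverted ranges."""
    lo, hi = (int(x) for x in text.split("-"))
    if lo > hi:
        raise ValueError(f"bad idmap range {text}")
    return lo, hi

def check_idmap(conf: str, domain_users_gid: int, domain: str) -> List[str]:
    """Return a list of problems; an empty list means the layout is workable."""
    cfg = parse_idmap(conf)
    problems: List[str] = []
    if "range" not in cfg.get("*", {}):
        problems.append("no 'idmap config * : range' for BUILTIN / Well Known SIDs")
    ranges = {d: parse_range(o["range"]) for d, o in cfg.items() if "range" in o}
    doms = sorted(ranges, key=lambda d: ranges[d][0])
    for a, b in zip(doms, doms[1:]):  # sorted by low end, so adjacent pairs suffice
        if ranges[a][1] >= ranges[b][0]:
            problems.append(f"ranges for '{a}' and '{b}' overlap")
    if domain not in ranges:
        problems.append(f"no idmap range for domain '{domain}'")
    elif not ranges[domain][0] <= domain_users_gid <= ranges[domain][1]:
        problems.append(f"Domain Users gidNumber {domain_users_gid} is outside the {domain} range")
    return problems
```

Run `check_idmap(open("/etc/samba/smb.conf").read(), <gidNumber of Domain Users>, "MYDOM")` on a member server before joining; an empty list means the ranges do not collide and the gidNumber sits where Rowland says it must.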


