[Samba] Samba ADS-member-server: FQDNs in /etc/hosts

Stefan G. Weichinger lists at xunil.at
Tue Jul 11 11:37:35 UTC 2017


On 2017-07-11 at 13:28, Rowland Penny wrote:

>>> Of course, using the 'rid' backend means that you do not need to add
>>> anything to AD and you do not need this line in smb.conf:
>>>
>>>   idmap config BUERO:schema_mode = rfc2307
>>>
>>> Or you could just change 'idmap config BUERO:backend = rid' to
>>> 'idmap config BUERO:backend = ad' and use the rfc2307 attributes in
>>> AD.
>>
>> I would prefer not to have to decide this. You understand? ;-)
> 
> I think the decision has been made for you, if anything has been stored
> on the DM, it will belong to the IDs that the 'rid' backend has
> created/allocated to your users & groups.

and:

After browsing

https://wiki.samba.org/index.php/Idmap_config_ad

and

https://wiki.samba.org/index.php/Idmap_config_rid

I would prefer "rid" to be honest ... ;-)


It's a "one fileserver" environment for now and will be for a long time,
so I think rid does fulfill the requirements.

So it would be simply:

* remove line "idmap config BUERO:schema_mode = rfc2307" on DM

* reload/restart smbd/nmbd/winbind on DM

?

Would that affect sessions?
Should I order all users to log out first or so?


>> What's the recommendation here? I don't have a clue; I would just like
>> to be able to change this to a working config without doing damage to
>> active sessions, if possible. This is a productive environment right
>> now.
> 
> If you want to use the 'ad' backend, you are going to have to do some
> work. You will have to find out what is stored on the DM and who owns
> it. You will then have to find (from AD) the correct ID number. Stop
> Samba, change smb.conf, restart Samba then change the ownership of the
> files etc.

No, see above. I think I'll go "rid".

>> To me it sounds preferable to have everything in AD, right? At least
>> that is what I expect from having all that: all in one place somehow
> 
> Having everything in AD, gives you the possibility of using different
> Unix home dirs etc per person.

Not needed. I am the only UNIX user there.

I only need separate [home] dirs for a group of users:

some customers of my customer come by to do some work with a specific
software and I want to connect them to a specific user-folder on the
server, using the [homes] mechanism.

Would that be impossible then?

>> Can't remember exactly where rid comes from, I think it was a
>> recommendation by Louis for my test VM (which then was migrated to
>> this DC).
> 
> It should work, but only if the user's or group's RID + 10000 is inside
> the range you have set in smb.conf (in your case 10000-99999).
> 
> You can change the upper number in the range to a higher number without
> affecting anything else, but you will need to reload or restart Samba

ok

The mentioned user with 10029 was within that range (*scratch*), did the
schema mode make things crash here?

>> Please also advise if there are any additional steps needed for any of
>> these solutions. I always feel unsure whether or not to add some ids
>> and mappings somewhere ....
>>
> 
> You could ensure that winbind is installed and running (I know it
> probably is, but...)

It is, it is.

Thanks a lot for your help and patience.
But be honest: all that ain't easy stuff, right?

:-)
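The two points Rowland makes above (the 'rid' backend does not need the schema_mode line, and a user only maps if RID + range-low lands inside the configured range) can be checked mechanically before touching a production member server. The script below is an added example and is not code from the thread or from the Samba project: it parses the `idmap config` lines of an smb.conf fragment, flags a schema_mode setting on a domain that uses the rid backend, shows the same fragment with that line dropped, and applies the idmap_rid arithmetic (ID = RID - base_rid + range low) to a few SIDs. The smb.conf text and the SIDs are constructed for the example; only the domain name BUERO and the range 10000-99999 come from the thread, and the mapping of RID 29 to ID 10029 matches the user mentioned above.

```python
import re

# Constructed smb.conf fragment modelled on the thread (domain BUERO, rid
# backend, range 10000-99999). The schema_mode line is the one the thread
# says is unnecessary for the rid backend.
SMB_CONF = """
[global]
   workgroup = BUERO
   security = ADS
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999
   idmap config BUERO:backend = rid
   idmap config BUERO:schema_mode = rfc2307
   idmap config BUERO:range = 10000-99999
"""

# "idmap config DOMAIN : option = value"; Samba accepts spaces around the colon.
IDMAP_RE = re.compile(r"^\s*idmap config\s+(\S+)\s*:\s*(\w+)\s*=\s*(.+?)\s*$",
                      re.IGNORECASE)
# Domain SID followed by the RID (S-1-5-21-<three sub-authorities>-<RID>).
DOMAIN_SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+-(\d+)$")


def parse_idmap_config(text):
    """Return {DOMAIN: {option: value}} for every idmap config line."""
    cfg = {}
    for line in text.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            dom, key, val = m.groups()
            cfg.setdefault(dom.upper(), {})[key.lower()] = val
    return cfg


def lint_rid_domain(cfg, domain):
    """Findings for a domain that is meant to use the rid backend."""
    d = cfg.get(domain.upper(), {})
    findings = []
    if d.get("backend", "").lower() != "rid":
        findings.append(f"{domain}: backend is {d.get('backend')!r}, not 'rid'")
        return findings
    if "schema_mode" in d:
        findings.append(f"{domain}: 'schema_mode = {d['schema_mode']}' only applies "
                        "to the 'ad' backend; remove it")
    if "range" not in d:
        findings.append(f"{domain}: the rid backend needs an explicit range")
    return findings


def drop_schema_mode(text, domain):
    """The corrected fragment: same config without the domain's schema_mode line."""
    kept = []
    for line in text.splitlines():
        m = IDMAP_RE.match(line)
        if m and m.group(1).upper() == domain.upper() and m.group(2).lower() == "schema_mode":
            continue
        kept.append(line)
    return "\n".join(kept)


def parse_range(spec):
    low, high = (int(x) for x in spec.split("-"))
    return low, high


def rid_from_sid(sid):
    """RID of a domain SID, or None for well-known/builtin SIDs."""
    m = DOMAIN_SID_RE.match(sid)
    return int(m.group(1)) if m else None


def rid_backend_id(rid, low, high, base_rid=0):
    """idmap_rid arithmetic: ID = RID - base_rid + low; None if outside the range."""
    xid = rid - base_rid + low
    return xid if low <= xid <= high else None


def map_sids(cfg, domain, sids):
    """Map each SID through the domain's rid range; None means it will not map."""
    low, high = parse_range(cfg[domain.upper()]["range"])
    result = {}
    for sid in sids:
        rid = rid_from_sid(sid)
        result[sid] = None if rid is None else rid_backend_id(rid, low, high)
    return result


if __name__ == "__main__":
    cfg = parse_idmap_config(SMB_CONF)
    for f in lint_rid_domain(cfg, "BUERO"):
        print("finding:", f)
    print(drop_schema_mode(SMB_CONF, "BUERO"))
    # Constructed SIDs: RID 29 (the 10029 user), a typical RID 1105,
    # RID 95000 (falls above 99999) and a builtin SID the domain never maps.
    sample = ["S-1-5-21-111-222-333-29", "S-1-5-21-111-222-333-1105",
              "S-1-5-21-111-222-333-95000", "S-1-5-32-544"]
    for sid, xid in map_sids(cfg, "BUERO", sample).items():
        print(f"{sid:32} -> {xid if xid is not None else 'NOT MAPPED'}")
```

The out-of-range case is the one to check before widening the range: a RID of 95000 would need the upper bound raised, which, as Rowland notes, is safe to do but still requires a reload or restart of Samba.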


