[Samba] [samba] Winbindd without RFC2307 question

mathias dufresne infractory at gmail.com
Fri Jul 21 09:58:15 UTC 2017


Hi all,

Rowland, thank you a lot for the information about RFC2307 attributes already
present in AD!

2017-07-20 16:48 GMT+02:00 Rowland Penny via samba <samba at lists.samba.org>:

> On Thu, 20 Jul 2017 16:34:20 +0200
> mathias dufresne <infractory at gmail.com> wrote:
>
> >
> > I'm still explaining that to my client... but it seems this one like
> > mess. And I'm paid to do what they ask (after I told them what I
> > think of what they ask me to do, at least there's a fun part in that)
> >
>
> They are the people paying the money, so you just have to do what they
> want, even if they are wrong ;-)
>

Fortunately I can leave them when I want ;)
And as you gave me information about RFC2307 attributes already present in the AD
schema, I will avoid the mess, as I can use these attributes and then switch to:
idmap config CENTORIAL:backend = ad
idmap config CENTORIAL:schema_mode = rfc2307



>
> > If DC would generate their xID using some method as RID backend that
> > could have same lot of time regarding xID coherency and GPO
> > retrieval... at least to me.
>
> Yes it probably would be better, except for the problem of AD groups
> that need to be 'ID_MAP_BOTH'
>

Here I think you meant the fact that Samba uses the xID concept for UID and GID and
the fact that in UNIX we can have the same number used for one UID and one GID too.
If my guess is correct, as AD's SIDs are necessarily unique, the issue would
not happen as long as no UID/GID are manually declared into AD. If there is no
manual declaration of xID in AD then all xIDs will be generated by mapping
using the RID method you described earlier. Or I missed something : )


>
> > Nothing like :/
> > They have a working MS AD domain which they are not too fond to
> > change. Even schema update to include RFC2307 seems too much...
>
> ER, have you checked the AD schema ? I think you might find that the
> RFC2307 attributes are already there.
>

I really owe you a beer ;)


>
> > Anyway I just learned they were attributing manually UID/GID using
> > scripts. Perhaps digging into them I'll find a list of
> > username:uid:gid:SID which would save a lot of... time.
>
> Sounds like you need to dump the AD database.
>

For that I finally found the list of attributed UID/GID per user. Having
the list, I now just have to parse it to generate LDIF files to modify AD
(thanks again :p), nothing tricky.

Have a nice day!

mathias


>
> Rowland
>
>
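The parsing step described in the reply above, as an added example that is not part of the original post: it reads a constructed username:uid:gid:SID list, refuses to proceed if two users were handed the same uidNumber (the xID coherency concern raised in the thread), and emits LDIF modify records for uidNumber/gidNumber. The base DN and the CN=<username>,CN=Users location are assumptions.

```python
# Constructed sample in the username:uid:gid:SID layout mentioned in the thread;
# the SIDs are made-up placeholders, not real objectSid values.
SAMPLE = """\
alice:10001:10000:S-1-5-21-1-2-3-1105
bob:10002:10000:S-1-5-21-1-2-3-1106
# comment lines and malformed rows are skipped
carol:notanumber:10000:S-1-5-21-1-2-3-1107
"""

BASE_DN = "DC=centorial,DC=example"  # assumed base DN for the CENTORIAL domain

def parse_mappings(text):
    """Return [(username, uid, gid), ...], dropping comments and malformed rows."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) != 4 or not (parts[1].isdigit() and parts[2].isdigit()):
            continue
        rows.append((parts[0], int(parts[1]), int(parts[2])))
    return rows

def find_duplicate_uids(mappings):
    """uid -> usernames for any uidNumber handed to more than one user.
    Two accounts sharing a uidNumber are one identity on the UNIX side, so
    this is checked before anything is written to AD."""
    seen = {}
    for user, uid, _gid in mappings:
        seen.setdefault(uid, []).append(user)
    return {uid: users for uid, users in seen.items() if len(users) > 1}

def to_ldif(mappings, base_dn=BASE_DN):
    """One 'changetype: modify' record per user. 'replace' creates the
    attribute when absent and overwrites it otherwise. The DN is assumed to
    be CN=<username>,CN=Users,<base>; resolve it from sAMAccountName in
    practice, since real users may live in other OUs."""
    records = []
    for user, uid, gid in mappings:
        records.append(
            f"dn: CN={user},CN=Users,{base_dn}\nchangetype: modify\n"
            f"replace: uidNumber\nuidNumber: {uid}\n-\n"
            f"replace: gidNumber\ngidNumber: {gid}\n-\n"
        )
    return "\n".join(records)

if __name__ == "__main__":
    rows = parse_mappings(SAMPLE)  # print the clash instead of LDIF if uids collide
    print(find_duplicate_uids(rows) or to_ldif(rows))
```

The resulting file is what you would feed to ldbmodify or ldapmodify against the DC; the duplicate check is the part worth keeping even if the rest is replaced by a one-liner.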
