[Samba] samba 4 ad member - idmap = ad for machine accounts
Rowland Penny
rpenny at samba.org
Mon Sep 18 12:36:25 UTC 2017
On Mon, 18 Sep 2017 13:57:29 +0200
Kacper Wirski via samba <samba at lists.samba.org> wrote:
> I posted already, but here it is again (it's everything except it has
> not 1 but ~10 SOMESHARE, all with exact same config)
Sorry, bad morning
>
> Full entry from smb.conf:
>
> [global]
> netbios name = VS-FILES
> security = ADS
> workgroup = MYDOMAIN
> realm = MYDOMAIN.COM
>
> log file = /var/log/samba/%m.log
> log level = 1
>
>
> idmap config *:backend = tdb
> idmap config *:range = 100-2000
>
> # idmap config for domain MYDOMAIN
> idmap config MYDOMAIN:backend = ad
> idmap config MYDOMAIN:schema_mode = rfc2307
> idmap config MYDOMAIN:range = 4000-99999
> #I'm gonna remove enum users/groups as recommended
> winbind enum users = yes
> winbind enum groups = yes
> winbind nested groups = yes
> winbind expand groups = 5
> #i'm gonna remove this one too to avoid confusion
> winbind use default domain = yes
> winbind nss info = rfc2307
> vfs objects = acl_xattr
> map acl inherit = yes
> admin users = "@MYDOMAIN\Domain Admins","@MYDOMAIN\Enterprise Admins"
> store dos attributes = yes
>
> [SOMESHARE1]
> path = /home/shares/SOMESHARE1/
> read only = no
>
> [SOMESHARE2]
> path = /home/shares/SOMESHARE2/
> read only = no
> ......
> [SOMESHARE10]
> path = /home/shares/SOMESHARE10/
> read only = no
>
>
> .............
> Correct me please if I'm wrong, but:
> idmap = AD
> means that winbind on the samba 4 domain member, when idmapping
> domain users looks at:
> gidNumber
> uidNumber
> attributes set in AD for this user when mapping windows - to - unix
> users? At least these values I'm getting from samba 4 domain member
> when using getent for domain users and these values can be viewed
> when looking at files from unix perspective.
Yes, that is correct.
> At first I thought, that setting those values for machine accounts,
> as long as they're in range of the MYDOMAIN:range should be enough,
> but I was unable to make it work, I'm getting access denied.
OK, this (basically) is how the 'ad' backend works:
if a user has a uidNumber attribute that contains a number that is
inside the 'DOMAIN' range set in smb.conf (in your case 4000-99999)
AND the user's primary group has a gidNumber inside the same range,
then that user becomes a Unix user.
This means that Domain Users must have a gidNumber for users to be
shown.
Computers are a bit different, they have a different primary group,
Domain Computers, so this means that this group needs a gidNumber to
make your uidNumber-enabled computers known to Unix.
>
> Since changing from idmap = ad to idmap = rid fixes everything it
> leads me to believe some other attribute is checked by winbindd when
> doing domain-to-local user mappings.
>
No, using the 'ad' backend means the RFC2307 attributes are used, using
the 'rid' backend means they are ignored and the IDs are calculated
from the RID.
I think Louis needs to comment here; he seems to know all about using
'SYSTEM'.
Rowland
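The mapping rule Rowland describes for the 'ad' backend (uidNumber in the domain range AND the primary group's gidNumber in the same range), modelled as an added example that is not code from this thread or from Samba. The accounts, groups and attribute values are constructed; RIDs 513 and 515 are the well-known RIDs of Domain Users and Domain Computers, and the range is the one from Kacper's smb.conf.

```python
# Added example: model of the winbind 'ad' idmap backend decision rule.
# All directory objects below are constructed sample data.

# smb.conf: idmap config MYDOMAIN:range = 4000-99999
DOMAIN_RANGE = (4000, 99999)

# Groups keyed by RID. Domain Computers deliberately has no gidNumber,
# which is the situation that makes machine accounts unusable.
GROUPS = {
    513: {"name": "Domain Users", "gidNumber": 4513},
    515: {"name": "Domain Computers"},
}
# Accounts with their uidNumber and primaryGroupID (RID of the primary group).
ACCOUNTS = {
    "alice":     {"uidNumber": 5001, "primaryGroupID": 513},
    "VS-FILES$": {"uidNumber": 6001, "primaryGroupID": 515},  # machine account
    "bob":       {"uidNumber": 200,  "primaryGroupID": 513},  # outside range
    "guest":     {"primaryGroupID": 513},                     # no uidNumber
}

def in_range(value, rng):
    lo, hi = rng
    return value is not None and lo <= value <= hi

def unix_mapping(account, groups=GROUPS, rng=DOMAIN_RANGE):
    """Return (uid, gid) if winbind would expose the account as a Unix user,
    otherwise (None, reason) naming the attribute that blocks the mapping."""
    uid = account.get("uidNumber")
    if not in_range(uid, rng):
        return None, "uidNumber missing or outside the domain range"
    group = groups.get(account.get("primaryGroupID"), {})
    gid = group.get("gidNumber")
    if not in_range(gid, rng):
        return None, f"primary group {group.get('name', '?')!r} has no gidNumber in range"
    return uid, gid

def mappable_accounts(accounts=ACCOUNTS, groups=GROUPS):
    """Sorted names of the accounts that get a Unix identity under the rule."""
    return sorted(n for n, a in accounts.items() if unix_mapping(a, groups)[0] is not None)

def fix_domain_computers(groups, gid):
    """Rowland's remedy: give Domain Computers (RID 515) a gidNumber in range."""
    fixed = {rid: dict(attrs) for rid, attrs in groups.items()}
    fixed[515]["gidNumber"] = gid
    return fixed

if __name__ == "__main__":
    for name, acct in ACCOUNTS.items():
        print(f"{name:10} -> {unix_mapping(acct)}")
    print("after fix:", mappable_accounts(groups=fix_domain_computers(GROUPS, 4515)))
```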