[Samba] idmap_ad overlap with domain and sub-domain overlap

Wvu Hpc wvu.hpc at gmail.com
Wed Apr 18 14:52:12 UTC 2018


Hi Rowland,

Thanks for the help, and ideally I would like to get rid of the subdomain
altogether, but that is probably not going to happen.

So, a couple of comments, and please forgive any of my ignorance.

For your second question, all users in the subdomain who have access to the
SAMBA server do have uidNumber set, and it matches the uidNumber set in
MASTER.  Since this is the case, would the overlapping ranges be OK?  I saw
this post (
https://lists.samba.org/archive/samba-technical/2016-December/117567.html)
and thought it might indicate it is OK, but was not sure.

For 'winbind use default domain = Yes', I thought this would assume the
default domain for ssh logins as being the master, since I have "idmap
config MASTER:default = yes".  It appears to work, as it allows users to log in
without having to specify a domain.  Although, if a user from the SUB
domain logs in, they must specify SUB\user to log in.  Is that
incorrect?  If I remove 'default = yes', users of MASTER must also
specify their domain during login ... at least that is how it seemed during
testing.

Thanks again!



On Wed, Apr 18, 2018 at 10:38 AM, Rowland Penny via samba <
samba at lists.samba.org> wrote:

> On Wed, 18 Apr 2018 10:02:53 -0400
> Wvu Hpc via samba <samba at lists.samba.org> wrote:
>
> > Hello,
> >
> > We are in the process of providing access to an AD-connected master domain
> > and one of its subdomains to one of our SAMBA 4.6.2 file-share servers.
> > The samba server is a member of the MASTER domain.  The problem is we
> > have cases where the same person has an account in both the master
> > domain and the sub domain (long story and we know it is not a good
> > practice but something I am powerless to change).  The person (see
> > example below for further clarity) has the same unix attributes set
> > in both the domain and sub-domain.  When you run testparm it
> > complains of having the range overlap but the config seems to be
> > working OK.  Is there any reason we should not go forward with this
> > config or should we push back and make the users in the subdomain
> > have the different uid and gid numbers from the master domain?  The
> > benefit of having the same uid and gid is we don't have to worry
> > about changing file ownership if a user moves between domains.
> >
> > Example:
> >
> > MASTER\user : uidNumber = 10000 : gidNumber = 10000
> > SUB\user : uidNumber = 10000 : gidNumber = 10000
> >
> > SMB Config:
> >
> > # Global parameters
> > [global]
> >         workgroup = MASTER
>
> >         winbind use default domain = Yes
> >         idmap config MASTER:schema_mode = rfc2307
> >         idmap config MASTER:range = 9000-5000000000
> >         idmap config MASTER:default = yes
> >         idmap config MASTER:backend = ad
> >         idmap config SUB:schema_mode = rfc2307
> >         idmap config SUB:range = 9000-5000000000
> >         idmap config SUB:backend = ad
> >         idmap config * : backend = tdb
> >         idmap config *:range = 3000-8999
> >
>
> Firstly, you cannot use 'winbind use default domain = Yes' if you have
> more than one domain in smb.conf.
> Secondly, as you already know, you cannot use the same range for both
> domains. Yes, I know that some of the users have the same uidNumber in
> both domains, but what about the ones that don't?
>
> I would remove the 'winbind use default domain' line and then use the
> 'rid' backend for the 'SUB' domain with a different range:
>
>         idmap config SUB:range = 5000000001-10000000000
>         idmap config SUB:backend = rid
>
> This will probably entail changing the ownership of files and dirs
>
> You say you have no control of the domains, but I would be having
> words with whoever does have control, mentioning words like 'stupid'
> and 'idiot' ;-)
>
> Rowland
>
>
>
>
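As an added illustration (this is not code from the thread, from Samba, or from testparm), here is a small Python checker that reads the idmap-related lines of an smb.conf fragment and reports the two things raised above: domain ranges that overlap (what testparm complains about in the poster's config) and 'winbind use default domain = yes' set while more than one domain is configured (Rowland's first objection, encoded here as a rule; Samba itself does not refuse that combination, the check just reflects the advice in this thread). The two embedded configs are constructed samples: the poster's quoted [global] section, and the same section with Rowland's suggested SUB range and rid backend and the default-domain line removed. The overlap test it applies is the standard interval rule: two ranges conflict if each one's low end is at or below the other's high end.

```python
import re
from itertools import combinations

# Constructed sample: the idmap lines quoted in the thread (overlapping ranges).
ORIGINAL_CONF = """
[global]
        workgroup = MASTER
        winbind use default domain = Yes
        idmap config MASTER:schema_mode = rfc2307
        idmap config MASTER:range = 9000-5000000000
        idmap config MASTER:default = yes
        idmap config MASTER:backend = ad
        idmap config SUB:schema_mode = rfc2307
        idmap config SUB:range = 9000-5000000000
        idmap config SUB:backend = ad
        idmap config * : backend = tdb
        idmap config *:range = 3000-8999
"""

# Constructed sample: the same section with Rowland's suggested changes applied.
FIXED_CONF = """
[global]
        workgroup = MASTER
        idmap config MASTER:schema_mode = rfc2307
        idmap config MASTER:range = 9000-5000000000
        idmap config MASTER:default = yes
        idmap config MASTER:backend = ad
        idmap config SUB:range = 5000000001-10000000000
        idmap config SUB:backend = rid
        idmap config * : backend = tdb
        idmap config *:range = 3000-8999
"""

# Matches 'idmap config DOMAIN:option = value'; tolerates spaces around ':' ('* : backend').
IDMAP_RE = re.compile(
    r"^\s*idmap\s+config\s+([^:=\s]+)\s*:\s*([A-Za-z_]+)\s*=\s*(.+?)\s*$", re.I
)
BOOL_TRUE = {"yes", "true", "1"}


def parse_idmap(conf):
    """Return (domains, globals): domains is {DOMAIN: {option: value}} for every
    'idmap config' line; globals carries 'winbind use default domain' as a bool."""
    domains, glob = {}, {}
    for line in conf.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            dom, opt, val = m.group(1).upper(), m.group(2).lower(), m.group(3)
            domains.setdefault(dom, {})[opt] = val
            continue
        key, sep, val = line.partition("=")
        if sep and key.strip().lower() == "winbind use default domain":
            glob["winbind use default domain"] = val.strip().lower() in BOOL_TRUE
    return domains, glob


def parse_range(value):
    """'9000-5000000000' -> (9000, 5000000000); rejects a malformed or inverted range."""
    lo, hi = (int(x) for x in value.split("-", 1))
    if lo > hi:
        raise ValueError(f"range low {lo} exceeds high {hi}")
    return lo, hi


def find_overlaps(domains):
    """Sorted pairs of domains whose configured ranges share at least one id."""
    ranges = {d: parse_range(o["range"]) for d, o in domains.items() if "range" in o}
    hits = []
    for a, b in combinations(sorted(ranges), 2):
        (alo, ahi), (blo, bhi) = ranges[a], ranges[b]
        if alo <= bhi and blo <= ahi:  # closed intervals intersect
            hits.append((a, b))
    return hits


def check_config(conf):
    """List of human-readable problems; empty list means the idmap setup is consistent."""
    domains, glob = parse_idmap(conf)
    problems = []
    for dom, opts in domains.items():
        if "backend" not in opts:
            problems.append(f"{dom}: no idmap backend configured")
        if "range" not in opts:
            problems.append(f"{dom}: no idmap range configured")
    for a, b in find_overlaps(domains):
        problems.append(f"ranges for {a} and {b} overlap")
    named = [d for d in domains if d != "*"]
    if glob.get("winbind use default domain") and len(named) > 1:
        problems.append(
            "'winbind use default domain = yes' with more than one domain "
            "configured: unqualified user names become ambiguous"
        )
    return problems


if __name__ == "__main__":
    for name, conf in (("original", ORIGINAL_CONF), ("fixed", FIXED_CONF)):
        print(f"{name}: {check_config(conf) or 'OK'}")
```

Running it reports the MASTER/SUB overlap and the default-domain issue for the quoted config and nothing for the corrected one. Note that the checker only validates the ranges as intervals; it says nothing about whether individual uidNumber values inside those ranges collide, which is the separate point Rowland raises about users who do not have matching attributes in both domains.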

