[Samba] Avoiding uid conflicts between rfc2307 user/groups and computers

Prunk Dump prunkdump at gmail.com
Fri Jan 12 20:01:57 UTC 2018


Thank you very much for your help!

The problem is that I need a way to create the ID numbers without
overwriting the previous one, as I don't use ADUC but shell scripts.
This is why I use the xidNumber generation (on one specific DC) that
takes care of that. This idea is not mine; it was used a long time ago
by a Spanish IT who often comes here ;) (but his method has changed,
maybe...)

Is there a way built into Samba to do it? Because, as my shares are
also exported with NFSv4, I need consistent id mapping between Samba
and NFS. This also helps with backing up files because they can be
restored on any file server by saving the ACLs and xattrs.

Do you think it is a good idea to assign to rfc2307 the xidNumber +
100000 to avoid idmap.ldb overwriting the ID?

But there is still a problem for computer accounts. Is there an
automatic way to assign uidNumbers to computers when joining the
domain?

Thanks again!

Baptiste.


2018-01-12 18:27 GMT+01:00 Rowland Penny via samba <samba at lists.samba.org>:
> On Fri, 12 Jan 2018 18:14:05 +0100
> Björn JACKE via samba <samba at lists.samba.org> wrote:
>
>> On 2018-01-12 at 16:56 +0000 Rowland Penny sent off:
>> > Surely the authentication of choice would be kerberos and this
>> > wouldn't require a posix account.
>>
>> Rowland, you sound very confident, but still that doesn't make it
>> right. The posix account needs to exist for smbd to be able to switch
>> to the context of the connecting (computer) user. This is not a
>> matter of the authentication mechanism.
>>
>> Björn
>
> As far as I am aware, the client connects to a DC to authenticate a
> user and before the user is authenticated, the client is checked to see
> if it is a domain member. The method of choice for the computer
> authentication is kerberos, this does not require posix attributes.
>
> I am not disputing what you say, I am just asking for concrete proof
> that a computer account MUST have a uidNumber account.
>
> Rowland