[Samba] DM 3.6.25 -> 4.x

Stefan G. Weichinger lists at xunil.at
Wed May 30 13:26:37 UTC 2018


On 2018-05-30 at 15:01, Rowland Penny via samba wrote:

> There are three main winbind backends, but only two are really used on
> Unix domain members, the 'ad' and the 'rid' backends. Which you use is
> really down to a simple choice, do you want to add posix attrs to AD or
> not. If you don't want to add anything to AD, then use the 'rid'
> backend. If you do add the posix attrs to AD, then use the 'ad'
> backend.

I want to keep things as close as possible to how they are with the current
outdated 3.6.25 setup. This is why the former admin didn't update, I guess ;-)

So I think "rid" here. I want kind of "read only" access to ADS.

> Having decided which backend, you then have to decide on the ranges to
> use. If you use the 'rid' backend, then good ranges would be 3000-7999
> for the '*' domain and 10000-whatever_upper_limit_you_decide for your
> DOMAIN (there is a slight problem with this on Debian, they thought it
> was a good idea to use the ID 65534 for nobody/nogroup, but you can
> work around this). This will lead to user & group IDs starting from
> '11000'.
> 
> If you use the 'ad' backend, things are a little different, you
> probably can use the same '*' range as the 'rid' backend, but the 
> DOMAIN range will depend on the posix attrs in AD, so if the lowest
> uidNumber or gidNumber in AD is '10000', you could start at '10000'
> 
> Things to note:
> If you place the '*' range below the 'DOMAIN' range, you can easily
> expand the 'DOMAIN' range by increasing the upper range.
> 
> A user can have the same ID as a group, they will never be mixed up.
> 
> A 'rid' user with the ID 11000 is very very unlikely to be the same user
> as an 'ad' user with the same ID. i.e. If you run the 'ad' backend on
> one Unix domain member, but the 'rid' backend on another, your users
> will have different ID numbers.

And you think this is easy? ;-)

testparm shows:


# testparm -sv | grep idmap

	ldap idmap suffix =
	idmap backend = tdb
	idmap cache time = 604800
	idmap negative cache time = 120
	idmap uid =
	idmap gid =
	idmap config * : range = 10000 - 20000
	idmap config * : backend = tdb

So I would love to "convert" the existing ranges to new parameters,
without guessing or trying something.

The two lines

 idmap uid =
 idmap gid =

should be removed, I assume.

> If you do not have the 'netbios name' line in smb.conf, you can use
> the smb.conf on all Unix domain members in the domain and you will
> always get the same numeric IDs.

It is there, but afaik there is only this one domain member server right now.

thanks so far, Stefan
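As an added example (not code from the thread or from Samba), here is a small Python checker for the idmap layout Rowland describes: it parses testparm-style idmap lines, flags the legacy tdb-only layout and overlapping or Debian-colliding ranges, and previews what the rid backend turns a RID into. The domain name DOMAIN, the proposed range values and the sample config text are assumptions.

```python
"""Sanity-check a winbind idmap layout for the 'rid' backend.
Added example, not part of the mailing-list post. Assumes the AD domain
is called DOMAIN; the config samples below are constructed."""
import re

# Constructed samples: the legacy 3.6 layout shown by testparm in the post,
# and a proposed rid-backend replacement using the ranges Rowland suggested.
LEGACY = """
    idmap config * : range = 10000 - 20000
    idmap config * : backend = tdb
"""
PROPOSED = """
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    idmap config DOMAIN : backend = rid
    idmap config DOMAIN : range = 10000-29999
"""
DEBIAN_NOBODY = 65534  # Debian's nobody/nogroup ID; must stay outside all ranges

LINE = re.compile(r"idmap config\s+(\S+)\s*:\s*(backend|range)\s*=\s*(.+)")

def parse_idmap(text):
    """Return {domain: {'backend': str, 'range': (low, high)}}."""
    cfg = {}
    for m in LINE.finditer(text):
        dom, key, val = m.groups()
        entry = cfg.setdefault(dom, {})
        if key == "range":
            low, high = (int(x) for x in val.replace(" ", "").split("-"))
            entry["range"] = (low, high)
        else:
            entry["backend"] = val.strip()
    return cfg

def check_layout(cfg, domain="DOMAIN"):
    """Return a list of problems; an empty list means the layout is sane."""
    problems = []
    star, dom = cfg.get("*"), cfg.get(domain)
    if not dom:  # everything lands in '*' and is allocated on first sight
        return [f"no 'idmap config {domain}' block: IDs will differ per member"]
    (s_low, s_high), (d_low, d_high) = star["range"], dom["range"]
    if not (s_high < d_low or d_high < s_low):
        problems.append("'*' and DOMAIN ranges overlap")
    if s_low > d_low:
        problems.append("'*' range is above DOMAIN, so DOMAIN cannot grow upward")
    for name, (low, high) in (("*", star["range"]), (domain, dom["range"])):
        if low <= DEBIAN_NOBODY <= high:
            problems.append(f"{name} range contains {DEBIAN_NOBODY} (Debian nobody)")
    return problems

def rid_to_unix_id(rid, cfg, domain="DOMAIN"):
    """idmap_rid computes ID = RID + low end of the domain range (base_rid 0)."""
    low, high = cfg[domain]["range"]
    if low + rid > high:
        raise ValueError(f"RID {rid} does not fit in the {domain} range")
    return low + rid
```

With the proposed layout, the first regular AD user (RID 1000) maps to 11000, which is the starting ID Rowland mentions.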
