[Samba] idmap config ad

Viktor Trojanovic viktor at troja.ch
Mon Jan 28 14:38:41 UTC 2019


On 28.01.2019 15:27, Rowland Penny via samba wrote:
> On Mon, 28 Jan 2019 09:10:58 -0500
> Sonic via samba <samba at lists.samba.org> wrote:
>
>> Trying to use the idmap config ad on a domain member. The AD is an
>> actual Windows server and when logged in the AD server running ADUC
>> the NIS domain field on the UNIX attributes tab only shows a dash and
>> it cannot be changed.
> Does Domain Users have a gidNumber attribute containing a number
> inside the 10000-99999 range ?
>
> Do any Active directory groups have such a gidNumber ?
>
>> Domain member is RHEL 7.6 running Samba 4.8.3.
>>
>> Pertinent part of smb.conf:
>> =====================================
>> [global]
>>          security = ADS
>>          workgroup = MYDOMAIN
>>          realm = MYDOMAIN.LOCAL
>>          server string = mydomain
>>
>>          kerberos method = secrets and keytab
>>          winbind refresh tickets = yes
>>
>>          idmap config * : backend = tdb
>>          idmap config * : range = 3000-8999
>>          idmap config MYDOMAIN : backend = ad
>>          idmap config MYDOMAIN : schema_mode = rfc2307
>>          idmap config MYDOMAIN : range = 10000-99999
>>          idmap config MYDOMAIN : unix_nss_info = yes
>>
>>          vfs objects = acl_xattr
>>          map acl inherit = yes
>>          store dos attributes = yes
>> =====================================
>>
>> The documentation seems to strictly point to using a Samba AD with the
>> RSAT utility and here we're logged right on to the Windows AD using
>> the native ADUC application.
> ADUC is part of RSAT and the Samba 'ad' backend works in the same way
> that the Unix Attributes tab does.
>
> Rowland

Hi Rowland,

I read this post and started wondering myself. If the DC is a Windows
one, then I assume uid and gid creation is being handled automatically
by Windows Server. If that's correct, then I assume the ad backend is
the best one to use as the disadvantages mentioned in the wiki all
disappear, leaving only advantages. So, one only has to make sure that
the uids and gids created in the AD are within the range mentioned in
the smb.conf. Which begs the question, is it possible to influence this?

Viktor
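Added example, not from the thread or from the Samba project: a small Python check of the point discussed above, namely whether every AD user has a uidNumber and every group a gidNumber inside the `idmap config MYDOMAIN : range` from the quoted smb.conf. It works on a constructed smb.conf fragment and constructed LDIF records (stand-ins for real ldapsearch output, with hypothetical account names); accounts it lists would get no Unix id from the 'ad' backend on the domain member, which is why a "Domain Users" group without a gidNumber shows up.

```python
import re

# Constructed smb.conf fragment using the ranges from the thread; not a real config file.
SMB_CONF = """
    idmap config * : range = 3000-8999
    idmap config MYDOMAIN : backend = ad
    idmap config MYDOMAIN : range = 10000-99999
"""

# Constructed LDIF records (as ldapsearch prints them); hypothetical accounts, not real data.
LDIF = """
dn: CN=Domain Users,CN=Users,DC=mydomain,DC=local
objectClass: group
sAMAccountName: Domain Users

dn: CN=alice,CN=Users,DC=mydomain,DC=local
objectClass: user
sAMAccountName: alice
uidNumber: 10500

dn: CN=bob,CN=Users,DC=mydomain,DC=local
objectClass: user
sAMAccountName: bob
uidNumber: 5000
"""

def idmap_ranges(conf):
    """Return {domain: (low, high)} from 'idmap config DOM : range = low-high' lines."""
    found = re.findall(r"idmap config\s*(\S+)\s*:\s*range\s*=\s*(\d+)-(\d+)", conf)
    return {dom: (int(lo), int(hi)) for dom, lo, hi in found}

def ldif_entries(text):
    """Parse blank-line separated LDIF records into dicts of attribute -> list of values."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        attrs = {}
        for key, _, value in (line.partition(":") for line in block.splitlines()):
            attrs.setdefault(key.strip(), []).append(value.strip())
        entries.append(attrs)
    return entries

def unmappable(conf, ldif, domain):
    """Accounts the 'ad' backend cannot map: uidNumber (users) or gidNumber (groups)
    missing or outside the domain's configured range. Returns [(name, reason), ...]."""
    low, high = idmap_ranges(conf)[domain]
    problems = []
    for e in ldif_entries(ldif):
        attr = "gidNumber" if "group" in e.get("objectClass", []) else "uidNumber"
        val = e.get(attr, [None])[0]
        if val is None or not low <= int(val) <= high:
            problems.append((e["sAMAccountName"][0], f"{attr}={val} not in {low}-{high}"))
    return problems
```

To use it against a real domain, replace LDIF with the output of an ldapsearch for user and group objects requesting the sAMAccountName, objectClass, uidNumber and gidNumber attributes, and SMB_CONF with the member server's smb.conf.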
