[Samba] idmaps, again

Stefan G. Weichinger lists at xunil.at
Fri Mar 22 09:38:26 UTC 2019 

Am 21.03.19 um 22:42 schrieb Rowland Penny via samba:
> On Thu, 21 Mar 2019 22:34:02 +0100
> "Stefan G. Weichinger via samba" <samba at lists.samba.org> wrote:
> 
>> Am 21.03.19 um 19:54 schrieb Rowland Penny via samba:
>>
>>> This is one of the decisions you have to make, do you want to have
>>> the same ID's everywhere, or just on Unix domain members ?   
>>
>> We only have one Unix domain member aside from the DCs and that is the
>> samba file server.
>>
>>> Do you want to
>>> set different login shells and/or different home directories ?  
>>
>> nope
>>
>> the AD users don't do ssh or bash or so ... "only" file access and
>> stuff like login/logout and GPOs etc
>>
>> (only I and the main admin there use ssh to the servers ...)
> 
> Then you don't really need to be using the 'ad' backend.
> 
>>
>>> If you want the same ID's everywhere and the ability to set
>>> different login shells/homedirectories for your users, then you
>>> must use the 'ad' backend, this does involve adding uidNumber
>>> attributes to the user objects. This is what the Unix Attributes
>>> tab used to do.
>>>
>>> If none of the above applies, then you can use the 'rid' backend,
>>> this will give you the same ID's on all Unix domain members, but
>>> all users that connect to the computer will get the same login
>>> shell and homedirectory, you also will not have to add anything to
>>> AD.  
>>
>> And is it possible to change the backend from ad to rid with
>> reasonable effort?
> 
> Yes and then again no ;-)
> 
> Yes, it is easy to change from 'ad' to 'rid', but you would also have
> to change the file ownerships as well.

ok, but that doesn't sound too bad: rather generic permissions there, we
could solve that with some chmod-runs, I assume.

They basically use one fat share and have rather simple ACLs in place.

Is there a specific procedure to follow for this change or is it simply
editing smb.conf on the DM, restart, and editing the permissions?

Would the users itself need some editing as well (inside LDAP/AD)?

thanks!

More information about the samba mailing list