[Samba] idmaps, again

Rowland Penny rpenny at samba.org
Fri Mar 22 10:01:04 UTC 2019


On Fri, 22 Mar 2019 10:38:26 +0100
"Stefan G. Weichinger via samba" <samba at lists.samba.org> wrote:

> Am 21.03.19 um 22:42 schrieb Rowland Penny via samba:
> > On Thu, 21 Mar 2019 22:34:02 +0100
> > "Stefan G. Weichinger via samba" <samba at lists.samba.org> wrote:
> >   
> >> Am 21.03.19 um 19:54 schrieb Rowland Penny via samba:
> >>  
> >>> This is one of the decisions you have to make, do you want to have
> >>> the same ID's everywhere, or just on Unix domain members ?     
> >>
> >> We only have one Unix domain member aside from the DCs and that is
> >> the samba file server.
> >>  
> >>> Do you want to
> >>> set different login shells and/or different home directories ?    
> >>
> >> nope
> >>
> >> the AD users don't do ssh or bash or so ... "only" file access and
> >> stuff like login/logout and GPOs etc
> >>
> >> (only I and the main admin there use ssh to the servers ...)  
> > 
> > Then you don't really need to be using the 'ad' backend.
> >   
> >>  
> >>> If you want the same ID's everywhere and the ability to set
> >>> different login shells/homedirectories for your users, then you
> >>> must use the 'ad' backend, this does involve adding uidNumber
> >>> attributes to the user objects. This is what the Unix Attributes
> >>> tab used to do.
> >>>
> >>> If none of the above applies, then you can use the 'rid' backend,
> >>> this will give you the same ID's on all Unix domain members, but
> >>> all users that connect to the computer will get the same login
> >>> shell and homedirectory, you also will not have to add anything to
> >>> AD.    
> >>
> >> And is it possible to change the backend from ad to rid with
> >> reasonable effort?  
> > 
> > Yes and then again no ;-)
> > 
> > Yes, it is easy to change from 'ad' to 'rid', but you would also
> > have to change the file ownerships as well.  
> 
> ok, but that doesn't sound too bad: rather generic permissions there,
> we could solve that with some chmod-runs, I assume.
> 
> They basically use one fat share and have rather simple ACLs in place.

It only really gets complicated if you have multiple shares and lots of
users.

> 
> Is there a specific procedure to follow for this change or is it
> simply editing smb.conf on the DM, restart, and editing the
> permissions?

Yes, that is basically it, the only thing I would add is to run 'net
cache flush' after restarting Samba.

> 
> Would the users themselves need some editing as well (inside LDAP/AD)?

This is really up to you: you could, if you so wish, remove all the
rfc2307 attributes from AD, or you could just ignore them.

Rowland
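The switch Rowland describes (change the idmap section of smb.conf on the domain member, restart Samba, run 'net cache flush', then fix file ownership) written out as a shell script. This is an added example; it is not from the thread and not Samba's own tooling. The domain name SAMDOM, the idmap range 10000-999999, the share root /srv/share and the uid/SID table are all constructed assumptions. The only real mechanics it relies on are that the 'rid' backend computes ID = range low + RID (with the default base_rid of 0), that 'wbinfo -U <uid>' / 'wbinfo -G <gid>' print the SID behind an ID, and that GNU chown's --from= only touches files that currently carry the old ID.

```shell
#!/bin/sh
# Added example (not from the samba list thread or from Samba itself):
# moving a domain member from the 'ad' to the 'rid' idmap backend.
# SAMDOM, the range, /srv/share and the ID table below are constructed.

# --- 1. smb.conf on the domain member: before and after ----------------
# Before (ad backend, IDs come from the rfc2307 uidNumber/gidNumber
# attributes stored in AD):
#   idmap config * : backend = tdb
#   idmap config * : range = 3000-7999
#   idmap config SAMDOM : backend = ad
#   idmap config SAMDOM : schema_mode = rfc2307
#   idmap config SAMDOM : range = 10000-999999
#   winbind nss info = rfc2307
# After (rid backend, IDs computed from the SID, everyone gets the
# template shell and home directory, nothing needed in AD):
#   idmap config * : backend = tdb
#   idmap config * : range = 3000-7999
#   idmap config SAMDOM : backend = rid
#   idmap config SAMDOM : range = 10000-999999
#   template shell = /bin/bash
#   template homedir = /home/%U
# Then: restart smbd and winbind, and run 'net cache flush' so winbind
# forgets the ID mappings it cached under the old backend.

# The rid backend maps a SID's RID to a Unix ID deterministically:
#   ID = RANGE_LOW + RID   (default base_rid = 0)
# so a user gets the same ID on every domain member with this smb.conf.
rid_to_id() {
    # $1 = low end of the SAMDOM idmap range, $2 = RID
    echo $(( $1 + $2 ))
}

# The RID is the last dash-separated component of the SID.
sid_to_rid() {
    echo "${1##*-}"
}

# --- 2. Old IDs -> SIDs, captured BEFORE editing smb.conf --------------
# Constructed table in the form "u|g OLD_ID SID". With the 'ad' backend
# still active, 'wbinfo -U 10001' (users) and 'wbinfo -G 10000' (groups)
# print these SIDs; after the switch the old mapping no longer exists,
# so this must be collected first. 513 is the Domain Users RID.
OLD_MAP='u 10001 S-1-5-21-1111111111-2222222222-3333333333-1105
u 10002 S-1-5-21-1111111111-2222222222-3333333333-1106
u 10500 S-1-5-21-1111111111-2222222222-3333333333-1250
g 10000 S-1-5-21-1111111111-2222222222-3333333333-513'
RANGE_LOW=10000

# Refuse to plan if some entry's old ID equals another entry's new ID:
# a later 'chown --from=' pass would then re-own files already converted.
plan_is_safe() {
    # $1 = range low, $2 = table
    olds=$(printf '%s\n' "$2" | awk 'NF { print $2 }')
    news=$(printf '%s\n' "$2" | awk -v low="$1" 'NF { n = split($3, p, "-"); print low + p[n] }')
    for n in $news; do
        for o in $olds; do
            [ "$n" = "$o" ] && return 1
        done
    done
    return 0
}

# --- 3. Ownership fix-ups, one chown per old ID ------------------------
# --from= makes chown touch only files that still carry the old ID, so
# the plan can be re-run safely; groups go through chown --from=:OLD :NEW.
ownership_fixups() {
    # $1 = share root, $2 = table, $3 = range low
    printf '%s\n' "$2" | while read -r kind old sid; do
        [ -n "$old" ] || continue
        new=$(rid_to_id "$3" "$(sid_to_rid "$sid")")
        case "$kind" in
            u) printf 'chown -R --from=%s %s %s\n' "$old" "$new" "$1" ;;
            g) printf 'chown -R --from=:%s :%s %s\n' "$old" "$new" "$1" ;;
        esac
    done
}

# Print the plan; pipe it into 'sh' as root on the member once Samba has
# been restarted and 'net cache flush' has run.
if plan_is_safe "$RANGE_LOW" "$OLD_MAP"; then
    ownership_fixups /srv/share "$OLD_MAP" "$RANGE_LOW"
else
    echo "old and new IDs overlap; convert via a temporary range first" >&2
fi
```

Afterwards 'id <user>' and 'wbinfo -i <user>' on the member should show the computed IDs (10001 becomes 11105 in the constructed table). Note that these IDs only match across Unix domain members sharing this smb.conf; the DCs keep allocating their own xidNumber values, which is the distinction Rowland draws between the 'ad' and 'rid' backends.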
