[Samba] idmaps, again
rpenny at samba.org
Fri Mar 22 10:01:04 UTC 2019
On Fri, 22 Mar 2019 10:38:26 +0100
"Stefan G. Weichinger via samba" <samba at lists.samba.org> wrote:
> On 21.03.19 at 22:42 Rowland Penny via samba wrote:
> > On Thu, 21 Mar 2019 22:34:02 +0100
> > "Stefan G. Weichinger via samba" <samba at lists.samba.org> wrote:
> >> On 21.03.19 at 19:54 Rowland Penny via samba wrote:
> >>> This is one of the decisions you have to make, do you want to have
> >>> the same IDs everywhere, or just on Unix domain members?
> >> We only have one Unix domain member aside from the DCs and that is
> >> the samba file server.
> >>> Do you want to
> >>> set different login shells and/or different home directories ?
> >> nope
> >> the AD users don't do ssh or bash or so ... "only" file access and
> >> stuff like login/logout and GPOs etc
> >> (only I and the main admin there use ssh to the servers ...)
> > Then you don't really need to be using the 'ad' backend.
> >>> If you want the same IDs everywhere and the ability to set
> >>> different login shells/home directories for your users, then you
> >>> must use the 'ad' backend, this does involve adding uidNumber
> >>> attributes to the user objects. This is what the Unix Attributes
> >>> tab used to do.
> >>> If none of the above applies, then you can use the 'rid' backend,
> >>> this will give you the same IDs on all Unix domain members, but
> >>> all users that connect to the computer will get the same login
> >>> shell and home directory, you also will not have to add anything to
> >>> AD.
> >> And is it possible to change the backend from ad to rid with
> >> reasonable effort?
> > Yes and then again no ;-)
> > Yes, it is easy to change from 'ad' to 'rid', but you would also
> > have to change the file ownerships.
> ok, but that doesn't sound too bad: rather generic permissions there,
> we could solve that with some chmod-runs, I assume.
> They basically use one fat share and have rather simple ACLs in place.
It only really gets complicated if you have multiple shares and lots of
> Is there a specific procedure to follow for this change or is it
> simply editing smb.conf on the DM, restart, and editing the
Yes, that is basically it; the only thing I would add is to run 'net
cache flush' after restarting Samba.
> Would the users themselves need some editing as well (inside LDAP/AD)?
This is really up to you: you could, if you so wish, remove all the
rfc2307 attributes from AD, or you could just ignore them.
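The part of the switch that the thread glosses over as "some chmod-runs" is working out which new owner every file gets. The 'rid' backend computes IDs deterministically from the SID (man idmap_rid: ID = RID - BASE_RID + LOW_RANGE_ID, and a RID whose result falls outside the configured range is simply not mapped), so the new uid/gid for each file can be planned from the uidNumber/gidNumber values the 'ad' backend was using before anything on disk is touched. The script below is an added example, not code from this thread or from the Samba project; the domain SID, the users, the old rfc2307 numbers, the file list and the assumed range (`idmap config SAMDOM : range = 10000-999999`, `base_rid` left at its default of 0) are all constructed for the illustration.

```python
import re
from typing import Dict, List, Optional, Tuple

# A domain SID ends in the RID (relative identifier) of the object.
SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+-(\d+)$")


def rid_from_sid(sid: str) -> int:
    """Return the RID, i.e. the last sub-authority, of a domain SID."""
    m = SID_RE.match(sid)
    if not m:
        raise ValueError(f"not a domain SID: {sid}")
    return int(m.group(1))


def rid_backend_id(sid: str, low: int, high: int, base_rid: int = 0) -> Optional[int]:
    """Unix ID the 'rid' backend hands out for this SID, following the
    documented idmap_rid formula ID = RID - BASE_RID + LOW_RANGE_ID.
    Returns None when the ID would fall outside low..high, which is the
    case winbind refuses to map (the user then cannot own files at all)."""
    unix_id = rid_from_sid(sid) - base_rid + low
    if unix_id < low or unix_id > high:
        return None
    return unix_id


def build_chown_plan(ad_users: Dict[str, int], ad_groups: Dict[str, int],
                     files: List[Tuple[str, int, int]], low: int, high: int):
    """ad_users / ad_groups: {sid: uidNumber / gidNumber} as stored in AD and
    used by the 'ad' backend.  files: (path, uid, gid) snapshot of what is
    on disk now.  Returns (plan, unmapped): plan lists files whose owner or
    group changes together with the new ids; unmapped lists SIDs the 'rid'
    backend cannot map, whose files keep their old (now orphaned) id."""
    old_to_new_uid: Dict[int, int] = {}
    old_to_new_gid: Dict[int, int] = {}
    unmapped: List[str] = []
    for sid, uid in ad_users.items():
        new = rid_backend_id(sid, low, high)
        if new is None:
            unmapped.append(sid)
        else:
            old_to_new_uid[uid] = new
    for sid, gid in ad_groups.items():
        new = rid_backend_id(sid, low, high)
        if new is None:
            unmapped.append(sid)
        else:
            old_to_new_gid[gid] = new

    plan = []
    for path, uid, gid in files:
        # IDs that never came from AD (root, local service accounts) are
        # left alone; only ids the 'ad' backend handed out are rewritten.
        new_uid = old_to_new_uid.get(uid, uid)
        new_gid = old_to_new_gid.get(gid, gid)
        if (new_uid, new_gid) != (uid, gid):
            plan.append((path, new_uid, new_gid))
    return plan, unmapped


def chown_commands(plan) -> List[str]:
    """Render the plan as chown lines for review before anything is run."""
    return [f"chown {uid}:{gid} -- {path}" for path, uid, gid in plan]


# --- constructed sample data (not from the thread) ----------------------
DOMAIN = "S-1-5-21-111-222-333"
AD_USERS = {                       # sid -> uidNumber under the 'ad' backend
    f"{DOMAIN}-1105": 10001,       # alice
    f"{DOMAIN}-1108": 10002,       # bob
    f"{DOMAIN}-2000000": 10003,    # carol: RID too large for the range
}
AD_GROUPS = {                      # sid -> gidNumber under the 'ad' backend
    f"{DOMAIN}-513": 10000,        # Domain Users
    f"{DOMAIN}-1120": 10010,       # staff
}
FILES = [                          # (path, uid, gid) as on disk today
    ("/srv/share/report.docx", 10001, 10000),
    ("/srv/share/budget.xlsx", 10002, 10010),
    ("/srv/share/README", 0, 0),
    ("/srv/share/notes.txt", 10003, 10000),
]
LOW, HIGH = 10000, 999999          # assumed: idmap config SAMDOM : range


def example_plan():
    return build_chown_plan(AD_USERS, AD_GROUPS, FILES, LOW, HIGH)


if __name__ == "__main__":
    plan, unmapped = example_plan()
    print("\n".join(chown_commands(plan)))
    for sid in unmapped:
        print(f"# WARNING: {sid} has no 'rid' mapping in {LOW}-{HIGH}")
```

The plan is computed from a snapshot of the old ids, so it does not matter that the old 'ad' numbers and the new 'rid' numbers share the same range: every file is looked up against the ids it has now, not against ids already rewritten. The unmapped list is the check worth doing before editing smb.conf at all, since a user whose RID lands outside the range would lose access to files rather than just change uid.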