[Samba] suddenly change: idmap uid + gid
Alexey A Nikitin
nikitin at amazon.com
Tue Nov 5 20:57:36 UTC 2019
On Tuesday, 5 November 2019 12:42:29 PST Rowland penny via samba wrote:
> On 05/11/2019 20:03, Alexey A Nikitin wrote:
> > In my case I have no control over the domain, and I have neither control nor knowledge ahead of time whether there is one domain or a whole forest of domains or even cross-forest trust relationships; all I know is the name of the domain where the primary user of a given machine resides. Because I have no control over the domain I cannot make use of RFC2307 attributes and the 'ad' backend, and because I don't know the number of the domains I have to use the 'autorid' backend, or so I understand so far. You're saying that if there is only one domain then 'autorid' should not be used.
> No, that is not what I said, I said that there is no point in using
> 'rid' with 'autorid' and if you have only one domain, you can use
> the 'rid' or 'ad' winbind backends, but there is nothing stopping you
> using 'autorid' instead.
> > Is it because of technical reasons, or simply because it is overkill for the single-domain use case? IIRC earlier you (or someone else) said that there is a way to allocate a subrange for a given domain with autorid before anyone from that domain authenticates on the machine (I have the notes, I'm just too lazy to pull them up right now); my understanding is that with that approach I can use the 'autorid' backend regardless of the number of domains in a forest.
> You can use 'autorid' with one or more domains, it is just that
> 'autorid' was written to ease the setup of smb.conf with multiple domains.
> I would suggest that if you have (or think you might have) more than one
> domain, then use 'autorid'. If you only have one domain and will never
> have more than one and do not need RFC2307 attributes, then use 'rid'.
> If you need the RFC2307 attributes, then use 'ad'.
> Just use the backend that fits your requirements, but set it up
> correctly. For more info, read the relevant manpage:
> 'ad' : man idmap_ad
> 'rid' : man idmap_rid
> 'autorid' : man idmap_autorid
Cool, that's exactly what I was asking, thank you for clarifying.
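
The three choices described in the quoted reply, as an added smb.conf sketch that is not part of the original thread. The domain name EXAMPLE, the realm EXAMPLE.COM and every ID range are constructed placeholders; check each parameter against the manpages listed above before use.

```ini
# Added example, not from the thread. EXAMPLE / EXAMPLE.COM and all ranges
# are placeholders. Enable exactly one of alternatives A, B or C.
[global]
    security = ADS
    workgroup = EXAMPLE
    realm = EXAMPLE.COM

    # Alternative A: 'autorid'. One or more domains, number not known ahead
    # of time. autorid is set as the default (*) backend and gives each
    # domain its own rangesize-wide slice of the overall range, so no
    # per-domain 'rid' section is added next to it.
    idmap config * : backend = autorid
    idmap config * : range = 1000000-19999999
    idmap config * : rangesize = 1000000

    # Alternative B: 'rid'. Exactly one domain, no RFC2307 attributes.
    # The default (*) domain gets a small 'tdb' range for BUILTIN and
    # well-known SIDs; it must not overlap the domain range.
    ; idmap config * : backend = tdb
    ; idmap config * : range = 3000-7999
    ; idmap config EXAMPLE : backend = rid
    ; idmap config EXAMPLE : range = 10000-999999

    # Alternative C: 'ad'. IDs come from the RFC2307 attributes
    # (uidNumber / gidNumber) stored in AD, so this needs someone with
    # control over the domain to populate them.
    ; idmap config * : backend = tdb
    ; idmap config * : range = 3000-7999
    ; idmap config EXAMPLE : backend = ad
    ; idmap config EXAMPLE : schema_mode = rfc2307
    ; idmap config EXAMPLE : range = 10000-999999
```

Whichever alternative is used, keep the ranges fixed once IDs have been handed out: files on disk are owned by the numeric uid/gid, so a changed mapping changes who can access them.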