[Samba] accessing foreign AD users to NT domain
L.P.H. van Belle
belle at bazuin.nl
Tue Aug 25 08:45:13 UTC 2020
> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> Rowland penny via samba
> Sent: Tuesday 25 August 2020 10:08
> To: samba at lists.samba.org
> Subject: Re: [Samba] accessing foreign AD users to NT domain
> On 25/08/2020 08:31, L.P.H. van Belle via samba wrote:
> >> You can also get rid of some of the old ways of doing things
> >> (using the RID as a Unix ID for one).
> > Why use RID? I can't use RID.. And RID is bad in my opinion.
> ER, no, I think you misunderstood me ;-)
Yes, definitely.. I must have misunderstood..
> With the old NT4-style domains it used to be thought that using the RID for
> a Unix ID was a good idea, e.g. if the RID was '1000' the Unix ID was '1000'.
> Now this wasn't really a problem when you had to have a Unix user and a
> Windows one, but later versions didn't, the users could be in ldap. The
> problem is now coming to the fore with the classic upgrade and if your
> Samba Unix IDs start at '1000', you cannot have any local Unix users, which
> is undoubtedly a problem on distros such as Ubuntu.
Ah, because of that, well, 15 years ago when I set up my old NT4 PDC
I already covered that uid problem.. I saw that coming, because of the setup I made.
I used the smbldap-tools in those days and well, for me it was "logical"
that you don't use the locally available UIDs/GIDs and stay away from the local ranges.
The simplest command/tip for not using the system's ranges is:
grep -E "LAST_UID|LAST_GID" /etc/adduser.conf
Results in Debian Buster in:
So my (new) range now will be LAST_[G-U]ID + 10001
Trying to be future proof (again).
> > I'm still waiting for Rowland's patch to go into Samba.
> > It's just crazy that even when we can use and add UnixAttributes, it's
> > not stored in the AD.
> > This would help so much if it's in; maintaining UID/GIDs manually is not
> > an option, that's craziness.
> > And it forces you into RID, but this is my personal opinion.
> I have given up on that, there is always going to be a better way of
> doing this, but it never turns up :-(
Well, I have an idea on that, but it has to wait until I'm finished with my server(s),
or my boss won't be happy..
> >> If you use 'acl_xattr', then the permissions might not be set locally.
> > ? Uhm,, acl_xattr and the permissions might not be set locally? What did I miss here?
> > The permissions might not be set locally? But then where are they stored?
> 'set' and 'stored' are different, you can 'set' them from windows but
> they are stored locally ;-)
Ah, ok, I think I really missed a biggie here..
> On a Samba Unix domain member, the permissions are stored in three
> places, in the normal Unix acl (ugo) shown by 'ls', in extended ACLs
> shown by 'getfacl' and in an EA shown by 'getfattr' or 'samba-tool'.
On this I also think we should make/have a compatibility matrix,
because if you use chmod/chown in the wrong place it destroys your Windows ACL.
chmod/chown is still used way too much in my opinion.
> > 15 years for me now; I'm replacing the server I wrote a manual for 15 years ago.
> > Here Windows XP, Windows 7 and Windows 10 do work, do log in without problems.
> > Only the drive mappings are shown as disabled now and then.
> > And this shifts users, so what happened I really don't know, but the simple
> > net use command fixes my problem; the problem is only with 1 server, and
> > that runs Samba 3.6.6.
> > I'm replacing it this week. Finally.
> Have you thought about contacting the Guinness book of records? For the
> slowest update ever LOL.
Well, that server's install took me 6 months, but after that I haven't touched it for 12 years.
The damn thing keeps working :-)... And to me that only shows how powerful a good Samba server
setup can be. I've seen Novell, Bayes, Windows and for me, Linux + Samba is all you need.
You only need to take some time to set it up correctly..
Our network here is now 100% Windows server free.. Next is moving Windows 10 out with its
more and more crappy updates, and I think I've found a nice replacement for it.
And this upgrade, well, replacing that one is what I'm working on for a few months already.
It's a slow process, because I can't take it offline and I do way more here than only set up servers.
I'm helpdesk and support for everything here:
PCs, software, printers, hardware, VoIP, VPNs, new installs and upgrades.
Aahh.. So yeah, it's a slow process when I work on my servers.
Only 2 hands and a 1-guy ICT department. :-/
Hey, I'm happy that I have work these days so, ....
Ok, back to work or I'm not getting it done, and boss is back next week.
I promised to have switched servers by then.. ;-)
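The LAST_UID/LAST_GID tip from the message above, worked through as an added shell example (not from the message, and not Samba project code): it reads the two values from a constructed adduser.conf sample, applies the + 10001 rule, and then checks constructed /etc/passwd entries for local accounts that already sit inside the proposed range. The sample file contents and the 90000-id range width are assumptions.

```shell
#!/bin/sh
# Added example: pick a Samba UID/GID range that stays clear of the local
# ranges in /etc/adduser.conf (LAST_[G-U]ID + 10001) and check that no
# existing local account already sits inside it. Not Samba project code.

# Constructed sample of the relevant adduser.conf lines (Debian defaults assumed).
ADDUSER_CONF_SAMPLE='FIRST_UID=1000
LAST_UID=59999
FIRST_GID=1000
LAST_GID=59999'

# Constructed sample /etc/passwd entries; svc-backup deliberately collides.
PASSWD_SAMPLE='root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000::/home/alice:/bin/bash
svc-backup:x:70005:70005::/var/backups:/usr/sbin/nologin'

# conf_value KEY CONF_TEXT: print the value of KEY (last occurrence wins).
conf_value() {
    printf '%s\n' "$2" | grep -E "^$1=" | tail -n 1 | cut -d= -f2
}

# range_start CONF_TEXT: first id of the new range, max(LAST_UID, LAST_GID) + 10001.
# Fails if either key is missing so a broken conf cannot silently yield 10001.
range_start() {
    uid=$(conf_value LAST_UID "$1")
    gid=$(conf_value LAST_GID "$1")
    [ -n "$uid" ] && [ -n "$gid" ] || return 1
    if [ "$uid" -gt "$gid" ]; then echo $((uid + 10001)); else echo $((gid + 10001)); fi
}

# ids_in_range LOW HIGH DB_TEXT: print passwd/group lines whose numeric id
# (third colon-separated field) lies inside LOW..HIGH, i.e. would collide.
ids_in_range() {
    printf '%s\n' "$3" | awk -F: -v lo="$1" -v hi="$2" '$3 >= lo && $3 <= hi'
}

# Stand-alone run: report the proposed range and any colliding local accounts.
START=$(range_start "$ADDUSER_CONF_SAMPLE") || { echo "LAST_UID/LAST_GID not found" >&2; exit 1; }
END=$((START + 89999))   # assumed range width of 90000 ids
echo "Proposed Samba id range: $START-$END"
COLLISIONS=$(ids_in_range "$START" "$END" "$PASSWD_SAMPLE")
if [ -n "$COLLISIONS" ]; then
    echo "Local accounts already inside that range:"
    echo "$COLLISIONS"
fi
```

Run the same ids_in_range check against /etc/group as well, since the GID side of the range must be free too.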