[Samba] accessing foreign AD users to NT domain

L.P.H. van Belle belle at bazuin.nl
Tue Aug 25 08:45:13 UTC 2020


> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of 
> Rowland penny via samba
> Sent: Tuesday, 25 August 2020 10:08
> To: samba at lists.samba.org
> Subject: Re: [Samba] accessing foreign AD users to NT domain
> On 25/08/2020 08:31, L.P.H. van Belle via samba wrote:
> >> You can also get rid of some of the old ways of doing things
> >> (using the  RID as a Unix ID for one).
> > Why use RID? I can't use RID. And RID is bad in my opinion.
> ER, no, I think you misunderstood me ;-)
Yes, definitely. I must have misunderstood.

> With the old NT4-style domains it used to be thought that using 
> the RID for a Unix ID was a good idea, e.g. if the RID was '1000' 
> the Unix ID was '1000'. Now this wasn't really a problem when you 
> had to have a Unix user and a Windows one, but later versions 
> didn't, the users could be in ldap. The problem is now coming to 
> the fore with the classic upgrade and if your Samba Unix ID's 
> start at '1000', you cannot have any local Unix users, which is 
> undoubtedly a problem on distros such as Ubuntu.

Ah, because of that; well, 15 years ago when I set up my old NT4 PDC,
I had already covered that UID problem. I saw that coming because of the setup I made.

I used the smbldap-tools in those days and, well, for me it was "logical"
that you don't use the locally available UIDs/GIDs and stay away from the local ranges.

The simplest command/tip for not using the system's ranges is:

grep -E "LAST_UID|LAST_GID" /etc/adduser.conf 

Results on Debian Buster in:

So my (new) range now will be LAST_[G-U]ID + 10001.
Trying to be future-proof (again).

> > I'm still waiting for Rowland's patch to go into Samba.
> > It's just crazy that even when we can use and add 
> UnixAttributes, they're not stored in the AD.
> > This would help so much if it were in; maintaining UIDs/GIDs 
> manually is not an option, that's craziness.
> > And it forces you into RID, but this is my personal opinion.
> >

> I have given up on that, there is always going to be a better way of 
> doing this, but it never turns up :-(
Well, I have an idea on that, but it has to wait until I'm finished with my server(s),
or my boss won't be happy.

> >> If you use 'acl_xattr', then the permissions might not be 
> set locally.
> > ? Uhm, acl_xattr and the permissions might not be set locally?
> >
> > What did I miss here?
> > The permissions might not be set locally? But then where 
> are they stored?
> 'set' and 'stored' are different, you can 'set' them from windows but 
> they are stored locally ;-)
Ah, OK, I think I really missed a biggie here.

> On a Samba Unix domain member, the permissions are stored in three 
> places, in the normal Unix acl (ugo) shown by 'ls', in extended ACLs 
> shown by 'getfacl' and in an EA shown by 'getfattr' or 'samba-tool'.
On this I also think we should make/have a compatibility matrix,
because if you use chmod/chown in the wrong place it destroys your Windows ACL.
chmod/chown is still used way too much in my opinion.

> > 15 years for me now; I'm replacing the server I wrote a 
> manual for 15 years ago.
> >
> > Here Windows XP, Windows 7 and Windows 10 do work, and do 
> log in without problems.
> > Only the drive mappings are shown as disabled every now and then.
> >
> > And this shifts users, so what happened, I really don't know, 
> but the simple net use command
> > fixes my problem; the problem is only with 1 server, and that 
> runs Samba 3.6.6.
> > I'm replacing it this week. Finally.
> Have you thought about contacting the Guinness Book of 
> Records for the slowest update ever? LOL.

Well, that server's install took me 6 months, but after that I haven't touched it for 12 years.
The damn thing keeps working :-)... And to me that only shows how powerful a good Samba server
setup can be. I've seen Novell, Bayes, Windows, and for me, Linux + Samba is all you need.
You only need to take some time to set it up correctly.
Our network here is now 100% Windows server free. Next is moving Windows 10 out with its
more and more crappy updates, and I think I've found a nice replacement for it.

And this upgrade, well, replacing that one is what I've been working on for a few months already.
It's a slow process, because I can't take it offline and I do way more here than only set up servers.
I'm helpdesk and support for everything here:
PCs, software, printers, hardware, VoIP, VPNs, new installs and upgrades.
Aahh... So yeah, it's a slow process when I work on my servers.
Only 2 hands and a 1-guy ICT department. :-/
Hey, I'm happy that I have work these days, so....

OK, back to work or I'm not getting it done, and the boss is back next week.
I promised to have switched servers by then. ;-)

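As an added example (this is not code from the post, nor from Samba or smbldap-tools), the adduser.conf tip above turned into a small POSIX shell check: it reads LAST_UID/LAST_GID, starts the Samba idmap range 10001 above the higher of the two, emits the matching smb.conf idmap lines for a Unix domain member, and lists any local account that already sits inside the chosen range. The domain name SAMDOM, the "ad" idmap backend, the 100000-id range width, and the sample adduser.conf and passwd entries are all assumptions made for the illustration.

```shell
#!/bin/sh
# Added example, not from the original post: pick a Samba idmap range that
# stays clear of the local UID/GID range reserved by Debian's adduser.conf.
# Assumed for illustration: domain SAMDOM, backend "ad", range width 100000.

# Highest of LAST_UID and LAST_GID in an adduser.conf. A key that is missing
# or commented out falls back to Debian's default of 59999.
last_local_id() {
    uid=$(sed -n 's/^LAST_UID=\([0-9][0-9]*\).*/\1/p' "$1" | tail -n 1)
    gid=$(sed -n 's/^LAST_GID=\([0-9][0-9]*\).*/\1/p' "$1" | tail -n 1)
    [ -n "$uid" ] || uid=59999
    [ -n "$gid" ] || gid=59999
    if [ "$uid" -gt "$gid" ]; then echo "$uid"; else echo "$gid"; fi
}

# First id of the Samba range: LAST_[GU]ID + 10001, the offset used in the post.
idmap_low() {
    echo $(( $(last_local_id "$1") + 10001 ))
}

# Local accounts (passwd-format file, e.g. saved from "getent passwd") whose
# uid or primary gid falls inside [low, high]; prints "name:uid:gid" per clash.
# Must be empty before the range is put into smb.conf.
idmap_clashes() {
    awk -F: -v lo="$2" -v hi="$3" \
        '($3 >= lo && $3 <= hi) || ($4 >= lo && $4 <= hi) { print $1 ":" $3 ":" $4 }' "$1"
}

# smb.conf idmap lines for a Unix domain member. The "*" default range is
# placed just below the domain range, so both stay above the local ids and
# never overlap each other.
idmap_config() {
    low=$(idmap_low "$1")
    high=$(( low + 99999 ))
    printf 'idmap config * : backend = tdb\n'
    printf 'idmap config * : range = %d-%d\n' $(( low - 5000 )) $(( low - 1 ))
    printf 'idmap config SAMDOM : backend = ad\n'
    printf 'idmap config SAMDOM : schema_mode = rfc2307\n'
    printf 'idmap config SAMDOM : range = %d-%d\n' "$low" "$high"
}

# Constructed sample input (not a real system's files) so this runs offline.
conf=$(mktemp); passwd=$(mktemp)
printf 'FIRST_UID=1000\nLAST_UID=59999\nFIRST_GID=1000\nLAST_GID=59999\n' > "$conf"
printf 'root:x:0:0:root:/root:/bin/sh\n' > "$passwd"
printf 'alice:x:1000:1000::/home/alice:/bin/sh\n' >> "$passwd"
printf 'legacy:x:75000:75000::/home/legacy:/bin/sh\n' >> "$passwd"

low=$(idmap_low "$conf")
echo "Samba range starts at $low"
idmap_config "$conf"
echo "Local accounts inside the range (must be empty before switching):"
idmap_clashes "$passwd" "$low" $(( low + 99999 ))
rm -f "$conf" "$passwd"
```

On a real machine, point the functions at /etc/adduser.conf and at the output of "getent passwd" rather than the constructed files. With the "ad" backend the uidNumber/gidNumber values stored in AD must themselves fall inside the domain range, so the same clash check applies to the values you put in the UnixAttributes.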