[Samba] winbind question
Rowland penny
rpenny at samba.org
Sat Feb 15 22:02:24 UTC 2020
On 15/02/2020 21:31, Steve Thompson via samba wrote:
> On Sat, 15 Feb 2020, Rowland penny via samba wrote:
>
>> On 15/02/2020 19:15, Steve Thompson via samba wrote:
>>> Now I am using samba 4.11.6 on CentOS 7.7, patched up to date.
>> Have you compiled Samba yourself, or are you using Samba packages and
>> if so, where from ?
>>> The DC, on a KVM VM, is the only node configured so far. I am using
>>> winbind in place of sssd (my first experience with winbind). BIND9_DLZ
>>> pointing to a DNS hosted on the same virtual box.
>> What do you mean by 'DNS hosted on the same virtual box' ?
>>> The smb.conf is exactly as created by the domain provision, except
>>> that I added:
>>>
>>>     winbind use default domain = yes
>>>     winbind nss info = rfc2307
>> Those two do not work on a DC.
>
> OK, I removed them.
>
>>> All installation tests seem to work OK. I create a group and a user
>>> (username smt) with samba-tool, and add the appropriate loginShell,
>>> unixHomeDirectory, uidNumber and gidNumber attributes. The "wbinfo
>>> -i smt" command gives:
>>>
>>>     VOYAGER\smt:*:1000:100::/fs/home/smt:/bin/zsh
>>
>> Is there a reason to use such low IDs?
>
> UIDs and GIDs are already assigned (via file ownerships) for 2500
> users across many fileservers, and I do not really want to change them.
That is a good enough reason ;-)
>
>> I know where the '100' is coming from, you haven't given Domain Users
>> a gidNumber.
>
> I assigned a gidNumber to Domain Users, and now both wbinfo and getent
> return that number for the user's gid instead of the user's gidNumber
> from the database. This is wrong, is it not? And it doesn't explain why
> the uid was incorrect also.
OK, on a DC, by default, the user & group IDs are allocated in
idmap.ldb (xidNumbers in the 3000000 range), but if you give a user a
uidNumber, this will be used instead of the xidNumber. The same goes for
a group: give it a gidNumber and this will be used instead of the
xidNumber. You can give every AD user a gidNumber attribute (which must
be the gidNumber of an existing group) and it will be ignored on a DC.
If you want to use that user's gidNumber, there is only one way: create a
Unix domain member running Samba >= 4.6.0 using idmap_ad and use 'idmap
config SAMDOM:unix_primary_group = yes' in smb.conf.
>
>> Yes, do not use the DC as a fileserver ;-)
>
> I understand this.
>
>> You cannot use the loginShell, and unixHomeDirectory attributes on a
>> Samba AD DC
>
> I understand this too. I don't understand why this should be a
> limitation, though. I realize it was coded this way, but why?
>
I am with you, but there are numerous other reasons not to use a DC as a
fileserver.
Rowland
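As an added example, not taken from this thread or from the Samba project, here is the shape of smb.conf a Unix domain member (not the DC) would carry so that winbind honours the user's own gidNumber, loginShell and unixHomeDirectory as described above. The domain name VOYAGER comes from the wbinfo output in the thread; the realm, ID ranges and template paths are assumed.

```ini
# Assumed smb.conf for a Samba >= 4.6 Unix domain member, added as an
# example; the realm, ID ranges and template paths are placeholders.
[global]
   workgroup = VOYAGER
   realm = VOYAGER.EXAMPLE.COM          ; assumed realm
   security = ADS
   log file = /var/log/samba/%m.log
   log level = 1

   ; Default backend for BUILTIN and any domain without its own config;
   ; its range must not overlap the VOYAGER range below.
   idmap config * : backend = tdb
   idmap config * : range = 3000000-3999999

   ; Read uidNumber/gidNumber from AD (the RFC2307 attributes set on the
   ; users and on Domain Users). The range must cover the existing low IDs
   ; in the thread (uid 1000, gid 100), so it starts well below the tdb
   ; range; make sure these values do not collide with local /etc/passwd
   ; and /etc/group entries on the member.
   idmap config VOYAGER : backend = ad
   idmap config VOYAGER : schema_mode = rfc2307
   idmap config VOYAGER : range = 100-999999

   ; Use the user's own gidNumber as the primary group instead of the
   ; gidNumber of the user's primary Windows group (Domain Users).
   idmap config VOYAGER : unix_primary_group = yes

   ; Take loginShell and unixHomeDirectory from AD; fall back to the
   ; templates for users that lack those attributes.
   idmap config VOYAGER : unix_nss_info = yes
   template shell = /bin/bash
   template homedir = /home/%U

   winbind use default domain = yes
```

After joining the member with `net ads join`, `wbinfo -i smt` and `getent passwd smt` on the member should return the user's own uidNumber and gidNumber rather than the Domain Users gid seen on the DC.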