[Samba] Is Samba 4.9 and "map untrusted to domain" possible anymore?
Rowland penny
rpenny at samba.org
Thu Jun 4 14:12:07 UTC 2020
On 04/06/2020 15:07, Harald Hannelius via samba wrote:
>
> On Thu, 4 Jun 2020, Rowland penny via samba wrote:
>> On 04/06/2020 14:46, Harald Hannelius via samba wrote:
>>>
>>> So the best way for me would be to implement the RFC2307/SFU schema
>>> in the Windows AD "AD", add the same uidNumber for every user in
>>> "AD" as they had in the old "Samba" domain, and then just join the
>>> fileservers to the "AD" domain?
>>>
>>> Then I change the map-range to be like it was for the "SAD" domain.
>>>
>>> It's more like migrating filesystems with users and groups tied to
>>> files than just migrating users.
>>
>> Yes you could do that, but don't forget groups as well and if you do
>> not have any groups (usergroups count as no groups), ensure that
>> Domain Users has a gidNumber inside whatever range you end up with.
>
> Ouch. I forgot my groups. Have to calculate them in as well.
>
> And another ouch is I would not be able to utilize my Samba AD which I
> like much better than the Windows version.
>
> If I remember correctly, there's no additional idmap range for groups
> but they are rather inside the same numeric range as users in AD? So I
> now have duplicate idmap numbers because they originate from users and
> groups?
Yes, users and groups do use the same range, a user is not a group, so
you can have a user with the ID 10000 and a group can also have the ID
10000 e.g.

getent passwd rowland
rowland:*:10000:10000:Rowland Penny:/home/rowland:/bin/bash

Rowland
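
The checks discussed in this thread, as an added example that is not part of the original messages: it verifies that every uidNumber and gidNumber lies inside the idmap range, that Domain Users has a gidNumber, and that no number is reused within one namespace (a reused uidNumber would give two accounts the same file ownership), while a user and a group sharing a number is accepted. The range and all records are constructed sample data, and the function names are hypothetical.

```python
# Added example: pre-migration sanity check for RFC2307 IDs.
# The range and every record below are constructed sample data.
from collections import Counter

IDMAP_RANGE = (10000, 999999)  # assumed range; use the one from your own smb.conf

# Constructed records, as they might look after exporting them from the directory.
USERS = [
    {"name": "rowland", "uidNumber": 10000},
    {"name": "harald", "uidNumber": 10001},
    {"name": "olduser", "uidNumber": 1005},   # below the range
    {"name": "clash", "uidNumber": 10001},    # same uidNumber as harald
]
GROUPS = [
    {"name": "Domain Users", "gidNumber": None},  # attribute not set
    {"name": "staff", "gidNumber": 10000},        # same number as user rowland: fine
]

def check_ids(entries, attr, id_range):
    """Return (missing, out_of_range, duplicated) for one ID namespace."""
    low, high = id_range
    missing = [e["name"] for e in entries if e.get(attr) is None]
    present = [e for e in entries if e.get(attr) is not None]
    out_of_range = [e["name"] for e in present if not low <= e[attr] <= high]
    counts = Counter(e[attr] for e in present)
    duplicated = sorted(n for n, c in counts.items() if c > 1)
    return missing, out_of_range, duplicated

def report(users, groups, id_range):
    """Collect findings; users and groups are separate namespaces."""
    findings = []
    for label, entries, attr in (("user", users, "uidNumber"),
                                 ("group", groups, "gidNumber")):
        missing, out_of_range, duplicated = check_ids(entries, attr, id_range)
        findings += [f"{label} {n}: no {attr}" for n in missing]
        findings += [f"{label} {n}: {attr} outside range" for n in out_of_range]
        findings += [f"{attr} {i} assigned to more than one {label}" for i in duplicated]
    return findings

if __name__ == "__main__":
    for line in report(USERS, GROUPS, IDMAP_RANGE):
        print(line)
```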