[Samba] Users lose supplementary groups after a time
Orion Poplawski
orion at nwra.com
Fri May 15 18:27:11 UTC 2020
On 5/15/20 8:22 AM, Rowland penny via samba wrote:
> On 15/05/2020 14:56, Orion Poplawski wrote:
>> On 5/15/20 12:56 AM, Rowland penny via samba wrote:
>>> On 14/05/2020 21:59, Orion Poplawski via samba wrote:
>>>>
>>>> This configuration (dropping the username map script hack) seems to be
>>>> working for us, does this seem correct?
>>>>
>>>> idmap config * : backend = tdb
>>>> idmap config * : range = 1000000-1999999
>>>> idmap config DOMAIN : backend = nss
>>>> idmap config DOMAIN : range = 1000-999999
>>>> winbind scan trusted domains = no
>>>
>>> Yes, that should work for your setup. It will map your local users to IPA
>>> users.
>>
>> Thanks for the response.
>>
>>> It isn't the way that I would do it though ;-)
>>>
>>> From what you have posted, you are mapping local users to IPA users and
>>> the IPA is in a trust with AD, I would just ignore IPA and join the
>>> computer to AD and get your users and groups directly. If you have AD, why
>>> not leverage it and have all users & groups stored in AD ?
>>
>> We do have all of our users and groups stored in AD :). But we also have
>> lots of Linux systems that are best managed via IPA. I suppose we could
>> have some that are just joined to AD, but I suspect that this would create
>> its own headaches and inconsistencies.
>
> Do you have any Samba shares ? From Samba 4.8.0 you cannot use sssd (not that
> I am saying you are using sssd).
Yes, the main issue here is around access to samba shares. I can't really
parse the statement that "you cannot use sssd". Of course we are using sssd.
That's what is resolving the AD users into local unix users via the IPA -
AD trust. What exactly do you mean when you say that we cannot use sssd?
> I am struggling to understand just what IPA gives you, except for
> authentication and you can do this with Samba directly from AD.
Lots with regard to policy and authorization:
- Fine grained PAM access controls for each host, user, group, service.
- Centralized sudo rules.
- Certificate issuance and renewal.
- Centralized automount configuration.
> The whole idea behind AD is to get centralised authentication (which from my
> understanding is what IPA does), so why have two authentication centres ?
There's more to it than authentication :)
--
Orion Poplawski
Manager of NWRA Technical Systems 720-772-5637
NWRA, Boulder/CoRA Office FAX: 303-415-9702
3380 Mitchell Lane orion at nwra.com
Boulder, CO 80301 https://www.nwra.com/
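As an added example (not part of the thread or of Samba), this script parses the idmap lines quoted above and flags the misconfigurations that produce wrong identities on a share: a missing default `*` domain, ranges that overlap, and ranges that reach into local system IDs. The 1000 cut-off for system accounts is an assumption; Samba's own `testparm` remains the authoritative check.

```python
import re

# The idmap lines posted in the thread, copied here as constructed sample input.
SAMPLE_SMB_CONF = """
idmap config * : backend = tdb
idmap config * : range = 1000000-1999999
idmap config DOMAIN : backend = nss
idmap config DOMAIN : range = 1000-999999
winbind scan trusted domains = no
"""

# Matches 'idmap config <domain> : <key> = <value>' (domain may be '*').
IDMAP_RE = re.compile(r"^\s*idmap\s+config\s+(?P<dom>\S+)\s*:\s*(?P<key>\w+)\s*=\s*(?P<val>.+?)\s*$", re.I)

def parse_idmap(conf):
    """Collect the idmap settings per domain, e.g. {'*': {'backend': 'tdb', 'range': ...}}."""
    domains = {}
    for line in conf.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            domains.setdefault(m["dom"].upper(), {})[m["key"].lower()] = m["val"]
    return domains

def check_idmap(conf, min_id=1000):
    """Return a list of problems; an empty list means the ranges look sane."""
    problems = []
    domains = parse_idmap(conf)
    if "*" not in domains:
        problems.append("no default '*' idmap domain defined")
    ranges = {}
    for dom, settings in domains.items():
        if "range" not in settings:
            problems.append(f"{dom}: no range configured")
            continue
        low, high = (int(x) for x in settings["range"].split("-", 1))
        if low > high:
            problems.append(f"{dom}: inverted range {settings['range']}")
            continue
        if low < min_id:  # assumed cut-off: IDs below this collide with local system accounts
            problems.append(f"{dom}: range starts below {min_id}")
        ranges[dom] = (low, high)
    # Samba requires non-overlapping ranges: an ID inside two ranges is two identities.
    names = sorted(ranges)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            (a_lo, a_hi), (b_lo, b_hi) = ranges[a], ranges[b]
            if a_lo <= b_hi and b_lo <= a_hi:
                problems.append(f"ranges of {a} and {b} overlap")
    return problems
```

Run it against a copy of your smb.conf before reloading winbind; the posted configuration passes, while widening the DOMAIN range into the tdb default range is reported as an overlap.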