[Samba] id mapping
Patrick Goetz
pgoetz at math.utexas.edu
Sun Sep 19 18:39:58 UTC 2021
To clarify my previous message: the proposed configuration would be for
a linux Samba file server bound to the domain, not the DC, for which, I
believe, it is not recommended to use the RFC2307 mappings (also not
sure why this is, but since I'm not letting users log in to the DC, it
doesn't matter much).
On 9/19/21 1:16 PM, Patrick Goetz via samba wrote:
> Hi -
>
> This question is with reference to:
> https://wiki.samba.org/index.php/Idmap_config_ad
>
> I think I know how this works, but there are still points of confusion.
> Given the example smb.conf file provided on the page referenced above:
>
> [global] section of smb.conf:
> -------------------------------------
> security = ADS
> workgroup = SAMDOM
> realm = SAMDOM.EXAMPLE.COM
>
> log file = /var/log/samba/%m.log
> log level = 1
>
> # Default ID mapping configuration for local BUILTIN accounts
> # and groups on a domain member. The default (*) domain:
> # - must not overlap with any domain ID mapping configuration!
> # - must use a read-write-enabled back end, such as tdb.
> idmap config * : backend = tdb
> idmap config * : range = 3000-7999
> # - You must set a DOMAIN backend configuration
> # idmap config for the SAMDOM domain
> idmap config SAMDOM:backend = ad
> idmap config SAMDOM:schema_mode = rfc2307
> idmap config SAMDOM:range = 10000-999999
> idmap config SAMDOM:unix_nss_info = yes
>
> vfs objects = acl_xattr
> map acl inherit = yes
> store dos attributes = yes
> -------------------------------------
>
> I believe "Default domain" is a bit of a misnomer referring to accounts
> that are identified by nss before it gets to winbind or sssd; i.e.
> accounts found in /etc/passwd. So on this system (assuming no other
> directory services are configured), UIDs 3000-7999 are available for use
> in /etc/passwd. What I don't understand is why you're assigning a tdb
> backend to this when the authentication is going to be handled by
> pam_unix rather than pam_winbind. That's the main point of confusion.
>
>
> Second, I'm assuming these 2 lines:
>
> idmap config SAMDOM:schema_mode = rfc2307
> idmap config SAMDOM:range = 10000-999999
>
> Refer to the values that can be set for the uidNumber attribute in the
> Active Directory database and further that users authenticating on this
> linux system will have the UIDs and GIDs specified in the uidNumber and
> gidNumber attributes associated with their user record.
>
> It seems like you don't necessarily need:
>
> idmap config SAMDOM:unix_nss_info = yes
>
> if everyone uses the same default shell and has the same home directory
> path; i.e. if these can be set using a global template.
>
> Based on the correctness of the above, I'm converting a small NT domain
> to Active Directory (by hand). The environment has several linux
> machines with local UIDs assigned in the 1001-2000 range (but with the
> UIDs the same across the linux hosts). Since I don't plan to bind most
> of the linux machines to the domain (there is a vague user-driven
> business case for this), I would like the authorization to work the same
> for Samba shares to AD bound Windows machines and the standalone linux
> workstations, since these systems mount the same remote filesystems via
> either SMB or NFS in the case of the linux systems. So my thought is to
> do something like this:
>
> portion of [global] section of smb.conf
> -------------------------------------
> idmap config * : backend = tdb
> idmap config * : range = 2000-2999
> # - You must set a DOMAIN backend configuration
> # idmap config for the SAMDOM domain
> idmap config SAMDOM:backend = ad
> idmap config SAMDOM:schema_mode = rfc2307
> idmap config SAMDOM:range = 1001-1999
> -------------------------------------
>
> Again, very unclear why I'm configuring a tdb database for local
> accounts, if my understanding of how this works is correct. This would
> reserve the UIDs 2000-2999 for potential local use, while creating an AD
> UID mapping that seamlessly works with the existing linux systems. Then
> if I do end up binding some of these linux machines to the domain,
> everything just works with no acl mapping, or anything like this.
>
> Any thoughts? Am I confused about how this works? My understanding of
> how the default domain works is based on this RHEL article:
> https://access.redhat.com/solutions/1984483
>
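As an added example (not part of this message, and not Samba's own config parser), a small Python check for the idmap range planning discussed above: it parses the `idmap config` lines of an smb.conf fragment, enforces the rule stated in the wiki's own comments that the default `*` range must not overlap any domain range, and reports which idmap domain's range covers a given UID or GID (or none, for an id that only exists in /etc/passwd). The input string is the proposed fragment from the message, reproduced as constructed sample data.

```python
import re
# Constructed sample input: the proposed smb.conf fragment from the message above.
PROPOSED_CONF = """
idmap config * : backend = tdb
idmap config * : range = 2000-2999
# idmap config for the SAMDOM domain
idmap config SAMDOM:backend = ad
idmap config SAMDOM:schema_mode = rfc2307
idmap config SAMDOM:range = 1001-1999
"""

IDMAP_RE = re.compile(
    r"^\s*idmap\s+config\s+(?P<dom>[^:\s]+)\s*:\s*(?P<key>\w+)\s*=\s*(?P<val>.+?)\s*$",
    re.IGNORECASE)

def parse_idmap(conf):
    """Collect every idmap config line as {domain: {key: value}}."""
    domains = {}
    for line in conf.splitlines():
        if line.lstrip().startswith(("#", ";")):
            continue  # smb.conf comment
        m = IDMAP_RE.match(line)
        if m:
            dom = m["dom"] if m["dom"] == "*" else m["dom"].upper()
            domains.setdefault(dom, {})[m["key"].lower()] = m["val"]
    return domains

def id_ranges(domains):
    """Return {domain: (low, high)}; every idmap domain needs a sane range."""
    out = {}
    for dom, cfg in domains.items():
        if "range" not in cfg:
            raise ValueError(f"idmap config {dom}: no range set")
        low, high = (int(x) for x in cfg["range"].split("-"))
        if low > high:
            raise ValueError(f"idmap config {dom}: range {low}-{high} is reversed")
        out[dom] = (low, high)
    return out

def overlapping_ranges(domains):
    """Pairs of domains whose ranges intersect; the '*' range must not overlap any."""
    r = id_ranges(domains)
    names = sorted(r)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if r[a][0] <= r[b][1] and r[b][0] <= r[a][1]]

def idmap_owner(domains, xid):
    """Idmap domain whose range covers this UID/GID, or None if no winbind range does."""
    return next((d for d, (lo, hi) in id_ranges(domains).items() if lo <= xid <= hi), None)
```

With the proposed fragment, `overlapping_ranges` returns an empty list, UID 1500 is owned by SAMDOM, UID 2000 falls into the `*` tdb range, and UID 1000 belongs to no winbind range at all.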