[Samba] Samba winbind backend to AD

Rowland Penny rpenny at samba.org
Thu May 12 16:22:53 UTC 2022

On Thu, 2022-05-12 at 15:07 +0000, Vaughan, Robert J via samba wrote:
> Hello everyone
> We are using Samba as AD domain members right now (Solaris and Red
> Hat Linux) and the UNIX posix data is stored in a UNIX LDAP (Oracle
> OUD)
> Since we have to start using winbind we were thinking to either move
> the UNIX posix data to AD or possibly use backend rfc2307 to use the
> existing LDAP?
> Can rfc2307 backend use a ldaps uri?

Depends on the Samba version. I have never used idmap_rfc2307, but the
manpage says that 'ldap ssl ads' needs to be set in the smb.conf file
if connecting to AD; the only problem is that it was removed at 4.13.0.

> In either case will we be able to maintain our current uid/gid
> assignments (which start at 490 and 225 respectively) or does this
> possible 'clash' with system and local accounts cause a problem?

Again, this depends: it depends on whether the local system accounts end
before 225. In AD, there are two domains: BUILTIN and DOMAIN (where
DOMAIN is the workgroup name); these are specified in smb.conf as '*'
and 'DOMAIN' in the 'idmap config' lines. The '*' domain is used for the
Well Known SIDs (which contain the BUILTIN users & groups) and anything
else that isn't in the 'DOMAIN'. The ranges for the two domains must not
overlap, so if the local system users & groups end at 224 and your
lowest user or group is 225, then you need lines like

idmap config * : backend = tdb
idmap config * : range = 20000-21000
idmap config DOMAIN : backend = ad
idmap config DOMAIN : range = 225-10000

NOTE: there are other lines you can use with 'DOMAIN'

> Everywhere I look seems to indicate it is important to have set
> ranges that don't overlap for winbind

They must not overlap, and any uidNumber or gidNumber attributes that
are not inside 225-10000 will be ignored.

It will probably help if you read the manpages for idmap_rfc2307 and
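
A small checker for the two rules discussed in this thread (idmap ranges must not overlap each other, and local /etc/passwd and /etc/group ids must not fall inside a winbind range, plus the point that uidNumber/gidNumber values outside the DOMAIN range are ignored). This is an added example, not code from the Samba project or from anyone in the thread. The smb.conf fragment, the passwd/group excerpts and the list of AD uidNumber values are constructed sample data; the function names are my own.

```python
"""Sanity-check winbind idmap ranges against each other and against local accounts.

Added example: parses 'idmap config <dom> : range = lo-hi' lines from an smb.conf,
then reports overlapping ranges, local ids that collide with a range, and AD
uidNumber/gidNumber values that winbind would ignore because they fall outside
the DOMAIN range. All inputs below are constructed sample data.
"""
import re
from typing import Dict, List, Tuple

# Constructed smb.conf fragment, mirroring the lines suggested in the thread.
SMB_CONF = """
[global]
   workgroup = DOMAIN
   security = ADS
   idmap config * : backend = tdb
   idmap config * : range = 20000-21000
   idmap config DOMAIN : backend = ad
   idmap config DOMAIN : schema_mode = rfc2307
   idmap config DOMAIN : range = 225-10000
"""

# Constructed /etc/passwd and /etc/group excerpts: local accounts end at 224,
# apart from 'nobody' at 65534, which sits outside every winbind range.
PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
svcacct:x:224:224:local service:/var/lib/svc:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
"""
GROUP = """root:x:0:
daemon:x:1:
svcacct:x:224:
"""

# Constructed uidNumber values as they might appear on AD user objects.
AD_UIDNUMBERS = [225, 490, 10000, 10001, 20500]

IDMAP_RANGE_RE = re.compile(
    r"^\s*idmap config\s+(\S+)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)\s*$", re.IGNORECASE
)


def parse_idmap_ranges(smbconf: str) -> Dict[str, Tuple[int, int]]:
    """Return {domain: (lo, hi)} for every 'idmap config X : range' line."""
    ranges: Dict[str, Tuple[int, int]] = {}
    for line in smbconf.splitlines():
        m = IDMAP_RANGE_RE.match(line)
        if m:
            ranges[m.group(1)] = (int(m.group(2)), int(m.group(3)))
    return ranges


def local_ids(passwd: str, group: str) -> List[int]:
    """Collect numeric uids from passwd text and gids from group text (field 3 in both)."""
    ids: List[int] = []
    for text in (passwd, group):
        for line in text.splitlines():
            fields = line.split(":")
            if len(fields) > 2 and fields[2].isdigit():
                ids.append(int(fields[2]))
    return ids


def check_ranges(ranges: Dict[str, Tuple[int, int]], ids: List[int]) -> List[str]:
    """Report reversed ranges, pairwise overlaps, and local ids inside any range."""
    problems: List[str] = []
    names = sorted(ranges)
    for i, a in enumerate(names):
        lo_a, hi_a = ranges[a]
        if lo_a > hi_a:
            problems.append(f"range for {a} is reversed: {lo_a}-{hi_a}")
        for b in names[i + 1:]:
            lo_b, hi_b = ranges[b]
            if lo_a <= hi_b and lo_b <= hi_a:  # closed intervals intersect
                problems.append(
                    f"idmap ranges overlap: {a} {lo_a}-{hi_a} and {b} {lo_b}-{hi_b}"
                )
    for uid in sorted(set(ids)):
        for name, (lo, hi) in ranges.items():
            if lo <= uid <= hi:
                problems.append(f"local id {uid} falls inside idmap range {name} {lo}-{hi}")
    return problems


def ignored_ids(ranges: Dict[str, Tuple[int, int]], domain: str, values: List[int]) -> List[int]:
    """uidNumber/gidNumber values outside the domain's range, which winbind will ignore."""
    lo, hi = ranges[domain]
    return [v for v in values if not lo <= v <= hi]


if __name__ == "__main__":
    ranges = parse_idmap_ranges(SMB_CONF)
    for problem in check_ranges(ranges, local_ids(PASSWD, GROUP)) or ["idmap ranges look consistent"]:
        print(problem)
    print("AD ids winbind would ignore:", ignored_ids(ranges, "DOMAIN", AD_UIDNUMBERS))
```

Run it against your real smb.conf, /etc/passwd and /etc/group by reading those files into the three inputs; the AD values can come from an LDAP search for uidNumber and gidNumber. The overlap test treats ranges as closed intervals, which matches how winbind allocates ids from 'range = lo-hi'.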
