[Samba] Moving to AD for idmap backend

Vaughan, Robert J vaughar2 at gdls.com
Mon Nov 28 18:40:25 UTC 2022


> Hello Samba listers
> 
> We're looking at moving to idmap backend AD for our Samba domain member servers
> 
> One concern I had is our corporation assigns uid for users in one corp sub-domain (A.X.com) interspersed with users from our other corp sub-domain (B.X.com) so that the range must be overlapping
> 
> Some testing by a colleague shows Samba notes the overlap in the log but seems to work fine
> 
> Can someone say if this should be fine, allowing that corp makes sure the uid are all unique in AD?

>> Are you going to be using more of the rfc2307 attributes than 
>> 'uidNumber' and 'gidNumber' ?

>> If not, then I suggest you totally ignore them, use one of the domains 
>> as your main domain and add a trust for the other, then use either the 
>> 'autorid' or 'rid' idmap backend.

Yes, we will need to use shell and homedir too (to support unix and linux shell logins for some users)

So to be clear, corp assigns uid and we must have Samba use these assignments

Some of these uid are even, unfortunately, below 1000 currently


Thanks,

Robert Vaughan


-----Original Message-----
From: samba [mailto:samba-bounces at lists.samba.org] On Behalf Of Rowland Penny via samba
Sent: Monday, November 28, 2022 1:30 PM
To: samba at lists.samba.org
Cc: Rowland Penny <rpenny at samba.org>
Subject: Re: [Samba] Moving to AD for idmap backend


On 28/11/2022 17:28, Vaughan, Robert J via samba wrote:
> Hello Samba listers
> 
> We're looking at moving to idmap backend AD for our Samba domain member servers
> 
> One concern I had is our corporation assigns uid for users in one corp sub-domain (A.X.com) interspersed with users from our other corp sub-domain (B.X.com) so that the range must be overlapping
> 
> Some testing by a colleague shows Samba notes the overlap in the log but seems to work fine
> 
> Can someone say if this should be fine, allowing that corp makes sure the uid are all unique in AD?

Are you going to be using more of the rfc2307 attributes than 
'uidNumber' and 'gidNumber' ?

If not, then I suggest you totally ignore them, use one of the domains 
as your main domain and add a trust for the other, then use either the 
'autorid' or 'rid' idmap backend.

Rowland
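
An added example, not part of the thread and not Samba project code: a check for the situation discussed above, where two domains use the 'ad' backend with overlapping ranges and everything depends on uidNumber being unique in AD. The smb.conf fragment, domain names, account rows and the `local_max` threshold are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample: two domains sharing one 'ad' range, as in the thread.
SMB_CONF = """
[global]
    idmap config * : backend = tdb
    idmap config * : range = 100000-199999
    idmap config A : backend = ad
    idmap config A : range = 500-99999
    idmap config B : backend = ad
    idmap config B : range = 500-99999
"""
# Constructed (domain, account, uidNumber) rows, e.g. exported from AD.
ACCOUNTS = [("A", "alice", 1201), ("B", "bob", 1202),
            ("A", "carol", 740), ("B", "dave", 1201), ("B", "erin", 250000)]

RANGE_RE = re.compile(
    r"^\s*idmap config\s+(\S+)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)", re.M)

def parse_ranges(conf):
    """Return {domain: (low, high)} from 'idmap config DOM : range' lines."""
    return {d: (int(lo), int(hi)) for d, lo, hi in RANGE_RE.findall(conf)}

def overlapping_domains(ranges):
    """Pairs of domains whose ID ranges intersect."""
    names = sorted(ranges)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if ranges[a][0] <= ranges[b][1] and ranges[b][0] <= ranges[a][1]]

def audit(accounts, ranges, local_max=999):
    """Flag uidNumbers that are shared, outside the domain range, or low."""
    owners = defaultdict(list)
    for dom, name, uid in accounts:
        owners[uid].append(f"{dom}\\{name}")
    found = {"duplicate": {u: w for u, w in owners.items() if len(w) > 1},
             "out_of_range": [], "below_local_max": []}
    for dom, name, uid in accounts:
        rng = ranges.get(dom)
        # idmap_ad does not map IDs that fall outside the configured range.
        if rng is None or not rng[0] <= uid <= rng[1]:
            found["out_of_range"].append(f"{dom}\\{name}")
        # Assumption: IDs up to local_max may collide with local accounts.
        if uid <= local_max:
            found["below_local_max"].append(f"{dom}\\{name}")
    return found

if __name__ == "__main__":
    r = parse_ranges(SMB_CONF)
    print(overlapping_domains(r), audit(ACCOUNTS, r))
```

A duplicate here means two different AD accounts would resolve to the same Unix uid and share file ownership on the member server, which is the failure the overlapping ranges no longer guard against.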

