[Samba] Moving to AD for idmap backend

Rowland Penny rpenny at samba.org
Mon Nov 28 18:58:53 UTC 2022



On 28/11/2022 18:40, Vaughan, Robert J via samba wrote:
>> Hello Samba listers
>>
>> We're looking at moving to idmap backend AD for our Samba domain member servers
>>
>> One concern I had is our corporation assigns uid for users in one corp sub-domain (A.X.com) interspersed with users from our other corp sub-domain (B.X.com) so that the range must be overlapping
>>
>> Some testing by a colleague shows Samba notes the overlap in the log but seems to work fine
>>
>> Can someone say if this should be fine, allowing that corp makes sure the uid are all unique in AD?
> 
>>> Are you going to be using more of the rfc2307 attributes than
>>> 'uidNumber' and 'gidNumber' ?
> 
>>> If not, then I suggest you totally ignore them, use one of the domains
>>> as your main domain and add a trust for the other, then use either the
>>> 'autorid' or 'rid' idmap backend.
> 
> Yes, we will need to use shell and homedir too (to support unix and linux shell logins for some users)

Oh well.

> 
> So to be clear, corp assigns uid and we must have Samba use these assignments

To be clear, whoever thought up the idea of assigning the uidNumber & 
gidNumber attributes for two domains from the same pool is, in my 
opinion, an idiot. Not even Windows does this: every DC has its own RID 
pool, so you can look at a RID and know on which DC it was created.

> 
> Some of these uid are even, unfortunately, below 1000 currently

A really BIG idiot, didn't they have any idea about Unix?

The problem is that you shouldn't overlap domain ranges, which you are 
going to have to, and this will lead to a collision somewhere down the 
line when a user or group is created at the same time as another and 
they both get the same ID number (yes it will happen, it is not a case of 
if, it is when).

I cannot recommend your set up, but it may be the only way, unless you 
can change the way that the rfc2307 attributes are allocated and, from 
the sound of it, it isn't going to happen.

Rowland
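The pre-migration audit a practitioner would want before pointing idmap_ad at two domains that draw uidNumber/gidNumber from one pool, as an added example that is not part of the post above and not Samba project code. It reads a constructed LDIF-style export of both sub-domains (the sample records, account names and the `IDMAP_RANGES` values are invented for illustration; the domain names follow the A.X.com / B.X.com naming used in the thread) and reports exactly the conditions Rowland warns about: the same uidNumber assigned to accounts in different domains, IDs below 1000 that will clash with local system accounts, and overlapping `idmap config ... : range` settings. It also flags IDs that fall outside their domain's configured range, because idmap_ad uses the range as a filter and silently ignores any uidNumber or gidNumber outside it.

```python
# Added example, not from the Samba mailing-list post or the Samba project:
# audit rfc2307 uidNumber/gidNumber values from two AD domains before
# switching Samba member servers to the idmap_ad backend.
import re
from collections import defaultdict

# Constructed sample in the shape of an ldapsearch LDIF export.
# The accounts and numbers are invented to exercise each check.
SAMPLE_LDIF = """\
dn: CN=alice,OU=Users,DC=a,DC=x,DC=com
sAMAccountName: alice
uidNumber: 10001
gidNumber: 10000

dn: CN=bob,OU=Users,DC=a,DC=x,DC=com
sAMAccountName: bob
uidNumber: 10002
gidNumber: 10000

dn: CN=carol,OU=Users,DC=b,DC=x,DC=com
sAMAccountName: carol
uidNumber: 10003
gidNumber: 20000

dn: CN=dave,OU=Users,DC=b,DC=x,DC=com
sAMAccountName: dave
uidNumber: 10002
gidNumber: 20000

dn: CN=erin,OU=Users,DC=a,DC=x,DC=com
sAMAccountName: erin
uidNumber: 999
gidNumber: 10000

dn: CN=frank,OU=Users,DC=b,DC=x,DC=com
sAMAccountName: frank
uidNumber: 70000
gidNumber: 20000
"""

# Hypothetical "idmap config DOMAIN : range = low - high" settings from smb.conf.
# Both domains share one pool in the thread, so the ranges overlap on purpose.
IDMAP_RANGES = {
    "A.X.COM": (10000, 59999),
    "B.X.COM": (10000, 59999),
}


def parse_ldif(text):
    """Return one dict per record that carries a uidNumber (domain from the DN's DC parts)."""
    users = []
    for block in re.split(r"\n\s*\n", text.strip()):
        attrs = {}
        for line in block.splitlines():
            if ": " in line:
                key, value = line.split(": ", 1)
                attrs[key] = value.strip()
        if "uidNumber" not in attrs or "gidNumber" not in attrs:
            continue  # no rfc2307 IDs: idmap_ad will not map this account anyway
        dcs = re.findall(r"DC=([^,]+)", attrs["dn"], flags=re.IGNORECASE)
        users.append({
            "domain": ".".join(dcs).upper(),
            "name": attrs.get("sAMAccountName", "?"),
            "uid": int(attrs["uidNumber"]),
            "gid": int(attrs["gidNumber"]),
        })
    return users


def range_overlaps(ranges):
    """Return (domain, domain) pairs whose configured ranges intersect."""
    names = sorted(ranges)
    pairs = []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            lo_a, hi_a = ranges[a]
            lo_b, hi_b = ranges[b]
            if lo_a <= hi_b and lo_b <= hi_a:
                pairs.append((a, b))
    return pairs


def audit(users, ranges, min_id=1000):
    """Collect the collision and range problems that would bite idmap_ad."""
    by_uid = defaultdict(list)
    for u in users:
        by_uid[u["uid"]].append((u["domain"], u["name"]))
    findings = {
        # same uidNumber handed to more than one account (across or within domains)
        "duplicate_uid": {uid: owners for uid, owners in by_uid.items() if len(owners) > 1},
        # IDs that collide with the local system account space
        "below_min": [u for u in users if u["uid"] < min_id],
        # idmap_ad ignores IDs outside the domain's configured range
        "outside_range": [
            u for u in users
            if not (ranges[u["domain"]][0] <= u["uid"] <= ranges[u["domain"]][1])
            or not (ranges[u["domain"]][0] <= u["gid"] <= ranges[u["domain"]][1])
        ],
        "range_overlap": range_overlaps(ranges),
    }
    return findings


if __name__ == "__main__":
    report = audit(parse_ldif(SAMPLE_LDIF), IDMAP_RANGES)
    for kind, items in report.items():
        print(f"{kind}: {items}")
```

Against a real deployment, replace `SAMPLE_LDIF` with the output of an `ldapsearch` for `(uidNumber=*)` against each domain and `IDMAP_RANGES` with the ranges actually set in smb.conf; any non-empty `duplicate_uid` or `range_overlap` result is the collision Rowland describes, found before a file on disk is owned by the wrong person.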


