[Samba] Samba 4 without winbind

Shannon Price pricesw at auburn.edu
Mon Sep 19 17:17:11 UTC 2022


I've had some progress on this using autorid and rid.  A few issues however.

My home directory and other folders grant permissions to my NIS UID, but with Winbind, my files are written using the UID that was generated by idmap, so files I write have a different owner or I don't have permission at all to write to existing folders.  

Winbind doesn't recognize all of my group memberships (even for non-nested groups). I can query specific groups via wbinfo and see my name in the group, but when I restrict a share using a flat AD group, it does not give me access. If I share using "Domain Users", this works.

--
Shannon

-----Original Message-----
From: Rowland Penny <rpenny at samba.org> 
Sent: Sunday, September 18, 2022 11:16 AM
To: samba at lists.samba.org
Subject: Re: [Samba] Samba 4 without winbind



On 18/09/2022 16:46, Shannon Price via samba wrote:
> 
> Thank you for the response, Rowland.  Very helpful and we would like to move to a more modern setup.
> 
> Your suggestion to move to AD means getting rid of NIS, correct?  Using the users and groups from AD rather than NIS.  I agree that this would be a better place to be, but have never been clear about the transition since our infrastructure has been based on NIS for so long. Can I simply run some Samba servers in the old style while converting others to all AD? Because of the NFS back-end, our multiple Samba servers can serve the same files - \\SAMBA1\homes and \\SAMBA2\homes can all find my home directory.  I think that Winbind handles the ID mapping between SIDs and UIDs, but I have no idea how that would work across multiple Samba servers doing things differently.
> 
> --
> Shannon
> 
>
Samba provides several different ways of mapping AD users & groups to Unix IDs; the main ones are the 'autorid', 'rid' and 'ad' backends.

'autorid' is the easiest to set up, you just add a couple of lines to the smb.conf:

idmap config * : backend = autorid
idmap config * : range = 10000-9999999

'rid' is very similar:

idmap config * : backend = tdb
idmap config * : range = 3000-7999
idmap config DOMAIN : backend = rid
idmap config DOMAIN : range = 10000-999999

Neither of the above requires adding anything to AD, the first calculates the Unix ID from the Windows RID and allows multiple domains without any further lines. The second again works in a similar way, but is only used for a single domain, you can add further 'DOMAIN' lines for trusted domains.

'ad' works differently, but uses lines very similar to the 'rid' variant (and you can add multiple domains like the 'rid' backend). There is one big difference: you must add rfc2307 attributes to AD. This may be a way out of your difficulties; NIS will have its own IDs and you should be able to use these for your user & group uidNumber & gidNumber attributes.

Whichever backend you use, if you use the same basic smb.conf on every Unix machine, you will always get the same IDs. You should also be aware that you cannot have the same username or group name in /etc/passwd & /etc/group that also exists in AD; the former will always be used first. My advice would be to just have users & groups in AD, apart from one or two local Unix admins, just in case anything goes wrong.

If you require any further information, just ask.

Rowland
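The ID arithmetic Rowland describes, worked through as an added example (this is illustrative Python, not Samba's own idmap code). It models two of the backends from his message: 'rid', where the Unix ID is the configured range low end plus the RID of the SID (as documented in idmap_rid(8)), and 'ad', where the Unix ID is the uidNumber/gidNumber stored in AD, with the configured range acting as a filter that discards any ID outside it (idmap_ad(8)). The domain name EXAMPLE, the SID, the ranges and the NIS passwd entry are all constructed; the point it makes for Shannon's situation is that a rid-derived UID will never equal the NIS UID, and that the 'ad' backend only helps if the range is chosen to actually contain the existing NIS UIDs (without overlapping the '*' range, which Samba rejects).

```python
"""Model of Samba's 'rid' and 'ad' idmap arithmetic against constructed smb.conf fragments.

Added example, not Samba code. Formulas as documented:
  rid backend: ID = LOW_RANGE + RID
  ad  backend: ID = uidNumber/gidNumber from AD, discarded if outside the range
EXAMPLE (domain), the SID, the ranges and the NIS entry are constructed for illustration.
"""
import re

# Constructed smb.conf fragments. EXAMPLE is a hypothetical NetBIOS domain name.
SMB_CONF_RID = """
[global]
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999
   idmap config EXAMPLE : backend = rid
   idmap config EXAMPLE : range = 10000-999999
"""

# 'ad' with the same range as the rid example above: existing NIS UIDs below 10000 are filtered out.
SMB_CONF_AD = """
[global]
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999
   idmap config EXAMPLE : backend = ad
   idmap config EXAMPLE : schema_mode = rfc2307
   idmap config EXAMPLE : range = 10000-999999
"""

# 'ad' with a range that covers the NIS UIDs and still does not overlap the '*' range.
SMB_CONF_AD_WIDE = """
[global]
   idmap config * : backend = tdb
   idmap config * : range = 3000-4999
   idmap config EXAMPLE : backend = ad
   idmap config EXAMPLE : schema_mode = rfc2307
   idmap config EXAMPLE : range = 5000-999999
"""

IDMAP_RE = re.compile(r"^\s*idmap config\s+(\S+)\s*:\s*(backend|range)\s*=\s*(\S+)")


def parse_idmap(conf):
    """Collect per-domain backend and (low, high) range from 'idmap config' lines."""
    cfg = {}
    for line in conf.splitlines():
        m = IDMAP_RE.match(line)
        if not m:
            continue
        dom, key, val = m.groups()
        entry = cfg.setdefault(dom.upper(), {})
        if key == "range":
            low, high = val.split("-")
            entry["range"] = (int(low), int(high))
        else:
            entry["backend"] = val.lower()
    return cfg


def rid_of(sid):
    """Last sub-authority of a SID, e.g. S-1-5-21-...-1104 -> 1104."""
    return int(sid.rsplit("-", 1)[1])


def map_id(cfg, domain, sid, ad_attrs=None):
    """Unix ID the configured backend yields for this SID, or None if unmappable."""
    entry = cfg[domain.upper()]
    low, high = entry["range"]
    if entry["backend"] == "rid":
        uid = low + rid_of(sid)
    elif entry["backend"] == "ad":
        # idmap_ad reads uidNumber/gidNumber from the AD object; no attribute, no mapping.
        if not ad_attrs or "uidNumber" not in ad_attrs:
            return None
        uid = int(ad_attrs["uidNumber"])
    else:
        raise ValueError("backend not modelled: " + entry["backend"])
    # Both backends treat the range as a filter: out-of-range IDs are discarded.
    return uid if low <= uid <= high else None


def nis_uid(passwd_line):
    """UID field of a passwd(5)-style line as served by NIS."""
    return int(passwd_line.split(":")[2])


# Constructed inputs: a NIS passwd entry and the same person's AD account SID.
NIS_ENTRY = "shannon:x:5123:100:Shannon:/home/shannon:/bin/bash"
AD_SID = "S-1-5-21-1111111111-2222222222-3333333333-1104"


def compare(conf, ad_attrs=None):
    """Return (idmap_uid, nis_uid, match) for the constructed user under this smb.conf."""
    uid = map_id(parse_idmap(conf), "EXAMPLE", AD_SID, ad_attrs)
    nuid = nis_uid(NIS_ENTRY)
    return uid, nuid, uid == nuid


if __name__ == "__main__":
    print("rid backend:", compare(SMB_CONF_RID))
    print("ad backend, NIS uid copied to uidNumber, range 10000+:", compare(SMB_CONF_AD, {"uidNumber": "5123"}))
    print("ad backend, range covering NIS UIDs:", compare(SMB_CONF_AD_WIDE, {"uidNumber": "5123"}))
```

Running it shows the three outcomes side by side: 'rid' maps RID 1104 to 11104, which is why files written through Winbind get an owner other than the NIS UID 5123; 'ad' with uidNumber 5123 but a range starting at 10000 yields no mapping at all; only the 'ad' backend with a range that contains the NIS UIDs reproduces them.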
