[Samba] [EXT] Re: Samba 4 without winbind

[Shannon Price]

I think the "ad" backend would work for me if I had access to the domain controllers, which I do not. This makes the path out of our antiquated setup much more complicated. It turns out that campus is using an AD-bridge product from BeyondTrust for the last 10 years.

The groups are in AD.  I can query my group membership with wbinfo --user-groups="DOMAIN\\username".  None of the groups are above 999999.  Some are over 930000, however which with the calculation below, puts some over 999999.  I had the idmap ranges lower but the "idmap config *:range" said it was too full when it was set to 3000-7999.  Leaving out the "*" idmap also generated a complaint, since your rid example included it, I left it in.

        winbind enum users = yes
        winbind enum groups = yes
        winbind nested groups = yes
        winbind expand groups = 3

        idmap config * : backend = tdb
        idmap config * : range = 3000-60000
        idmap config DOMAIN : backend = rid
        idmap config DOMAIN : range = 70000-999999

--
Shannon

-----Original Message-----
From: samba <samba-bounces at lists.samba.org> On Behalf Of Rowland Penny via samba
Sent: Monday, September 19, 2022 12:53 PM
To: samba at lists.samba.org
Cc: Rowland Penny <rpenny at samba.org>
Subject: [EXT] Re: [Samba] Samba 4 without winbind

CAUTION: Email Originated Outside of Auburn.


On 19/09/2022 18:17, Shannon Price via samba wrote:
> 
> I've had some progress on this using autorid and rid.  A few issues however.
> 
> My home directory and other folders grant permissions to my NIS UID, but with Winbind, my files are written using the UID that was generated by idmap, so files I write have a different owner or I don't have permission at all to write to existing folders.

Yes, I expected this, which is why I tried to steer you to the 'ad' 
backend where you can set the NIS user ID as the users uidNumber attribute (the same goes for groups, but you would the groups NIS ID for the groups gidNumber attribute)
> 
> Winbind doesn't recognize all of my group memberships (even for non-nested groups). I can query specific groups via wbinfo and see my name in the group, but when I restrict a share using a flat AD group, it does not give me access. If I share using "Domain Users", this works.

Are these groups in AD ? I ask because winbind will ignore any groups that are not in AD and any that are outside the range set in smb.conf

I used '10000-999999' in my examples, so any group ID that is larger than '999999' will be ignored. The 'rid' backend idmap ID is calculated like this:

ID = RID + LOW_RANGE_ID

So if the groups RID is 11107, this would be

21107 = 11107 + 10000

The same calculation is used for users and 'autorid' works in much the same way, but it uses a different calculation using the RID.

Rowland

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://nam11.safelinks.protection.outlook.com/?url=https%3A%2F%2Flists.samba.org%2Fmailman%2Foptions%2Fsamba&data=05%7C01%7Cpricesw%40auburn.edu%7Ca4eca0a72efd473d36ff08da9a67f1a1%7Cccb6deedbd294b388979d72780f62d3b%7C1%7C0%7C637992068475073648%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=XwrKIkWcx5%2BNU2NhnrUpuowu50aCAuI6U4LT4r8a9g8%3D&reserved=0