[Samba] [EXT] Re: Samba 4 without winbind
rpenny at samba.org
Mon Sep 19 19:43:46 UTC 2022
On 19/09/2022 20:22, Shannon Price wrote:
> I think the "ad" backend would work for me if I had access to the domain controllers, which I do not. This makes the path out of our antiquated setup much more complicated. It turns out that campus is using an AD-bridge product from BeyondTrust for the last 10 years.
Then you need to talk to the Windows admins about adding the rfc2307
attributes to your AD users and groups, they are all standard in the AD
schema, you do not need to extend the schema. Can they not delegate
permission to allow you to do this to your users and groups or move your
users & groups to an OU you can control?
> The groups are in AD. I can query my group membership with wbinfo --user-groups="DOMAIN\\username". None of the groups are above 999999. Some are over 930000, however, which with the calculation below puts some over 999999.
If the upper range is too low, then just add another '9' to it and
restart the Samba daemons.
> I had the idmap ranges lower but the "idmap config *:range" said it
> was too full when it was set to 3000-7999.
The default (*) range is meant for the Well Known Sids (which there are
less than 200) and anything outside the 'DOMAIN' domain, so I think it
might be trying to pull in the entire forest.
> Leaving out the "*" idmap also generated a complaint, since your rid
> example included it, I left it in.
You really need it, see above.
> winbind enum users = yes
> winbind enum groups = yes
Only use those for testing, they just slow things down and winbind will
work without them.
> winbind nested groups = yes
That is the default.
> winbind expand groups = 3
You shouldn't need that, but be aware that the higher the number, the
slower things will be.
> idmap config * : backend = tdb
> idmap config * : range = 3000-60000
> idmap config DOMAIN : backend = rid
> idmap config DOMAIN : range = 70000-999999
If that is what works for you.
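As an added example (not from this thread or from the Samba project), a short Python checker that parses the idmap lines quoted above, applies the idmap_rid formula from its man page (ID = RID - BASE_RID + LOW_RANGE_ID, with base_rid defaulting to 0) and shows why RIDs above 930000 land past 999999 when the DOMAIN range starts at 70000; the RIDs fed in are constructed sample values.

```python
# Added example, not Samba code: models the idmap_rid mapping
# "ID = RID - BASE_RID + LOW_RANGE_ID" (base_rid defaults to 0) and
# checks whether given RIDs fit the configured DOMAIN range.
import re

# Constructed smb.conf fragment, copied from the settings quoted in the thread.
SMB_CONF = """
idmap config * : backend = tdb
idmap config * : range = 3000-60000
idmap config DOMAIN : backend = rid
idmap config DOMAIN : range = 70000-999999
"""

IDMAP_RE = re.compile(r"^\s*idmap config\s+(\S+)\s*:\s*(\w+)\s*=\s*(.+?)\s*$")


def parse_idmap(conf):
    """Return {domain: {"backend": ..., "range": (low, high)}} from smb.conf text."""
    domains = {}
    for line in conf.splitlines():
        m = IDMAP_RE.match(line)
        if not m:
            continue
        dom, key, val = m.groups()
        entry = domains.setdefault(dom, {})
        if key == "range":
            low, high = (int(x) for x in val.split("-"))
            entry["range"] = (low, high)
        else:
            entry[key] = val
    return domains


def rid_to_id(rid, low, base_rid=0):
    """idmap_rid formula (man idmap_rid): ID = RID - BASE_RID + LOW_RANGE_ID."""
    return rid - base_rid + low


def check_rids(conf, domain, rids):
    """Map each RID and flag those whose unix ID falls outside the domain's range."""
    low, high = parse_idmap(conf)[domain]["range"]
    return {rid: (rid_to_id(rid, low), low <= rid_to_id(rid, low) <= high) for rid in rids}


def ranges_overlap(conf):
    """True if any two configured idmap ranges overlap (winbind rejects that)."""
    rs = sorted(v["range"] for v in parse_idmap(conf).values() if "range" in v)
    return any(rs[i][1] >= rs[i + 1][0] for i in range(len(rs) - 1))


if __name__ == "__main__":
    # Constructed RIDs: one ordinary group, one in the "over 930000" band from the thread.
    for rid, (uid, ok) in check_rids(SMB_CONF, "DOMAIN", [1105, 930500]).items():
        print(f"RID {rid} -> ID {uid} {'ok' if ok else 'OUT OF RANGE'}")
```

With the 70000-999999 range, any RID above 929999 maps beyond the top of the range, which is exactly the case the reply addresses by widening the upper bound.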