[Samba] [EXT] Re: Samba 4 without winbind

Rowland Penny rpenny at samba.org
Mon Sep 19 19:43:46 UTC 2022

On 19/09/2022 20:22, Shannon Price wrote:
> I think the "ad" backend would work for me if I had access to the domain controllers, which I do not. This makes the path out of our antiquated setup much more complicated. It turns out that campus is using an AD-bridge product from BeyondTrust for the last 10 years.

Then you need to talk to the Windows admins about adding the rfc2307 
attributes to your AD users and groups; they are all standard in the AD 
schema, you do not need to extend the schema. Can they not delegate 
permission to allow you to do this to your users and groups, or move your 
users & groups to an OU you can control?

> The groups are in AD. I can query my group membership with wbinfo --user-groups="DOMAIN\\username". None of the groups are above 999999. Some are over 930000, however, which with the calculation below puts some over 999999.

If the upper range is too low, then just add another '9' to it and 
restart the Samba daemons.

> I had the idmap ranges lower but the "idmap config *:range" said it 
> was too full when it was set to 3000-7999.

The default (*) range is meant for the Well Known SIDs (of which there are 
fewer than 200) and anything outside the 'DOMAIN' domain, so I think it 
might be trying to pull in the entire forest.

> Leaving out the "*" idmap also generated a complaint; since your rid 
> example included it, I left it in.

You really need it, see above.

>          winbind enum users = yes
>          winbind enum groups = yes

Only use those for testing, they just slow things down and winbind will 
work without them.

>          winbind nested groups = yes

That is the default.

>          winbind expand groups = 3

You shouldn't need that, but be aware that the higher the number, the 
slower things will be.

>          idmap config * : backend = tdb
>          idmap config * : range = 3000-60000
>          idmap config DOMAIN : backend = rid
>          idmap config DOMAIN : range = 70000-999999

If that is what works for you.
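As an added example, not part of this thread or of Samba itself: a small Python script that reads the idmap lines quoted above (the smb.conf fragment below is constructed from them), applies the idmap_rid formula (ID = RID - BASE_RID + LOW_RANGE_ID, base_rid defaulting to 0) to show which RIDs still fit the configured range, and flags overlapping ranges between domains, which winbind rejects.

```python
import re
from typing import Optional

# Constructed sample smb.conf fragment, mirroring the idmap lines quoted in the thread.
SAMPLE_SMB_CONF = """
[global]
   idmap config * : backend = tdb
   idmap config * : range = 3000-60000
   idmap config DOMAIN : backend = rid
   idmap config DOMAIN : range = 70000-999999
"""

IDMAP_RE = re.compile(
    r"^\s*idmap config\s+(?P<dom>\S+)\s*:\s*(?P<key>backend|range)\s*=\s*(?P<val>\S+)",
    re.IGNORECASE,
)


def parse_idmap_config(conf: str) -> dict:
    """Return {domain: {"backend": str, "low": int, "high": int}} from smb.conf text."""
    cfg: dict = {}
    for line in conf.splitlines():
        m = IDMAP_RE.match(line)
        if not m:
            continue
        entry = cfg.setdefault(m["dom"], {})
        if m["key"].lower() == "backend":
            entry["backend"] = m["val"].lower()
        else:
            low, high = (int(x) for x in m["val"].split("-", 1))
            entry["low"], entry["high"] = low, high
    return cfg


def rid_to_unix_id(rid: int, low: int, high: int, base_rid: int = 0) -> Optional[int]:
    """idmap_rid mapping: ID = RID - BASE_RID + LOW_RANGE_ID; None if outside the range."""
    unix_id = rid - base_rid + low
    return unix_id if low <= unix_id <= high else None


def highest_mappable_rid(low: int, high: int, base_rid: int = 0) -> int:
    """Largest RID the range can hold; a group RID above this gets no uid/gid at all."""
    return high - low + base_rid


def overlapping_ranges(cfg: dict) -> list:
    """Pairs of domains whose ID ranges overlap; winbind refuses to start with such a config."""
    doms = [(d, e["low"], e["high"]) for d, e in cfg.items() if "low" in e]
    return [(a, b) for i, (a, al, ah) in enumerate(doms)
            for (b, bl, bh) in doms[i + 1:] if al <= bh and bl <= ah]
```

With the quoted range, a group RID of 930500 maps to 1000500, which is above 999999, so it is unmappable; widening the range to 70000-9999999 (the extra '9' suggested above) makes it fit.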

