[Samba] [EXT] Re: Samba 4 without winbind

Shannon Price pricesw at auburn.edu
Mon Sep 19 22:23:38 UTC 2022


I don't think there is hope for getting access to the domain delegation - that would be like moving mountains with so many cooks in the kitchen. We can't move the users either since University students are shared by the whole University, not a single college.  Turns out central campus has been using a commercial product - BeyondTrust - AD-Bridge for some of their authentication issues. Do you know anything about that product and how it fits in?

The user and group idmap settings are getting very close. I think they're working actually. I can map to a share that is protected by an AD security group right now.  This is great progress.

But now - when my folder still has Unix perms on it and the group ownership is a NIS group, I have problems: If the folder is 770, I can't chdir into it, so the mount fails.  If I change the perms to 775, I can mount it, but I don't have my regular NIS permission inside the folder.

Does this mean that a full-blown changeover from NIS permissions to the idmap IDs using AD is going to be the only path? That's a monumental and disruptive conversion.

--
Shannon  

-----Original Message-----
From: samba <samba-bounces at lists.samba.org> On Behalf Of Rowland Penny via samba
Sent: Monday, September 19, 2022 2:44 PM
To: samba at lists.samba.org
Cc: Rowland Penny <rpenny at samba.org>
Subject: Re: [Samba] [EXT] Re: Samba 4 without winbind



On 19/09/2022 20:22, Shannon Price wrote:
> 
> I think the "ad" backend would work for me if I had access to the domain controllers, which I do not. This makes the path out of our antiquated setup much more complicated. It turns out that campus is using an AD-bridge product from BeyondTrust for the last 10 years.

Then you need to talk to the Windows admins about adding the rfc2307 attributes to your AD users and groups; they are all standard in the AD schema, you do not need to extend the schema. Can they not delegate permission to allow you to do this to your users and groups, or move your users & groups to an OU you can control?

> 
> The groups are in AD.  I can query my group membership with wbinfo --user-groups="DOMAIN\\username".  None of the groups are above 999999.  Some are over 930000, however, which with the calculation below puts some over 999999.

If the upper range is too low, then just add another '9' to it and restart the Samba daemons.

> I had the idmap ranges lower but the "idmap config *:range" said it was too full when it was set to 3000-7999.

The default (*) range is meant for the Well Known SIDs (of which there are fewer than 200) and anything outside the 'DOMAIN' domain, so I think it might be trying to pull in the entire forest.

> Leaving out the "*" idmap also generated a complaint; since your rid example included it, I left it in.

You really need it, see above.

> 
>          winbind enum users = yes
>          winbind enum groups = yes

Only use those for testing, they just slow things down and winbind will work without them.

>          winbind nested groups = yes

That is the default.

>          winbind expand groups = 3

You shouldn't need that, but be aware that the higher the number, the slower things will be.

> 
>          idmap config * : backend = tdb
>          idmap config * : range = 3000-60000
>          idmap config DOMAIN : backend = rid
>          idmap config DOMAIN : range = 70000-999999

If that is what works for you.

Rowland
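The "calculation" referred to above is the idmap_rid rule that a Unix ID is the RID plus the low end of the domain's range, so a RID above (high - low) has no valid mapping. The following is an added example, not code from the thread or from Samba: it parses the idmap lines quoted in this message, checks the ranges for overlap, and reports which RIDs would fall outside the DOMAIN range.

```python
import re

# Constructed sample: the idmap lines quoted in this thread.
SMB_CONF = """
   idmap config * : backend = tdb
   idmap config * : range = 3000-60000
   idmap config DOMAIN : backend = rid
   idmap config DOMAIN : range = 70000-999999
"""

IDMAP_RE = re.compile(
    r"^\s*idmap config\s+(\S+)\s*:\s*(backend|range)\s*=\s*(\S+)\s*$", re.I)


def parse_idmap(conf):
    """Return {domain: {"backend": str, "range": (low, high)}} from smb.conf text."""
    domains = {}
    for line in conf.splitlines():
        m = IDMAP_RE.match(line)
        if not m:
            continue
        dom, key, val = m.groups()
        entry = domains.setdefault(dom, {})
        if key.lower() == "range":
            low, high = (int(x) for x in val.split("-"))
            entry["range"] = (low, high)
        else:
            entry["backend"] = val.lower()
    return domains


def rid_to_unix_id(rid, low, high):
    """idmap_rid assigns ID = RID + LOW_RANGE_ID; None when that leaves the range."""
    unix_id = low + rid
    return unix_id if low <= unix_id <= high else None


def check_ranges(domains):
    """Flag overlapping ranges and give the largest RID each rid-backend range can hold."""
    problems = []
    ranges = sorted((v["range"], d) for d, v in domains.items() if "range" in v)
    for (r1, d1), (r2, d2) in zip(ranges, ranges[1:]):
        if r2[0] <= r1[1]:
            problems.append(f"ranges for {d1} and {d2} overlap")
    max_rid = {d: v["range"][1] - v["range"][0]
               for d, v in domains.items() if v.get("backend") == "rid"}
    return problems, max_rid


def unmappable_rids(rids, domains, domain="DOMAIN"):
    """RIDs (constructed input) that the configured range for `domain` cannot map."""
    low, high = domains[domain]["range"]
    return [r for r in rids if rid_to_unix_id(r, low, high) is None]
```

With the 70000-999999 range the largest mappable RID is 929999, which is why groups with RIDs over 930000 were pushed past the upper bound.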

