[Samba] DNS problems (still) with Linux domain members - using Samba's internal DNS backend
Gary Dale
gary at extremeground.com
Thu Apr 27 11:45:07 UTC 2023
On 2023-04-27 02:36, Rowland Penny via samba wrote:
>
>
> On 27/04/2023 01:37, Gary Dale via samba wrote:
>
>>
>> Neither actually addresses the question I raised. Apart from the
>> administrative policy of using AD for account maintenance, why not
>> use, for example, 100 as the <gid> or 1000 as a <uid>? If I have to
>> set the ids manually, I should be able to keep track of them more
>> easily when they are smaller numbers.... Or do you need to use large
>> enough numbers so that all the ids you may ever create will be the
>> same length?
>
> If you have read the first page I pointed you to, you would have found
> this:
>
> As you can see from the above, if you are creating a new domain, you
> shouldn't set either the default domain '*' or the 'SAMDOM' ranges to
> start at 999 or less, as they would interfere with the local system
> users & groups.
>
> It then goes on to say:
>
> You also should leave a space for any local Unix users & groups, so
> starting the 'idmap config' ranges at 3000 seems to be a good compromise.
>
> Local Linux users & groups are just that, LOCAL and shouldn't take
> part in AD.
Those ideas suggest a complex mixed environment with a lot of Unix and a
lot of Windows users that need to be managed separately. Moreover, it
doesn't actually say what goes wrong if a Windows group "interferes"
with a Unix group. What would happen if, as once was standard practice,
Domain Users had the same GID as Users - why is "mapping" now forbidden?
I will note that there is already an exception to the rule for
Administrator, which maps to root.
>
>>
>> Or why not use autorid?
>
> You can use autorid, but it is really meant for multiple domains, you
> cannot use 'winbind use default domain = yes' with it and you will get
> different Linux IDs on every Unix domain member you run it on.
> If you do not wish to add anything extra to AD, then I suggest you use
> the 'rid' backend, you can use 'winbind use default domain = yes' and,
> provided you use the same basic smb.conf on all Unix domain members,
> you will get the same IDs.
Still thinking about this. Thanks.
>
>>
>> Another issue that isn't addressed with instructions and an example
>> is the adding of a GID to the standard domain groups. It seems to be
>> necessary but the only example doesn't seem to deal with it. An
>> example showing adding a GID to Domain Users, for example would be
>> helpful.
>>
>
> samba-tool comes with help, try running 'samba-tool user create
> --help' or 'samba-tool user addunixattrs --help'
>
Wrong issue. According to the AD backend wiki "If you use the winbind
'ad' backend, you *must* add a gidNumber attribute to the Domain Users
group in AD". However when you go to
https://wiki.samba.org/index.php/Administer_Unix_Attributes_in_AD_using_samba-tool_and_ldb-tools,
there are examples for creating a new Unix group and for adding Unix
attributes to an existing group, but not for the specific and essential
task of adding a GID to Domain Users.
The example they do give is not really explained. You need to dig a lot
deeper to discover that "msSFU30NisDomain" is an Active Directory
attribute. And the option of doing this from the Windows side is
similarly hard since currently-supported versions of Windows don't have
"Server for NIS Tools".
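The two mechanics the thread keeps circling are (a) how the 'rid' backend turns a Windows RID into a Unix ID, and why the ranges have to stay clear of the local 0-999 system accounts, and (b) the one command that gives Domain Users the gidNumber the 'ad' backend insists on. The script below is an added example by the editor, not code from this thread or from the Samba project. It assumes a domain NetBIOS name of SAMDOM, the ranges the Samba wiki uses as its illustration (3000-7999 for the default '*' domain, 10000-999999 for SAMDOM), and a gidNumber of 10513 for Domain Users, chosen only because it lies inside the SAMDOM range and matches what the 'rid' formula would produce; the well-known RIDs 512 (Domain Admins) and 513 (Domain Users) are fixed by Windows. Nothing here talks to a DC, so it runs offline.

```shell
#!/bin/sh
# Added example (editor's own, not from the Samba wiki or this thread).
# Assumed domain name SAMDOM and the ranges below; adjust to your smb.conf.

# 'rid' backend arithmetic as documented in idmap_rid(8):
#   ID = RID - BASE_RID + LOW_RANGE_ID      (BASE_RID defaults to 0)
# rid_to_id <rid> <low> <high>: print the Unix ID, or return 1 if the
# result would fall above the range (winbind then refuses to map it).
rid_to_id() {
    rid=$1; low=$2; high=$3
    id=$((rid + low))
    [ "$id" -le "$high" ] || return 1
    echo "$id"
}

# check_range <low> <high>: return 0 only if the range is sane, stays
# above the local system accounts (0-999) and leaves the wiki's suggested
# headroom for local users created later (floor of 3000 is the wiki's
# compromise, assumed here).
check_range() {
    low=$1; high=$2
    [ "$low" -le "$high" ] || return 1
    [ "$low" -ge 3000 ]   || return 1
    return 0
}

# ranges_overlap <low1> <high1> <low2> <high2>: return 0 if the two
# ranges share at least one ID. The '*' range and the domain range must
# not overlap each other, and neither may overlap 0-999.
ranges_overlap() {
    [ "$1" -le "$4" ] && [ "$3" -le "$2" ]
}

# rid_smb_conf <domain>: print the [global] idmap lines for a Unix domain
# member using the 'rid' backend. Using the same lines on every member is
# what makes the IDs identical across members.
rid_smb_conf() {
    cat <<EOF
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999
   idmap config $1 : backend = rid
   idmap config $1 : range = 10000-999999
   winbind use default domain = yes
EOF
}

# domain_users_gid_cmd <gidNumber>: print the samba-tool command that
# adds the gidNumber to Domain Users for the 'ad' backend. Printed rather
# than executed so the script stays offline; run it on a DC as root.
domain_users_gid_cmd() {
    echo "samba-tool group addunixattrs 'Domain Users' $1"
}

# Stand-alone walk-through.
if [ "${0##*/}" != "sh" ] && [ "${0##*/}" != "bash" ]; then
    for rid in 500 512 513; do
        printf 'RID %s -> ID %s\n' "$rid" "$(rid_to_id "$rid" 10000 999999)"
    done
    check_range 10000 999999 && echo "SAMDOM range OK"
    check_range 100 999 || echo "range 100-999 rejected: collides with local system IDs"
    ranges_overlap 3000 7999 10000 999999 || echo "'*' and SAMDOM ranges are disjoint"
    rid_smb_conf SAMDOM
    domain_users_gid_cmd 10513
fi
```

With these ranges the 'rid' backend gives Domain Admins 10512 and Domain Users 10513 on every member; a range starting at 100 or 1000 is rejected by check_range because those IDs are where Debian and friends put system and the first local user, which is the "interference" the wiki warns about. The printed samba-tool line is the Domain Users step the wiki page leaves out; the 'ad' backend then reads that gidNumber instead of computing one.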