[Samba] idmap ad question

Vaughan, Robert J vaughar2 at gdls.com
Tue Feb 14 13:59:39 UTC 2023

On 14/02/2023 11:41, Vaughan, Robert J via samba wrote:

> I am the UNIX admin and don't have a use for all domain users group since all domain users won't be UNIX (or SAMBA) users

>> Your decision.

> What do you mean by "It isn't as if you can have a user group with the same name as the user"?  We currently do have group names in UNIX (local and in LDAP) that are the same as a user (not a real person, but a shared/admin type account for an application) - is there some problem for AD with that?  I thought all it cared about was the SID?

>> In AD, all names must be unique, you cannot have a user called 'fred' 
>> and a group called 'fred'

>> You also shouldn't have a local Unix user (one in /etc/passwd) called 
>> 'fred' and another user in AD called 'fred'. Depending on where 
>> 'winbind' appears in the passwd line in /etc/nsswitch will decide which 
>> user will be used, they will never be the same user.

>> If you do want usergroups, then there is only one way, use the 'rid' 
>> idmap backend and you will get synthetic usergroups, the group isn't 
>> stored anywhere, the 'rid' idmap backend creates it on the fly.
>> The downside of using the 'rid' idmap backend is, every AD user and 
>> group becomes a Unix user or group.

We created the groups we have in UNIX LDAP in AD, gave them the same gidNumber, this seems to work?

>>Now, can I ask what you are actually trying to achieve ?
>>What is the application ?

We will be migrating our UNIX LDAP to AD.  Our UNIX LDAP is used by a few Windows users for shell logins, and by quite a few for SAMBA.  Our environment is Solaris and Red Hat, with Solaris being replaced by Red Hat.

The users don't have Linux workstations

Right now production is still using UNIX LDAP

AD DC are all Windows and managed by another team.  All the users use AD for their Windows client.

All users are assigned UID by the corp

I am testing a Red Hat SAMBA domain member in two modes (via snapshots I can switch back and forth), one with winbind only, and one with winbind using sssd


Robert Vaughan

This is an e-mail from General Dynamics Land Systems. It is for the intended recipient only and may contain confidential and privileged information.  No one else may read, print, store, copy, forward or act in reliance on it or its attachments.  If you are not the intended recipient, please return this message to the sender and delete the message and any attachments from your computer. Your cooperation is appreciated.
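The two pitfalls raised in this exchange (name clashes between /etc/passwd and AD, and between an AD user and an AD group of the same name, plus corp-assigned uidNumber/gidNumber values that fall outside the 'idmap config ... : range' of the 'ad' backend and therefore never get a Unix ID) can be checked before the LDAP-to-AD cutover. The script below is an added example, not code from the thread or from Samba; the smb.conf fragment, the domain name EXAMPLE, the ID ranges and the account lists are constructed sample data.

```python
"""Pre-migration sanity checks for a Samba domain member using the 'ad' idmap backend.

Added example; smb.conf fragment and account data are constructed, not taken
from the mailing-list thread.
"""
import re

# Constructed smb.conf fragment (assumption: domain EXAMPLE, rfc2307 attributes).
SMB_CONF = """
[global]
   workgroup = EXAMPLE
   security = ADS
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999
   idmap config EXAMPLE : backend = ad
   idmap config EXAMPLE : schema_mode = rfc2307
   idmap config EXAMPLE : range = 10000-999999
   idmap config EXAMPLE : unix_nss_info = yes
"""

# Constructed AD objects: name -> uidNumber (users) or gidNumber (groups).
AD_USERS = {"alice": 10001, "appsvc": 10500, "bob": 2500}   # bob is outside the range
AD_GROUPS = {"unixadmins": 10002, "appsvc": 10501}          # 'appsvc' clashes with the user
# Constructed local accounts from /etc/passwd and /etc/group.
LOCAL_USERS = {"root", "alice"}                               # alice also exists in AD
LOCAL_GROUPS = {"wheel"}

IDMAP_RE = re.compile(r"^\s*idmap config\s+(\S+)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.I)


def parse_idmap(conf):
    """Return {domain: {option: value}} for every 'idmap config' line in conf."""
    out = {}
    for line in conf.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            dom, opt, val = m.groups()
            out.setdefault(dom, {})[opt.lower()] = val
    return out


def parse_range(text):
    """Parse 'lo-hi' into (lo, hi); reject inverted ranges."""
    lo, hi = (int(x) for x in text.split("-"))
    if lo > hi:
        raise ValueError(f"inverted idmap range {text!r}")
    return lo, hi


def overlapping_ranges(idmap):
    """Pairs of domains whose idmap ranges overlap (they must be disjoint)."""
    doms = sorted(d for d in idmap if "range" in idmap[d])
    bad = []
    for i, a in enumerate(doms):
        lo_a, hi_a = parse_range(idmap[a]["range"])
        for b in doms[i + 1:]:
            lo_b, hi_b = parse_range(idmap[b]["range"])
            if lo_a <= hi_b and lo_b <= hi_a:
                bad.append((a, b))
    return bad


def ids_outside_range(idmap, domain, accounts):
    """Names whose uidNumber/gidNumber lies outside the domain's idmap range.

    The 'ad' backend only maps IDs inside 'range'; anything else gets no Unix ID.
    """
    lo, hi = parse_range(idmap[domain]["range"])
    return sorted(name for name, num in accounts.items() if not lo <= num <= hi)


def name_collisions(local_users, local_groups, ad_users, ad_groups):
    """Name clashes that will make NSS/AD return two different objects under one name."""
    return {
        "local_user_vs_ad": sorted(set(local_users) & set(ad_users)),
        "local_group_vs_ad": sorted(set(local_groups) & set(ad_groups)),
        "ad_user_vs_ad_group": sorted(set(ad_users) & set(ad_groups)),
    }


if __name__ == "__main__":
    idmap = parse_idmap(SMB_CONF)
    print("overlapping ranges:", overlapping_ranges(idmap))
    print("users outside range:", ids_outside_range(idmap, "EXAMPLE", AD_USERS))
    print("groups outside range:", ids_outside_range(idmap, "EXAMPLE", AD_GROUPS))
    print("name collisions:", name_collisions(LOCAL_USERS, LOCAL_GROUPS, AD_USERS, AD_GROUPS))
```

Run it against the real smb.conf and an export of uidNumber/gidNumber from AD (e.g. an ldapsearch dump) before switching production; every name it reports is one that winbind will either not map at all or map to something other than the account the LDAP users expect.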
