On 02/12/14 09:29, Greg Zartman wrote:
>
> I think I've finally got this all sorted out. After I set up a user using
> samba-tool user create, I'll pull the RID for this new user and then set
> the UID/GID = RID + 3000. I'll then set xidNumber = UIDNumber(GIDNumber),
> as appropriate.

I'd recommend using only 1 database for all your users (AD) and leave xidNumber in the independent idmap database and use that only for the builtin groups. That way, your users get replicated with exactly the same attributes to all DCs. idmap is not replicated and so you end up with users only being recognised on the DC which happened to be queried when you created the user. In all cases ever known to mankind, that's a mess. Stick to AD if you possibly can. Windows does.

HTH,
Steve

Rowland Penny
2014-Dec-02 19:15 UTC
[Samba] uidNumber. ( Was: What is --rfc2307-from-nss ??)
On 02/12/14 18:47, steve wrote:
> On 02/12/14 09:29, Greg Zartman wrote:
>
>>
>> I think I've finally got this all sorted out. After I set up a user using
>> samba-tool user create, I'll pull the RID for this new user and then set
>> the UID/GID = RID + 3000. I'll then set xidNumber = UIDNumber(GIDNumber),
>> as appropriate.
>
> I'd recommend using only 1 database for all your users (AD) and leave
> xidNumber in the independent idmap database and use that only for the
> builtin groups. That way, your users get replicated with exactly the
> same attributes to all DCs. idmap is not replicated and so you end up
> with users only being recognised on the DC which happened to be
> queried when you created the user. In all cases ever known to mankind,
> that's a mess. Stick to AD if you possibly can. Windows does.
> HTH,
> Steve
>

Doh, I missed that, well spotted Steve.

Do not alter idmap.ldb, leave it alone, use RFC2307 attributes where possible and join my campaign to get winbindd to pull all the attributes :-D

Rowland

Greg Zartman
2014-Dec-02 19:24 UTC
[Samba] uidNumber. ( Was: What is --rfc2307-from-nss ??)
On Tue, Dec 2, 2014 at 11:15 AM, Rowland Penny <rowlandpenny at googlemail.com> wrote:
>
>>
> Doh, I missed that, well spotted Steve.
>
> Do not alter idmap.ldb, leave it alone, use RFC2307 attributes where
> possible and join my campaign to get winbindd to pull all the attributes :-D
>

So, the xidNumber isn't needed? I'm going to be using SSSD for local auth, which pulls uidNumber from the AD, but didn't know if something else uses xidNumber.

Greg