BISI
2015-Jan-17 04:18 UTC
[Samba] clarification regarding RFC2307 winbind backend, please
Can someone please clarify the scope of the remarks in this wiki page:
https://wiki.samba.org/index.php/RFC2307_backend

specifically, can you confirm that the following applies only to a Member Server, (not the DC)?

https://wiki.samba.org/index.php/RFC2307_backend#Configuring_RFC2307_backend_for_Winbind

> Configuring RFC2307 backend for Winbind
>
> Add the following to the [global] section of your smb.conf:
>
> # Important: The ranges of the default (*) backend
> # and the domain(s) must not overlap!
>
> # Retrieve UIDs/GIDs for domain SAMDOM from AD, via RFC2307.
> # The range value defines the lowest RID up to the highest,
> # that will ever be used in this domain. Ask your AD Domain
> # Administrator, if you don't know which range to define.
> idmap config SAMDOM:backend = ad
> idmap config SAMDOM:schema_mode = rfc2307
> idmap config SAMDOM:range = 10001-40000
>
> # Store UIDs/GIDs for all other domains (including local
> # accounts/groups of this server) in a tdb file
> idmap config *:backend = tdb
> idmap config *:range = 50001-60000
>
> # Use home directory and shell information from AD
> winbind nss info = rfc2307

Also does anyone have any idea why 10001 was chosen as the start of the range? Since the default starting ID on the DC (both a Microsoft server and Samba DC) is 10000, this seems incongruous.

As a related issue (depending on the answer to the above), if anyone has wiki-editing privileges, and knows the RFC2307 "ropes", perhaps you could fix the AD_member_server page which shows what seems to me to be a poor choice of ranges for the basic smb.conf file.

https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server

> Set up a basic smb.conf
>
> Usually this file is located in /usr/local/samba/etc/.
> Depending on your 'configure' parameters, or if you are using a
> distro/Sernet package, it could be in a different location:
>
> [global]
>
> netbios name = Member1
> workgroup = SAMDOM
> security = ADS
> realm = SAMDOM.EXAMPLE.COM
> dedicated keytab file = /etc/krb5.keytab
> kerberos method = secrets and keytab
>
> idmap config *:backend = tdb
> idmap config *:range = 70001-80000
> idmap config SAMDOM:backend = ad
> idmap config SAMDOM:schema_mode = rfc2307
> idmap config SAMDOM:range = 500-40000
>
> winbind nss info = rfc2307
> winbind trusted domains only = no
> winbind use default domain = yes
> winbind enum users = yes
> winbind enum groups = yes
> winbind refresh tickets = Yes

Cheers!
d.
Rowland Penny
2015-Jan-17 08:27 UTC
[Samba] clarification regarding RFC2307 winbind backend, please
On 17/01/15 04:18, BISI wrote:
> Can someone please clarify the scope of the remarks in this wiki page:
> https://wiki.samba.org/index.php/RFC2307_backend
>
> specifically, can you confirm that the following applies only to a
> Member Server, (not the DC)?
>
> https://wiki.samba.org/index.php/RFC2307_backend#Configuring_RFC2307_backend_for_Winbind
>

Yes, you should only use this set up on a member server

>
>> Configuring RFC2307 backend for Winbind
>>
>> Add the following to the [global] section of your smb.conf:
>>
>> # Important: The ranges of the default (*) backend
>> # and the domain(s) must not overlap!
>>
>> # Retrieve UIDs/GIDs for domain SAMDOM from AD, via RFC2307.
>> # The range value defines the lowest RID up to the highest,
>> # that will ever be used in this domain. Ask your AD Domain
>> # Administrator, if you don't know which range to define.
>> idmap config SAMDOM:backend = ad
>> idmap config SAMDOM:schema_mode = rfc2307
>> idmap config SAMDOM:range = 10001-40000
>>
>> # Store UIDs/GIDs for all other domains (including local
>> # accounts/groups of this server) in a tdb file
>> idmap config *:backend = tdb
>> idmap config *:range = 50001-60000
>>
>> # Use home directory and shell information from AD
>> winbind nss info = rfc2307
>
> Also does anyone have any idea why 10001 was chosen as the start of
> the range? Since the default starting ID on the DC (both a Microsoft
> server and Samba DC) is 10000, this seems incongruous.
>

No idea, but I have changed it to 10000

>
> As a related issue (depending on the answer to the above), if anyone
> has wiki-editing privileges, and knows the RFC2307 "ropes", perhaps
> you could fix the AD_member_server page which shows what seems to me
> to be a poor choice of ranges for the basic smb.conf file.
>
> https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server
>> Set up a basic smb.conf
>>
>> Usually this file is located in /usr/local/samba/etc/.
>> Depending on your 'configure' parameters, or if you are using a
>> distro/Sernet package, it could be in a different location:
>>
>> [global]
>>
>> netbios name = Member1
>> workgroup = SAMDOM
>> security = ADS
>> realm = SAMDOM.EXAMPLE.COM
>> dedicated keytab file = /etc/krb5.keytab
>> kerberos method = secrets and keytab
>>
>> idmap config *:backend = tdb
>> idmap config *:range = 70001-80000
>> idmap config SAMDOM:backend = ad
>> idmap config SAMDOM:schema_mode = rfc2307
>> idmap config SAMDOM:range = 500-40000
>>
>> winbind nss info = rfc2307
>> winbind trusted domains only = no
>> winbind use default domain = yes
>> winbind enum users = yes
>> winbind enum groups = yes
>> winbind refresh tickets = Yes
>
> Cheers!
> d.
>

What ranges would you suggest?

Rowland
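The two points the thread turns on, that the default (*) range and the domain range must not overlap, and that the domain range decides which AD uidNumber/gidNumber values winbind will map at all, can be checked mechanically before a member server is joined. The Python below is an added example, not code from the thread or from Samba: it parses the idmap lines of a constructed copy of the member-server config quoted above, reports overlapping ranges, and tells whether a given ID (such as the DC's default start of 10000 mentioned by BISI) falls inside the ad backend's range, which idmap_ad requires before it will map that ID.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: the idmap-relevant lines of the member-server
# [global] section quoted from the wiki in the thread above.
SAMPLE_SMB_CONF = """
[global]
    workgroup = SAMDOM
    idmap config *:backend = tdb
    idmap config *:range = 70001-80000
    idmap config SAMDOM:backend = ad
    idmap config SAMDOM:schema_mode = rfc2307
    idmap config SAMDOM:range = 500-40000
"""

# Matches "idmap config DOMAIN:key = value"; DOMAIN may be "*" (the default backend).
IDMAP_RE = re.compile(r"^\s*idmap\s+config\s+([^:]+):(\w+)\s*=\s*(.+?)\s*$", re.I)


def parse_idmap(conf: str) -> Dict[str, Dict[str, str]]:
    """Collect idmap config settings per domain from smb.conf text."""
    domains: Dict[str, Dict[str, str]] = {}
    for line in conf.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            dom, key, val = m.group(1).strip(), m.group(2).lower(), m.group(3)
            domains.setdefault(dom, {})[key] = val
    return domains


def parse_range(val: str) -> Tuple[int, int]:
    """Turn 'low-high' into ints, rejecting an inverted range."""
    lo, hi = (int(x) for x in val.split("-", 1))
    if lo > hi:
        raise ValueError(f"bad range {val!r}: low end exceeds high end")
    return lo, hi


def overlapping_ranges(domains: Dict[str, Dict[str, str]]) -> List[Tuple[str, str]]:
    """Return every pair of domains whose ranges overlap; the wiki says there must be none."""
    ranges = {d: parse_range(c["range"]) for d, c in domains.items() if "range" in c}
    names = sorted(ranges)
    pairs = []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            (alo, ahi), (blo, bhi) = ranges[a], ranges[b]
            if alo <= bhi and blo <= ahi:  # closed intervals intersect
                pairs.append((a, b))
    return pairs


def id_is_mapped(domains: Dict[str, Dict[str, str]], domain: str, id_number: int) -> bool:
    """idmap_ad ignores any uidNumber/gidNumber stored in AD that lies outside the configured range."""
    lo, hi = parse_range(domains[domain]["range"])
    return lo <= id_number <= hi
```

Running the checks against the RFC2307_backend page's own 10001-40000 range shows why the 10000 start matters: an AD user given the DC's default first uidNumber of 10000 would fall outside that range and get no mapping on the member server.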