samba - Jan 2015 - clarification regarding RFC2307 winbind backend, please

Can someone please clarify the scope of the remarks in this wiki page:
https://wiki.samba.org/index.php/RFC2307_backend

specifically, can you confirm that the following applies only to a 
Member Server, (not the DC)?

https://wiki.samba.org/index.php/RFC2307_backend#Configuring_RFC2307_backend_for_Winbind
>  Configuring RFC2307 backend for Winbind
>
> Add the following to the [global] section of your smb.conf:
>
>   # Important: The ranges of the default (*) backend
>   # and the domain(s) must not overlap!
>
>   # Retrieve UIDs/GIDs for domain SAMDOM from AD, via RFC2307.
>   # The range value defines the lowest RID up to the highest,
>   # that will ever be used in this domain. Ask your AD Domain
>   # Administrator, if you don't know which range to define.
>   idmap config SAMDOM:backend = ad
>   idmap config SAMDOM:schema_mode = rfc2307
>   idmap config SAMDOM:range = 10001-40000
>
>   # Store UIDs/GIDs for all other domains (including local
>   # accounts/groups of this server) in a tdb file
>   idmap config *:backend = tdb
>   idmap config *:range = 50001-60000
>
>   # Use home directory and shell information from AD
>   winbind nss info = rfc2307
Also does anyone have any idea why 10001 was chosen as the start of the 
range?  Since the default starting ID on the DC (both a Microsoft server 
and Samba DC) is 10000, this seems incongruous.


As a related issue (depending on the answer to the above), if anyone has 
wiki-editing privileges, and knows the RFC2307 "ropes", perhaps you 
could fix the AD_member_server page which shows what seems to me to be a 
poor choice of ranges for the basic smb.conf file.

   
https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server
>  Set up a basic smb.conf
>
> Usually this file is located in /usr/local/samba/etc/.
 > Depending on your 'configure' parameters, or if you are using a
 > distro/Sernet package, it could be in a different
location:
>
> [global]
>
>    netbios name = Member1
>    workgroup = SAMDOM
>    security = ADS
>    realm = SAMDOM.EXAMPLE.COM
>    dedicated keytab file = /etc/krb5.keytab
>    kerberos method = secrets and keytab
>
>    idmap config *:backend = tdb
>    idmap config *:range = 70001-80000
>    idmap config SAMDOM:backend = ad
>    idmap config SAMDOM:schema_mode = rfc2307
>    idmap config SAMDOM:range = 500-40000
>
>    winbind nss info = rfc2307
>    winbind trusted domains only = no
>    winbind use default domain = yes
>    winbind enum users  = yes
>    winbind enum groups = yes
>    winbind refresh tickets = Yes
Cheers!
d.

On 17/01/15 04:18, BISI wrote:
> Can someone please clarify the scope of the remarks in this wiki page:
> https://wiki.samba.org/index.php/RFC2307_backend
>
> specifically, can you confirm that the following applies only to a 
> Member Server, (not the DC)?
>
>
https://wiki.samba.org/index.php/RFC2307_backend#Configuring_RFC2307_backend_for_Winbind
>
Yes, you should only use this set up on a member server
>
>>  Configuring RFC2307 backend for Winbind
>>
>> Add the following to the [global] section of your smb.conf:
>>
>>   # Important: The ranges of the default (*) backend
>>   # and the domain(s) must not overlap!
>>
>>   # Retrieve UIDs/GIDs for domain SAMDOM from AD, via RFC2307.
>>   # The range value defines the lowest RID up to the highest,
>>   # that will ever be used in this domain. Ask your AD Domain
>>   # Administrator, if you don't know which range to define.
>>   idmap config SAMDOM:backend = ad
>>   idmap config SAMDOM:schema_mode = rfc2307
>>   idmap config SAMDOM:range = 10001-40000
>>
>>   # Store UIDs/GIDs for all other domains (including local
>>   # accounts/groups of this server) in a tdb file
>>   idmap config *:backend = tdb
>>   idmap config *:range = 50001-60000
>>
>>   # Use home directory and shell information from AD
>>   winbind nss info = rfc2307
>
> Also does anyone have any idea why 10001 was chosen as the start of 
> the range?  Since the default starting ID on the DC (both a Microsoft 
> server and Samba DC) is 10000, this seems incongruous.
>
No idea, but I have changed it to 10000
>
> As a related issue (depending on the answer to the above), if anyone 
> has wiki-editing privileges, and knows the RFC2307 "ropes",
perhaps
> you could fix the AD_member_server page which shows what seems to me 
> to be a poor choice of ranges for the basic smb.conf file.
>
>    https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server
>>  Set up a basic smb.conf
>>
>> Usually this file is located in /usr/local/samba/etc/.
> > Depending on your 'configure' parameters, or if you are using
a
> > distro/Sernet package, it could be in a different location:
>>
>> [global]
>>
>>    netbios name = Member1
>>    workgroup = SAMDOM
>>    security = ADS
>>    realm = SAMDOM.EXAMPLE.COM
>>    dedicated keytab file = /etc/krb5.keytab
>>    kerberos method = secrets and keytab
>>
>>    idmap config *:backend = tdb
>>    idmap config *:range = 70001-80000
>>    idmap config SAMDOM:backend = ad
>>    idmap config SAMDOM:schema_mode = rfc2307
>>    idmap config SAMDOM:range = 500-40000
>>
>>    winbind nss info = rfc2307
>>    winbind trusted domains only = no
>>    winbind use default domain = yes
>>    winbind enum users  = yes
>>    winbind enum groups = yes
>>    winbind refresh tickets = Yes
>
> Cheers!
> d.
>
What ranges would you suggest ?

Rowland