Stéphane PURNELLE
2015-Aug-02 16:31 UTC
[Samba] Question about samba 4 member server of a pure Windows AD
Hi,

I don't think that rid backend will work, because when we started samba (samba 2.2.8a) lower uid was 1000, but when we moved to samba 4, lower uid was put to 10000.
That means new users and groups use uidNumber or groupNumber > 10000. But we have old accounts and groups with uid or gid < 10000.

regards

Stéphane Purnelle

"samba" <samba-bounces at lists.samba.org> wrote on 31/07/2015 22:42:23:

> From: Rowland Penny <rowlandpenny241155 at gmail.com>
> To: samba at lists.samba.org,
> Date: 31/07/2015 22:51
> Subject: Re: [Samba] Question about samba 4 member server of a pure Windows AD
> Sent by: "samba" <samba-bounces at lists.samba.org>
>
> On 31/07/15 20:43, Stéphane PURNELLE wrote:
> > Hi,
> >
> > Actually, we have a samba 4 AD DC and 2 samba 4 AD member server as
> > file-server.
> > But my company is member of a group who have i proper AD (A windows AD
> > server)
> >
> > I don't know if the windows AD has implemented rfc2307 and if the sysadmin
> > of the windows AD can add rfc2307.
> >
> > I just would like to know if there are alternative for have uid <> sid
> > mapping without rfc2307.
> > LIke extract uid from windows SID (based on algorithm uid = uid*2 + 1000
> > or something like this)
> >
> > thank you for your help
> >
> > Stéphane Purnelle
>
> Yes, it is called the 'rid' backend, see 'man idmap_rid'
>
> Rowland
Rowland Penny
2015-Aug-02 18:17 UTC
[Samba] Question about samba 4 member server of a pure Windows AD
On 02/08/15 17:31, Stéphane PURNELLE wrote:
> Hi,
>
> I don't think that rid backend will work, because when we started samba
> (samba 2.2.8a) lower uid was 1000, but when we moved to samba 4, lower uid
> was put to 10000.
> That means new users and groups use uidNumber or groupNumber > 10000. But
> we have old accounts and groups with uid or gid < 10000.
>
> regards
>
> Stéphane Purnelle

If you use the rid backend, any uidNumbers & gidNumbers in AD are ignored, the user's UID will be calculated from this:

ID = RID - BASE_RID + LOW_RANGE_ID

So if you have two users with the RIDs of 9999 & 10001, their UIDs would be this (note BASE_RID is 0 unless set in smb.conf), LOW_RANGE_ID would be set to 3000

UID = 9999 - 0 + 3000

Which would become:

UID = 12999

UID = 10001 - 0 + 3000

Which would become:

UID = 13001

These are just a couple of examples, from which I hope you can see, provided you set the LOW_RANGE_ID lower than your lowest RID, it should work, of course you will probably have to set the builtin range way above your workgroup range.

Rowland
Stéphane PURNELLE
2015-Aug-03 07:43 UTC
[Samba] Question about samba 4 member server of a pure Windows AD
Hi,

An account created with samba3/ldap (created before 2014-02-20):
SID: S-1-5-21-XXXXXXXXXX-XXXXXXXXX-XXXXXXXXXX-3216
uidNumber : 1108

An account created with Users and computers (samba 4 AD DC):
SID: S-1-5-21-XXXXXXXXXX-XXXXXXXXX-XXXXXXXXXX-5878
uidNumber : 10023

My actual config (in file-server) :

    idmap config XXXXXX:backend = ad
    idmap config XXXXXX:schema_mode = rfc2307
    idmap config XXXXXX:range = 1005-40000

If I apply RID backend : ID = RID - BASE_RID + LOW_RANGE_ID.

For the first account : 3216 - 0 + 1005 = 4221 => bad, must be 1108
For the latest created account : 5878 - 0 + 1005 = 6883 => bad, must be 10023

If the generated uidNumber is not the same as the actual uidNumber, I will lose my ACL.

regards

Stéphane Purnelle
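
The check discussed in this thread, as an added example that is not part of the original messages: it applies the idmap_rid formula to each account and compares the result with the uidNumber the files are currently owned by, so accounts whose ownership and ACLs would stop matching are found before the backend is switched. The function names, the report format and the third account are constructed for illustration; the first two accounts and the range are the ones quoted above.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class RidRange:
    low: int           # LOW_RANGE_ID: first value of "idmap config DOM:range"
    high: int          # last value of the range
    base_rid: int = 0  # BASE_RID: 0 unless set in smb.conf

def rid_of(sid: str) -> int:
    """Return the RID, i.e. the last sub-authority of a domain SID string."""
    parts = sid.split("-")
    if len(parts) < 5 or parts[0] != "S" or not parts[-1].isdigit():
        raise ValueError(f"not a domain SID: {sid!r}")
    return int(parts[-1])

def rid_to_id(rid: int, rng: RidRange) -> Optional[int]:
    """ID = RID - BASE_RID + LOW_RANGE_ID, or None if outside the range."""
    unix_id = rid - rng.base_rid + rng.low
    # The range acts as a filter: results outside it are not mapped at all.
    return unix_id if rng.low <= unix_id <= rng.high else None

def audit(accounts, rng: RidRange):
    """Compare the rid-computed ID with the uidNumber currently in use."""
    report = []
    for sid, current in accounts:
        computed = rid_to_id(rid_of(sid), rng)
        if computed is None:
            verdict = "unmapped"   # user would get no UID on this server
        elif computed == current:
            verdict = "match"      # existing ownership and ACLs keep working
        else:
            verdict = "changes"    # files owned by the old UID no longer match
        report.append((sid, current, computed, verdict))
    return report

DOM = "S-1-5-21-XXXXXXXXXX-XXXXXXXXX-XXXXXXXXXX"  # masked as in the thread
ACCOUNTS = [
    (DOM + "-3216", 1108),    # samba3/ldap account from the thread
    (DOM + "-5878", 10023),   # samba 4 AD DC account from the thread
    (DOM + "-39500", 10500),  # constructed: RID that lands past the range
]
FILE_SERVER = RidRange(low=1005, high=40000)  # range from the posted config

if __name__ == "__main__":
    for sid, cur, new, verdict in audit(ACCOUNTS, FILE_SERVER):
        print(f"RID {rid_of(sid):>6}  uidNumber {cur:>6}  rid-id {new}  {verdict}")
```

Any account reported as "changes" or "unmapped" needs its files re-owned and ACLs rewritten if the rid backend is adopted.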