Trying to use the idmap config ad on a domain member. The AD is an actual Windows server and when logged in to the AD server running ADUC the NIS domain field on the UNIX attributes tab only shows a dash and cannot be changed.

Domain member is RHEL 7.6 running Samba 4.8.3.

Pertinent part of smb.conf:
====================================
[global]
security = ADS
workgroup = MYDOMAIN
realm = MYDOMAIN.LOCAL
server string = mydomain

kerberos method = secrets and keytab
winbind refresh tickets = yes

idmap config * : backend = tdb
idmap config * : range = 3000-8999
idmap config MYDOMAIN : backend = ad
idmap config MYDOMAIN : schema_mode = rfc2307
idmap config MYDOMAIN : range = 10000-99999
idmap config MYDOMAIN : unix_nss_info = yes

vfs objects = acl_xattr
map acl inherit = yes
store dos attributes = yes
====================================

The documentation seems to strictly point to using a Samba AD with the RSAT utility and here we're logged right on to the Windows AD using the native ADUC application.

Thanks for any assistance!

Chris
On Mon, 28 Jan 2019 09:10:58 -0500
Sonic via samba <samba at lists.samba.org> wrote:

> Trying to use the idmap config ad on a domain member. The AD is an
> actual Windows server and when logged in to the AD server running ADUC
> the NIS domain field on the UNIX attributes tab only shows a dash and
> cannot be changed.

Does Domain Users have a gidNumber attribute containing a number inside the 10000-99999 range?

Do any Active Directory groups have such a gidNumber?

> Domain member is RHEL 7.6 running Samba 4.8.3.
>
> Pertinent part of smb.conf:
> ====================================
> [global]
> security = ADS
> workgroup = MYDOMAIN
> realm = MYDOMAIN.LOCAL
> server string = mydomain
>
> kerberos method = secrets and keytab
> winbind refresh tickets = yes
>
> idmap config * : backend = tdb
> idmap config * : range = 3000-8999
> idmap config MYDOMAIN : backend = ad
> idmap config MYDOMAIN : schema_mode = rfc2307
> idmap config MYDOMAIN : range = 10000-99999
> idmap config MYDOMAIN : unix_nss_info = yes
>
> vfs objects = acl_xattr
> map acl inherit = yes
> store dos attributes = yes
> ====================================
>
> The documentation seems to strictly point to using a Samba AD with the
> RSAT utility and here we're logged right on to the Windows AD using
> the native ADUC application.

ADUC is part of RSAT and the Samba 'ad' backend works in the same way that the Unix Attributes tab does.

Rowland
On 28.01.2019 15:27, Rowland Penny via samba wrote:
> On Mon, 28 Jan 2019 09:10:58 -0500
> Sonic via samba <samba at lists.samba.org> wrote:
>
>> Trying to use the idmap config ad on a domain member. The AD is an
>> actual Windows server and when logged in to the AD server running ADUC
>> the NIS domain field on the UNIX attributes tab only shows a dash and
>> cannot be changed.
> Does Domain Users have a gidNumber attribute containing a number
> inside the 10000-99999 range?
>
> Do any Active Directory groups have such a gidNumber?
>
>> Domain member is RHEL 7.6 running Samba 4.8.3.
>>
>> Pertinent part of smb.conf:
>> ====================================
>> [global]
>> security = ADS
>> workgroup = MYDOMAIN
>> realm = MYDOMAIN.LOCAL
>> server string = mydomain
>>
>> kerberos method = secrets and keytab
>> winbind refresh tickets = yes
>>
>> idmap config * : backend = tdb
>> idmap config * : range = 3000-8999
>> idmap config MYDOMAIN : backend = ad
>> idmap config MYDOMAIN : schema_mode = rfc2307
>> idmap config MYDOMAIN : range = 10000-99999
>> idmap config MYDOMAIN : unix_nss_info = yes
>>
>> vfs objects = acl_xattr
>> map acl inherit = yes
>> store dos attributes = yes
>> ====================================
>>
>> The documentation seems to strictly point to using a Samba AD with the
>> RSAT utility and here we're logged right on to the Windows AD using
>> the native ADUC application.
> ADUC is part of RSAT and the Samba 'ad' backend works in the same way
> that the Unix Attributes tab does.
>
> Rowland

Hi Rowland,

I read this post and started wondering myself. If the DC is a Windows one, then I assume uid and gid creation is being handled automatically by Windows Server. If that's correct, then I assume the ad backend is the best one to use as the disadvantages mentioned in the wiki all disappear, leaving only advantages. So, one only has to make sure that the uids and gids created in the AD are within the range mentioned in the smb.conf.

Which begs the question, is it possible to influence this?

Viktor
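The two checks raised above, whether Domain Users (and the other groups) carry a gidNumber and whether every uidNumber/gidNumber falls inside the idmap range in smb.conf, can be run against the directory before expecting winbind to resolve anything. The script below is an added example, not code from the thread or from Samba: it parses the idmap settings out of the smb.conf posted above and checks a set of AD objects against them. The objects are supplied as constructed LDIF text standing in for what an `ldapsearch -LLL ... sAMAccountName objectClass uidNumber gidNumber` (or `net ads search`) against the DC would return; the account names and numbers in it are invented for the illustration.

```python
"""Sanity-check rfc2307 attributes in AD against the winbind 'ad' idmap range.

Added example (not part of the original thread). Conditions checked:
  * the per-domain range and the '*' range do not overlap
  * Domain Users, the usual primary group, has a gidNumber inside the range
  * every group gidNumber and user uidNumber lies inside the range
  * every user with a uidNumber also has a gidNumber, and that gidNumber
    belongs to some group (otherwise the user's primary group cannot be
    resolved on the member server)
"""
import re

# The smb.conf fragment posted in the thread.
SMB_CONF = """
[global]
security = ADS
workgroup = MYDOMAIN
realm = MYDOMAIN.LOCAL
idmap config * : backend = tdb
idmap config * : range = 3000-8999
idmap config MYDOMAIN : backend = ad
idmap config MYDOMAIN : schema_mode = rfc2307
idmap config MYDOMAIN : range = 10000-99999
idmap config MYDOMAIN : unix_nss_info = yes
"""

# Constructed LDIF standing in for an ldapsearch against the DC.
# Domain Users deliberately lacks a gidNumber, as in the original post.
LDIF = """
dn: CN=Domain Users,CN=Users,DC=mydomain,DC=local
objectClass: top
objectClass: group
sAMAccountName: Domain Users

dn: CN=linuxusers,CN=Users,DC=mydomain,DC=local
objectClass: top
objectClass: group
sAMAccountName: linuxusers
gidNumber: 10001

dn: CN=finance,CN=Users,DC=mydomain,DC=local
objectClass: top
objectClass: group
sAMAccountName: finance
gidNumber: 2000

dn: CN=chris,CN=Users,DC=mydomain,DC=local
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
sAMAccountName: chris
uidNumber: 10500
gidNumber: 10001

dn: CN=bob,CN=Users,DC=mydomain,DC=local
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
sAMAccountName: bob
uidNumber: 10501
gidNumber: 10002

dn: CN=alice,CN=Users,DC=mydomain,DC=local
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
sAMAccountName: alice

dn: CN=FILESERVER,CN=Computers,DC=mydomain,DC=local
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
objectClass: computer
sAMAccountName: FILESERVER$
"""

IDMAP_RE = re.compile(r'^\s*idmap config\s+(\S+)\s*:\s*(\w+)\s*=\s*(\S.*?)\s*$')


def parse_idmap(conf):
    """Return {DOMAIN: (lo, hi)} for every 'idmap config X : range' line."""
    ranges = {}
    for line in conf.splitlines():
        m = IDMAP_RE.match(line)
        if m and m.group(2) == 'range':
            lo, hi = (int(x) for x in m.group(3).split('-'))
            ranges[m.group(1).upper()] = (lo, hi)
    return ranges


def parse_ldif(text):
    """Minimal LDIF reader: entries separated by blank lines, attr: value."""
    entries, cur = [], {}
    for line in text.splitlines():
        if not line.strip():
            if cur:
                entries.append(cur)
                cur = {}
            continue
        key, _, val = line.partition(':')
        cur.setdefault(key.strip(), []).append(val.strip())
    if cur:
        entries.append(cur)
    return entries


def check(conf, ldif, domain='MYDOMAIN'):
    """Return a list of human-readable problems; empty list means all good."""
    ranges = parse_idmap(conf)
    lo, hi = ranges[domain]
    in_range = lambda n: lo <= n <= hi
    problems = []
    for d, (l2, h2) in ranges.items():
        if d != domain and not (h2 < lo or l2 > hi):
            problems.append(f"range for {d} ({l2}-{h2}) overlaps {domain} ({lo}-{hi})")
    entries = parse_ldif(ldif)
    groups = {e['sAMAccountName'][0]: e for e in entries if 'group' in e.get('objectClass', [])}
    known_gids = {int(g) for e in groups.values() for g in e.get('gidNumber', [])}
    du = groups.get('Domain Users')
    if du is None or 'gidNumber' not in du:
        problems.append("Domain Users has no gidNumber; the default primary group cannot be mapped")
    elif not in_range(int(du['gidNumber'][0])):
        problems.append(f"Domain Users gidNumber {du['gidNumber'][0]} is outside {lo}-{hi}")
    for name, g in groups.items():
        for gid in g.get('gidNumber', []):
            if not in_range(int(gid)):
                problems.append(f"group {name}: gidNumber {gid} is outside {lo}-{hi}")
    for e in entries:
        oc = e.get('objectClass', [])
        if 'user' not in oc or 'computer' in oc:
            continue  # only real user accounts need rfc2307 attributes here
        name = e['sAMAccountName'][0]
        if 'uidNumber' not in e:
            problems.append(f"user {name}: no uidNumber, the ad backend will not map this account")
            continue
        if not in_range(int(e['uidNumber'][0])):
            problems.append(f"user {name}: uidNumber {e['uidNumber'][0]} is outside {lo}-{hi}")
        if 'gidNumber' not in e:
            problems.append(f"user {name}: no gidNumber for a primary group")
        elif int(e['gidNumber'][0]) not in known_gids:
            problems.append(f"user {name}: gidNumber {e['gidNumber'][0]} matches no group's gidNumber")
    return problems


if __name__ == '__main__':
    for p in check(SMB_CONF, LDIF) or ["no problems found"]:
        print(p)
```

Run as-is it reports the four defects planted in the sample: Domain Users without a gidNumber, a group gidNumber below the range, a user whose gidNumber names no group, and a user with no uidNumber at all. Pointing it at real output from the DC is a matter of replacing the two embedded strings with the contents of smb.conf and the search result.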
On Mon, Jan 28, 2019 at 9:28 AM Rowland Penny via samba <samba at lists.samba.org> wrote:
> Does Domain Users have a gidNumber attribute containing a number
> inside the 10000-99999 range?
>
> Do any Active Directory groups have such a gidNumber?

Hi Rowland,

Not at this time, I didn't know that had to be assigned first.

However, that brings up another question. There's an application that both AD authenticated Samba users and non-AD users need to run where both sets of users need to have the same primary group membership. Is this possible with Winbind? Or possibly sssd if not?

Thanks,

Chris