On 18/09/2022 16:46, Shannon Price via samba wrote:
> Thank you for the response, Rowland. Very helpful and we would like to move to a more modern setup.
>
> Your suggestion to move to AD means getting rid of NIS, correct? Using the users and groups from AD rather than NIS. I agree that this would be a better place to be, but have never been clear about the transition since our infrastructure has been based on NIS for so long. Can I simply run some Samba servers in the old style while converting others to all AD? Because of the NFS back-end, our multiple Samba servers can serve the same files - \\SAMBA1\homes and \\SAMBA2\homes can all find my home directory. I think that Winbind handles the ID mapping between SIDs and UIDs, but I have no idea how that would work across multiple Samba servers doing things differently.
>
> --
> Shannon
>

Samba provides several different ways of mapping AD users & groups to Unix IDs; the main ones are the 'autorid', 'rid' and 'ad' backends.

'autorid' is the easiest to set up, you just add a couple of lines to the smb.conf:

    idmap config * : backend = autorid
    idmap config * : range = 10000-9999999

'rid' is very similar:

    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    idmap config DOMAIN : backend = rid
    idmap config DOMAIN : range = 10000-999999

Neither of the above requires adding anything to AD; the first calculates the Unix ID from the Windows RID and allows multiple domains without any further lines. The second again works in a similar way, but is only used for a single domain; you can add further 'DOMAIN' lines for trusted domains.

'ad' works differently, but uses lines very similar to the 'rid' variant (and you can add multiple domains like the 'rid' backend); there is one big difference: you must add rfc2307 attributes to AD. This may be a way out of your difficulties: NIS will have its own IDs and you should be able to use these for your user & group uidNumber & gidNumber attributes.
Whichever backend you use, if you use the same basic smb.conf on every Unix machine, you will always get the same IDs.

You should also be aware that you cannot have the same username or group name in /etc/passwd & /etc/group that also exists in AD; the former will always be used first. My advice would be to just have users & groups in AD, apart from one or two local Unix Admins, just in case anything goes wrong.

If you require any further information, just ask.

Rowland
The rfc2307 attribute path does seem like it would be a way out, maybe a bit messy. Also we can't write to the user objects in our shared campus domain and there are/were other NIS domains on campus in the past, so we can't make those updates.

What is the most current and thorough IDMAP reference (books or online documentation)?

The ID mapping seems to create local UIDs for users and I assume the UID/GID ownership on the local filesystem uses that. Why wouldn't the UID/GID for a particular user set by IDMAP be different from server to server? If I move files from one server to another, the ownerships (UID/GID) would be different, right?

--
Shannon Price

-----Original Message-----
From: Rowland Penny <rpenny at samba.org>
Sent: Sunday, September 18, 2022 11:16 AM
To: samba at lists.samba.org
Subject: Re: [Samba] Samba 4 without winbind
I've had some progress on this using autorid and rid. A few issues however.

My home directory and other folders grant permissions to my NIS UID, but with Winbind, my files are written using the UID that was generated by idmap, so files I write have a different owner or I don't have permission at all to write to existing folders.

Winbind doesn't recognize all of my group memberships (even for non-nested groups). I can query specific groups via wbinfo and see my name in the group, but when I restrict a share using a flat AD group, it does not give me access. If I share using "Domain Users", this works.

--
Shannon
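The three backends Rowland describes (rid: arithmetic from the RID; autorid: ranges handed to domains as they are met; ad: uidNumber/gidNumber read from AD), together with Shannon's question of why a user's UID could differ between servers and her report of files owned by the NIS UID rather than the idmap UID, as an added example that is not part of the thread and not Samba's own code. It simulates the mapping in Python following the rules in the idmap_rid(8) and idmap_autorid(8) man pages; the domain SIDs, RIDs, NIS IDs and the order in which the two simulated servers first see the domains are constructed assumptions.

```python
"""Simulate how Samba's 'rid' and 'autorid' idmap backends derive a Unix ID
from a SID, and why only the 'ad' backend (rfc2307 uidNumber/gidNumber) can
hand back IDs that already exist in NIS.

Added example, not code from Samba or from either poster. The arithmetic
follows idmap_rid(8) and idmap_autorid(8); every SID, RID, range and NIS ID
below is constructed for illustration.
"""
import re
from typing import Dict, Optional, Tuple

# Domain SID (S-1-5-21-a-b-c) followed by the RID of the user or group.
SID_RE = re.compile(r"^(S-1-5-21-\d+-\d+-\d+)-(\d+)$")


def split_sid(sid: str) -> Tuple[str, int]:
    """Return (domain_sid, rid); anything that is not a domain SID is rejected."""
    m = SID_RE.match(sid)
    if not m:
        raise ValueError(f"not a domain SID: {sid}")
    return m.group(1), int(m.group(2))


def parse_range(text: str) -> Tuple[int, int]:
    """Parse an smb.conf 'idmap config ... : range = low-high' value."""
    low, high = (int(x) for x in text.split("-"))
    if low >= high:
        raise ValueError(f"bad idmap range {text!r}")
    return low, high


def rid_map(sid: str, rng: str) -> Optional[int]:
    """backend = rid: unix_id = range_low + RID.

    Pure arithmetic, so every server with the same range line computes the
    same ID. A RID that would land above range_high gets no mapping (None),
    which is how an unmapped user shows up in practice.
    """
    low, high = parse_range(rng)
    unix_id = low + split_sid(sid)[1]
    return unix_id if unix_id <= high else None


class AutoRid:
    """backend = autorid: the range is cut into slots of 'rangesize' IDs
    (default 100000). A slot is handed to a domain the first time one of its
    SIDs is seen and recorded in that server's autorid.tdb (a dict here), so
    the slot a domain gets depends on the order this server met domains.
    RIDs >= rangesize need a further slot for the same domain.
    """

    def __init__(self, rng: str, rangesize: int = 100000) -> None:
        self.low, self.high = parse_range(rng)
        self.rangesize = rangesize
        self.max_slots = (self.high - self.low + 1) // rangesize
        self.slots: Dict[str, int] = {}          # stands in for autorid.tdb

    def map(self, sid: str) -> Optional[int]:
        domain_sid, rid = split_sid(sid)
        key = f"{domain_sid}#{rid // self.rangesize}"
        if key not in self.slots:
            if len(self.slots) >= self.max_slots:
                return None                      # configured range exhausted
            self.slots[key] = len(self.slots)
        return self.low + self.slots[key] * self.rangesize + rid % self.rangesize


def ad_map(sid: str, rfc2307: Dict[str, int]) -> Optional[int]:
    """backend = ad: read uidNumber/gidNumber from the AD object; nothing is
    calculated, so NIS IDs written into AD come back unchanged. The dict
    stands in for the LDAP lookup."""
    return rfc2307.get(sid)


def ranges_overlap(a: str, b: str) -> bool:
    """The '*' range and each DOMAIN range must be disjoint for rid and ad."""
    (a_lo, a_hi), (b_lo, b_hi) = parse_range(a), parse_range(b)
    return a_lo <= b_hi and b_lo <= a_hi


def demo() -> Dict[str, Optional[int]]:
    """Constructed scenario: a campus domain and a trusted domain, a user with
    RID 1104 whose NIS uid is 5123, and the two configs from the thread."""
    campus = "S-1-5-21-1111111111-2222222222-3333333333"
    trusted = "S-1-5-21-4444444444-5555555555-6666666666"
    user = f"{campus}-1104"
    nis_ids = {user: 5123}                       # what 'ad' would read from AD

    # Two servers with identical smb.conf; server B happened to see the
    # trusted domain (e.g. via a group membership) before the campus domain.
    srv_a, srv_b = AutoRid("10000-9999999"), AutoRid("10000-9999999")
    srv_b.map(f"{trusted}-500")

    return {
        "rid_user": rid_map(user, "10000-999999"),                      # 11104
        "rid_unmapped": rid_map(f"{campus}-995000", "10000-999999"),    # None
        "autorid_a_user": srv_a.map(user),                              # 11104
        "autorid_b_user": srv_b.map(user),                              # 111104
        "ad_user": ad_map(user, nis_ids),                               # 5123
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:16} {value}")
```

Running it shows the three behaviours side by side: rid gives the same 11104 on any server carrying the same range line; autorid gives 11104 on one server and 111104 on the other because the domain-to-slot table lives in each server's own autorid.tdb and is filled in the order that server first meets domains; only ad returns the pre-existing NIS uid 5123. The gap between 11104 and 5123 is exactly the mismatch that leaves NFS-backed files owned by a different UID than the one Winbind writes with, and the ranges_overlap check is the one worth running on a config before deployment, since the '*' range and every DOMAIN range must not intersect.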