I think the "ad" backend would work for me if I had access to the
domain controllers, which I do not. This makes the path out of our antiquated
setup much more complicated. It turns out that campus has been using an AD-bridge
product from BeyondTrust for the last 10 years.
The groups are in AD. I can query my group membership with wbinfo
--user-groups="DOMAIN\\username". None of the groups are above
999999. Some are over 930000, however, which, with the calculation below, puts
some over 999999. I had the idmap ranges lower, but the "idmap config
*:range" said it was too full when it was set to 3000-7999. Leaving out
the "*" idmap also generated a complaint; since your rid example
included it, I left it in.
winbind enum users = yes
winbind enum groups = yes
winbind nested groups = yes
winbind expand groups = 3
idmap config * : backend = tdb
idmap config * : range = 3000-60000
idmap config DOMAIN : backend = rid
idmap config DOMAIN : range = 70000-999999
--
Shannon
-----Original Message-----
From: samba <samba-bounces at lists.samba.org> On Behalf Of Rowland Penny
via samba
Sent: Monday, September 19, 2022 12:53 PM
To: samba at lists.samba.org
Cc: Rowland Penny <rpenny at samba.org>
Subject: [EXT] Re: [Samba] Samba 4 without winbind
On 19/09/2022 18:17, Shannon Price via samba wrote:
> I've had some progress on this using autorid and rid. A few issues
> however.
>
> My home directory and other folders grant permissions to my NIS UID, but
> with Winbind, my files are written using the UID that was generated by idmap, so
> files I write have a different owner or I don't have permission at all to
> write to existing folders.
Yes, I expected this, which is why I tried to steer you to the 'ad'
backend where you can set the NIS user ID as the user's uidNumber attribute (the
same goes for groups, but you would use the group's NIS ID for the group's gidNumber
attribute).
> Winbind doesn't recognize all of my group memberships (even for
> non-nested groups). I can query specific groups via wbinfo and see my name in
> the group, but when I restrict a share using a flat AD group, it does not give
> me access. If I share using "Domain Users", this works.
Are these groups in AD? I ask because winbind will ignore any groups that are
not in AD and any that are outside the range set in smb.conf.
I used '10000-999999' in my examples, so any group ID that is larger
than '999999' will be ignored. The 'rid' backend idmap ID is
calculated like this:
ID = RID + LOW_RANGE_ID
So if the group's RID is 11107, this would be
21107 = 11107 + 10000
The same calculation is used for users and 'autorid' works in much the
same way, but it uses a different calculation using the RID.
Rowland
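The arithmetic Rowland describes above is worth running against real numbers, because it is exactly what bites Shannon's groups with RIDs over 930000 once the DOMAIN range is 70000-999999. The script below is an added example, not code from this thread or from the Samba project. It parses the "idmap config ... : range" lines out of an smb.conf fragment (Shannon's, copied verbatim), applies ID = RID + LOW_RANGE_ID, and reports which SIDs winbind would map and which would be ignored as out of range. The domain SID and the three RIDs are constructed sample data; the rid backend's base_rid option (default 0) is assumed unset; autorid's per-domain range arithmetic is not covered.

```python
"""
Added example: model Samba's 'rid' idmap backend arithmetic offline.

ID = RID + LOW_RANGE_ID (with the optional base_rid, default 0, subtracted
from the RID first). Any result outside LOW-HIGH is one winbind will not
map, so the user or group is effectively invisible to it.

The smb.conf fragment is the one posted in the thread; the domain SID and
RIDs are constructed for illustration.
"""
from __future__ import annotations

import re

# Matches a domain SID with a trailing RID: S-1-5-21-<a>-<b>-<c>-<rid>
SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+-(\d+)$")

# Matches lines such as:  idmap config DOMAIN : range = 70000-999999
RANGE_RE = re.compile(
    r"^\s*idmap config\s+(\S+)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)\s*$", re.I
)

# Verbatim copy of the smb.conf fragment from the thread.
SAMPLE_SMB_CONF = """
winbind enum users = yes
winbind enum groups = yes
winbind nested groups = yes
winbind expand groups = 3
idmap config * : backend = tdb
idmap config * : range = 3000-60000
idmap config DOMAIN : backend = rid
idmap config DOMAIN : range = 70000-999999
"""

# Constructed SIDs: Domain Users (RID 513), Rowland's example RID 11107,
# and a group whose RID lands above the top of the range once shifted.
SAMPLE_SIDS = [
    "S-1-5-21-1111-2222-3333-513",
    "S-1-5-21-1111-2222-3333-11107",
    "S-1-5-21-1111-2222-3333-930500",
]


def parse_idmap_ranges(smb_conf: str) -> dict[str, tuple[int, int]]:
    """Return {domain: (low, high)} for every 'idmap config X : range' line."""
    ranges: dict[str, tuple[int, int]] = {}
    for line in smb_conf.splitlines():
        m = RANGE_RE.match(line)
        if m:
            ranges[m.group(1)] = (int(m.group(2)), int(m.group(3)))
    return ranges


def rid_of(sid: str) -> int:
    """Extract the RID (last sub-authority) from a domain SID."""
    m = SID_RE.match(sid)
    if not m:
        raise ValueError(f"not a domain SID: {sid}")
    return int(m.group(1))


def rid_to_unix_id(rid: int, low: int, high: int, base_rid: int = 0) -> int | None:
    """Apply the rid backend formula; None means 'outside the range, ignored'."""
    if rid < base_rid:
        return None
    unix_id = low + (rid - base_rid)
    return unix_id if low <= unix_id <= high else None


def max_rid_for_range(low: int, high: int, base_rid: int = 0) -> int:
    """Largest RID that still fits: every RID above this is silently dropped."""
    return high - low + base_rid


def check_mapping(smb_conf: str, domain: str, sids: list[str]) -> list[tuple[str, int, int | None]]:
    """For each SID, return (sid, rid, unix_id_or_None) under the domain's range."""
    low, high = parse_idmap_ranges(smb_conf)[domain]
    return [(sid, rid_of(sid), rid_to_unix_id(rid_of(sid), low, high)) for sid in sids]


if __name__ == "__main__":
    low, high = parse_idmap_ranges(SAMPLE_SMB_CONF)["DOMAIN"]
    print(f"DOMAIN range {low}-{high}: highest usable RID is {max_rid_for_range(low, high)}")
    for sid, rid, unix_id in check_mapping(SAMPLE_SMB_CONF, "DOMAIN", SAMPLE_SIDS):
        state = f"maps to {unix_id}" if unix_id is not None else "OUT OF RANGE, winbind ignores it"
        print(f"{sid}  RID {rid:>7}  {state}")
```

The useful number is the one from max_rid_for_range: with 70000-999999 the highest RID that still maps is 929999, which is why any group created late enough to have a RID above that vanishes from the group list even though wbinfo can still show its members. Raising the top of the range (or lowering the bottom) is the fix, but only as long as the new range does not overlap the "*" range or any UIDs/GIDs already handed out from it.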