On 23/07/2023 17:53, Mark Foley via samba wrote:
> On Sat, 22 Jul 2023 20:58:01 Rowland Penny via samba <samba at lists.samba.org> wrote:
>
>> On 22/07/2023 18:52, Mark Foley via samba wrote:
>>> I am installing a new Linux Domain Member on an Active Directory domain that is
>>> otherwise 100% Windows, including a Windows AD/DC. Previously, I've added a
>>> Linux domain member to a domain with a Samba AD/DC and I had all the needful
>>> information available.
>>
>> It doesn't matter what the DCs are, Windows or Samba, the setup is the same.
>>
>>> I'm using the wiki
>>> https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member#Introduction
>>> for reference.
>>>
>>> In this case, what idmap backend should I use? ad, rid, autorid?
>>
>> Which idmap backend you use is entirely up to you, they all have their
>> places:
>>
>> If you use the 'ad' idmap backend you will need to have (or add)
>> uidNumber and gidNumber attributes in AD.
>
> I am not the admin for the Windows AD/DC, so I don't know which [uid|gid]Numbers
> are set in the AD. The actual admin is sort of a paint-by-numbers guy and I'm
> doubtful he knows anything about uid/gid, but I can ask.
I doubt if there are any uidNumber or gidNumber attributes in AD, they
are not there by default.
>
>> If you use the 'rid' idmap backend then the Unix ID's are calculated
>> from the AD objects RID. You will have to add a set of 'idmap config
>> lines' for every DOMAIN
>
> I'm not seeing the actual difference between 'ad' and 'rid' based on this
> comment. the 'ad' backend in my example also has a set of 'idmap config lines'.
> How would rid differ?
The idmap config lines for the 'ad' and 'rid' idmap backends are
similar, but different, try reading 'man idmap_ad' and 'man idmap_rid'.
>
> The wiki on 'rid' says,
>
> "ID mapping back ends are not supported in the smb.conf file on a Samba Active
> Directory (AD) domain controller (DC). Do not add any idmap config lines to a
> Samba Active Directory (AD) domain controller (DC) smb.conf"
>
> This isn't an AD/DC, but does this apply to the domain member as well? If I use
> this backend does that mean I don't need to specify gid/uid ranges in the
> smb.conf?
A Samba AD DC uses a very different idmap backend than any other domain
joined machine. If you set up a Unix domain member using Samba, you must
add the 'idmap config' backend of your choice.
> The wiki further says:
>
> o All domain user accounts and groups are automatically available on the
> domain member.
>
> o No attributes need to be set for domain users and groups.
>
> o If you use the same basic smb.conf file on all Samba domain members, then
> user and group IDs will always be the same.
>
> Maybe I don't need to worry about ranges?
Sorry, but yes you do.
>
>> The 'autorid' idmap backend works in a similar way to the 'rid' idmap
>> backend, but is meant for multiple domains and you will only require one
>> set of 'idmap config' lines.
>
> Only one domain in this setup.
>
>>> My domain member on my existing Samba domain has smb.conf settings:
>>>
>>> idmap config *:backend = tdb
>>> idmap config *:range = 2000-9999
>>> idmap config HPRS:backend = ad
>>> idmap config HPRS:schema_mode = rfc2307
>>> idmap config HPRS:range = 10000-10099
>>
>> That setup will require that your users have uidNumber attributes and
>> your groups will have gidNumber attributes in AD. All of these
>> attributes will have to contain numbers inside the 10000-10099 range
>> (which to be honest is a bit small and only allows for 99 users).
>
> This example was taken from an actual system with no possibility of ever having
> 99 users.
>
> Is there a way for me to determine the uid/gid range configured in this system?
The range is '10000-10099', that is what you set, but if there are no
uidNumber or gidNumber attributes in AD, then getent will not show anything.
> 'getent passwd username' returns nothing (although 'getent hosts members' does).
> wbinfo gives:
>
> # wbinfo -u
> could not obtain winbind interface details: WBC_ERR_WINBIND_NOT_AVAILABLE
> could not obtain winbind domain name!
> Error looking up domain users
>
> So that needs winbindd to be running, but I'm not at that step in the
> instructions.
You must be running winbind before wbinfo or getent will work.
>
>>> winbind enum groups = Yes
>>> winbind enum users = Yes
>>
>> If you only have 99 users, then the 'winbind enum' lines should be okay,
>> but they are not required and on larger domains, they will slow things down.
>
> Noted. I can get rid of that if it's not useful. BTW this target system has less
> than a dozen users.
>
>>> winbind nss info = rfc2307
>>
>> If you use the 'ad' idmap backend, then 'winbind nss info' is now part
>> of the 'idmap config' lines and isn't used with any other idmap backend.
>
> So, get rid of that in any case.
>
>>> winbind offline logon = Yes
>>> winbind refresh tickets = Yes
>>> winbind use default domain = Yes
>>
>> 'winbind use default domain' cannot be used with the 'autorid' idmap
>> backend.
>
> It doesn't look like 'autorid' will be the winner on backend, so I'll likely
> retain these lines, right?
In that case, yes.
>
>>> These settings were monkey-typed from a smb.conf example by kjhambrick, many,
>>> many moons ago. I really don't know why I have two backends specific (tdb and
>>> ad) or why there are two different ranges (2000-9999 and 10000-10099 - although
>>> I see the wiki also has a range for * and for domain). Do I need all these in
>>> the Windows AD config?
>>>
>>> I don't see backend tdb listed in the wiki. Is that obsolete? It does list other
>>> backends: ldap and nss.
>>
>> The 'tdb' idmap backend is an allocating backend and is only used for
>> the default '*' domain (unless you use the 'autorid' idmap backend, when
>> it isn't required at all). The default domain is meant for the Well
>> Known SIDs and anything outside the DOMAIN.
>
> So, keep that, right?
Most definitely.
>
>>> How would I find the range on this domain?
>>
>> You don't, you choose and set it :-)
>>
>> Anything you don't understand, please ask.
>>
>> Rowland
>
> Yeah, related to the last question on how to "find the range on this domain." I
> can't just make something up, can I?
Yes, you can use whatever range you like, but I suggest you read this
wiki page first:
https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
> I need to know how the actual domain admin
> set up the range. If there's no way to query this then I supposed I have to ask
> him, which might be a problem.
A typical Windows sysadmin will not have added any uidNumber or
gidNumber attributes to AD, they are of no value to Windows machines,
they use the SID, so I would be prepared to use the 'rid' idmap backend
if I was you.
>
> Can I just make something up and successfully join the domain, then do
'getent
> passwd' to see what my known gid/uid is?
You would get back whatever range you set in your smb.conf, however, if
you use the 'ad' idmap backend and there are no uidNumber & gidNumber
attributes in AD, you will get nothing back.
> I could try the default ranges, for example my new smb.conf might look like:
There are no real default ranges.
>
> idmap config *:backend = tdb
> idmap config *:range = 10000000-299999999
> idmap config HPRS:backend = ad
> idmap config HPRS:schema_mode = rfc2307
> idmap config HPRS:range = 10000-20000
There is no point in putting the default range above the DOMAIN range,
in fact if the DOMAIN grows large enough (as a user found recently), it
can stop the domain growing.
>
> winbind enum groups = Yes
> winbind enum users = Yes
> # winbind nss info = rfc2307
> winbind offline logon = Yes
> winbind refresh tickets = Yes
> winbind use default domain = Yes
>
> -----OR------
>
> # idmap config *:backend = tdb (do I need these?) rid wiki: "... this
> back end cannot be set as idmap config * default ID mapping back end."
> # idmap config *:range = 10000000-299999999
>
> # rid wiki: "You must add idmap config lines for all trusted domains."
> # would that be the following two lines?
> idmap config HPRS:backend = rid
> idmap config HPRS:schema_mode = rfc2307
>
> # idmap config HPRS:range = 10000-20000
As I said earlier, please read 'man idmap_rid'.
>
> # probably get rid of these?
> # winbind enum groups = Yes
> # winbind enum users = Yes
I would, they should only really be used for testing purposes.
>
> winbind nss info = rfc2307
> winbind offline logon = Yes
> winbind refresh tickets = Yes
> winbind use default domain = Yes
>
> Am I close on the 'ad' or 'rid' examples?
Fairly.
> Am I assuming correctly that ranges aren't needed for 'rid'?
Sorry, but no, whatever idmap backend you use, it requires a DOMAIN range.
Rowland
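An added example, written for this page and not code from the thread or from the Samba project: a small Python checker that turns the rules Rowland states above into something you can run against a draft smb.conf before joining. It parses the 'idmap config' lines, computes the Unix ID the 'rid' backend would hand out for a given RID using the formula from 'man idmap_rid' (ID = RID - BASE_RID + LOW_RANGE_ID), and flags the mistakes discussed in the thread: a DOMAIN without a range, overlapping ranges, a '*' range placed above the DOMAIN range, 'rid' used as the '*' default backend, 'winbind nss info' set with a backend other than 'ad', and 'winbind use default domain' combined with 'autorid'. The two smb.conf fragments, the domain name HPRS and the numeric ranges are constructed for the example.

```python
import re

# Constructed sample smb.conf fragments for this example (not from the thread).
# A 'rid' domain member with the '*' default range placed below the HPRS range:
GOOD_CONF = """
[global]
   security = ADS
   workgroup = HPRS
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999
   idmap config HPRS : backend = rid
   idmap config HPRS : range = 10000-999999
   winbind use default domain = yes
"""

# The shape of the draft in the thread: the '*' range sits above the DOMAIN
# range, and 'winbind nss info' is set although only the 'ad' backend uses it.
BAD_CONF = """
[global]
   idmap config *:backend = tdb
   idmap config *:range = 10000000-299999999
   idmap config HPRS:backend = rid
   idmap config HPRS:range = 10000-20000
   winbind nss info = rfc2307
   winbind use default domain = yes
"""

IDMAP_RE = re.compile(r"^\s*idmap\s+config\s+([^:\s]+)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.I)
PARAM_RE = re.compile(r"^\s*([a-z][a-z ]+?)\s*=\s*(.+?)\s*$", re.I)


def parse_conf(conf):
    """Return (idmap, params): idmap maps DOMAIN -> {option: value} from the
    'idmap config' lines; params holds the remaining 'key = value' lines."""
    idmap, params = {}, {}
    for line in conf.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            idmap.setdefault(m.group(1).upper(), {})[m.group(2).lower()] = m.group(3)
            continue
        m = PARAM_RE.match(line)
        if m:
            params[" ".join(m.group(1).lower().split())] = m.group(2).lower()
    return idmap, params


def parse_range(text):
    low, high = (int(x) for x in text.split("-"))
    return low, high


def rid_to_unix_id(rid, low, high, base_rid=0):
    """The idmap_rid mapping from 'man idmap_rid': ID = RID - BASE_RID + LOW_RANGE_ID.
    Returns None when the result falls outside the configured DOMAIN range."""
    unix_id = rid - base_rid + low
    return unix_id if low <= unix_id <= high else None


def check_idmap(conf):
    """Return the problems found in a domain member's idmap configuration,
    following the rules given in the thread (not an exhaustive validator)."""
    problems = []
    idmap, params = parse_conf(conf)
    if "*" not in idmap:
        problems.append("missing 'idmap config *' default domain")
    ranges, backends = {}, {}
    for dom, opts in idmap.items():
        backends[dom] = opts.get("backend", "").lower()
        if not backends[dom]:
            problems.append(f"{dom}: no backend set")
        if dom == "*" and backends[dom] == "rid":
            problems.append("'rid' cannot be the '*' default backend")
        if "range" not in opts:           # every backend needs a DOMAIN range
            problems.append(f"{dom}: no range set")
            continue
        low, high = parse_range(opts["range"])
        if low >= high:
            problems.append(f"{dom}: range {low}-{high} is empty")
        ranges[dom] = (low, high)
    ordered = sorted(ranges, key=lambda d: ranges[d][0])   # ranges must not overlap
    for a, b in zip(ordered, ordered[1:]):
        if ranges[a][1] >= ranges[b][0]:
            problems.append(f"ranges for {a} and {b} overlap")
    # a '*' range placed above a DOMAIN range can stop that domain growing
    for dom, (low, _) in ranges.items():
        if dom != "*" and "*" in ranges and ranges["*"][0] > low:
            problems.append(f"'*' range starts above {dom} range")
    if "winbind nss info" in params and "ad" not in backends.values():
        problems.append("'winbind nss info' is only used with the 'ad' backend")
    if params.get("winbind use default domain") == "yes" and "autorid" in backends.values():
        problems.append("'winbind use default domain' cannot be used with 'autorid'")
    return problems


if __name__ == "__main__":
    for name, conf in (("good", GOOD_CONF), ("draft", BAD_CONF)):
        print(f"{name}: {check_idmap(conf) or 'OK'}")
    print("RID 1105 in HPRS ->", rid_to_unix_id(1105, 10000, 999999))   # 11105
```

Run it as-is and the 'good' fragment passes while the draft is flagged for its '*' range and the stray 'winbind nss info' line; the rid_to_unix_id call shows why a DOMAIN range is still needed with 'rid', since the range both offsets the RID and caps which RIDs can be mapped at all.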