samba - Jul 2013 - Consistent Inter-Samba UID/GID Mappings

Hi everyone,

I'm trying to ensure my various Samba3 fileservers have consistent 
Samba User/Group -> Linux UID/GID mappings between them. The domain is 
controlled by a Samba4 DC.

Samba3 is used because it's maintained in the distributions that we 
have deployed already.

I believe that using Winbind with idmap_rid is probably the easiest way 
to accomplish this, however I have had no luck with this after spending 
hours trying different configurations. And after searching online, it 
appeared that several people have suggested that this idmap backend no 
longer works in 3.6, and that explicitly stored mappings (via RFC2307 / 
SFU) is now considered the appropriate way to do what I'm wanting.

Can anyone confirm this?

In an attempt to implement RFC2307 in the Samba directory, I rebuilt my 
test domain (Samba4) using the --use-rfc2307 option in the samba-tool 
domain provision command.

"The --use-rfc2307 option enables your Samba AD automatically to store 
posix attributes."
  -- 
https://wiki.samba.org/index.php/Samba_AD_DC_HOWTO#Provisioning_Samba_.28Setting_up_a_new_domain.29

This sounded like it would work perfectly for my needs. However it 
doesn't. I'd hoped that it would ensure that any new user or group is 
automagically assigned a uidNumber or gidNumber, etc. Currently I'm 
using RSAT to administer the directory.

I'm rather hoping that someone can point out something important that 
I've not realised. Any information would be enthusiastically received. 
I'll update this with further information tomorrow (Samba versions -- I 
believe that the DC is 4.0.6 and the fileserver 3.6.3).

Thanks for your time.
Chris

Hello Chris,

Am 30.07.2013 01:36, schrieb chris.hayes at
proporta.com:
> In an attempt to implement RFC2307 in the Samba directory, I rebuilt my
> test domain (Samba4) using the --use-rfc2307 option in the samba-tool
> domain provision command.
>
> "The --use-rfc2307 option enables your Samba AD automatically to store
> posix attributes."
>   --
>
https://wiki.samba.org/index.php/Samba_AD_DC_HOWTO#Provisioning_Samba_.28Setting_up_a_new_domain.29
>
>
> This sounded like it would work perfectly for my needs. However it
> doesn't. I'd hoped that it would ensure that any new user or group
is
> automagically assigned a uidNumber or gidNumber, etc. Currently I'm
> using RSAT to administer the directory.
>
> I'm rather hoping that someone can point out something important that
> I've not realised. Any information would be enthusiastically received.
> I'll update this with further information tomorrow (Samba versions -- I
> believe that the DC is 4.0.6 and the fileserver 3.6.3).

the --use-rfc2307 option doesn't automatically assigns xIDs on your DC. 
It add's the additionals schemas to your directory that allows you among 
others to assign xIDs to user/groups.

If you migrate to Samba AD, then the values from your old Samba PDC are 
filled in this fields. If you provision a new domain and add 
users/groups, the fields you require are not set. You can administrate 
them through ADUC or other ways.

If you don't want to administrate the posix stuff in your AD, have a 
look on sssd instead of winbind.



Regards,
Marc