chris.hayes at proporta.com
2013-Jul-29 23:36 UTC
[Samba] Consistent Inter-Samba UID/GID Mappings
Hi everyone,

I'm trying to ensure my various Samba3 fileservers have consistent Samba User/Group -> Linux UID/GID mappings between them. The domain is controlled by a Samba4 DC. Samba3 is used because it's maintained in the distributions that we have deployed already.

I believe that using Winbind with idmap_rid is probably the easiest way to accomplish this, however I have had no luck with this after spending hours trying different configurations. And after searching online, it appeared that several people have suggested that this idmap backend no longer works in 3.6, and that explicitly stored mappings (via RFC2307 / SFU) are now considered the appropriate way to do what I'm wanting. Can anyone confirm this?

In an attempt to implement RFC2307 in the Samba directory, I rebuilt my test domain (Samba4) using the --use-rfc2307 option in the samba-tool domain provision command.

"The --use-rfc2307 option enables your Samba AD automatically to store posix attributes."
-- https://wiki.samba.org/index.php/Samba_AD_DC_HOWTO#Provisioning_Samba_.28Setting_up_a_new_domain.29

This sounded like it would work perfectly for my needs. However it doesn't. I'd hoped that it would ensure that any new user or group is automagically assigned a uidNumber or gidNumber, etc. Currently I'm using RSAT to administer the directory.

I'm rather hoping that someone can point out something important that I've not realised. Any information would be enthusiastically received. I'll update this with further information tomorrow (Samba versions -- I believe that the DC is 4.0.6 and the fileserver 3.6.3).

Thanks for your time.

Chris
Hello Chris,

On 30.07.2013 01:36, chris.hayes at proporta.com wrote:
> In an attempt to implement RFC2307 in the Samba directory, I rebuilt my
> test domain (Samba4) using the --use-rfc2307 option in the samba-tool
> domain provision command.
>
> "The --use-rfc2307 option enables your Samba AD automatically to store
> posix attributes."
> --
> https://wiki.samba.org/index.php/Samba_AD_DC_HOWTO#Provisioning_Samba_.28Setting_up_a_new_domain.29
>
> This sounded like it would work perfectly for my needs. However it
> doesn't. I'd hoped that it would ensure that any new user or group is
> automagically assigned a uidNumber or gidNumber, etc. Currently I'm
> using RSAT to administer the directory.
>
> I'm rather hoping that someone can point out something important that
> I've not realised. Any information would be enthusiastically received.
> I'll update this with further information tomorrow (Samba versions -- I
> believe that the DC is 4.0.6 and the fileserver 3.6.3).

The --use-rfc2307 option doesn't automatically assign xIDs on your DC. It adds the additional schemas to your directory that allow you, among other things, to assign xIDs to users/groups.

If you migrate to Samba AD, then the values from your old Samba PDC are filled into these fields. If you provision a new domain and add users/groups, the fields you require are not set. You can administer them through ADUC or other ways.

If you don't want to administer the posix stuff in your AD, have a look at sssd instead of winbind.

Regards,
Marc
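
Marc's point that accounts created in a freshly provisioned domain carry no uidNumber/gidNumber until someone sets them can be checked with a small audit over an LDIF export of the directory. This is an added example, not part of the thread: the sample entries, the 10000-99999 ID range and the function names are assumptions.

```python
from collections import defaultdict
# Constructed sample export (not from the thread); names and numbers are made up.
SAMPLE_LDIF = """\
dn: CN=alice,CN=Users,DC=example,DC=test
objectClass: user
sAMAccountName: alice
uidNumber: 10001

dn: CN=bob,CN=Users,DC=example,DC=test
objectClass: user
sAMAccountName: bob

dn: CN=carol,CN=Users,DC=example,DC=test
objectClass: user
sAMAccountName: carol
uidNumber: 10001

dn: CN=staff,CN=Users,DC=example,DC=test
objectClass: group
sAMAccountName: staff
gidNumber: 500
"""

def parse_ldif(text):
    """Split on blank lines and collect 'attr: value' pairs per entry."""
    for block in text.strip().split("\n\n"):
        entry = defaultdict(list)
        for line in block.splitlines():
            key, sep, value = line.partition(": ")
            if sep:
                entry[key].append(value)
        yield entry

def audit(text, id_range=(10000, 99999)):
    """Report missing, duplicate and out-of-range POSIX IDs (id_range is assumed)."""
    missing, out_of_range, by_uid = [], [], defaultdict(list)
    for e in parse_ldif(text):
        name = e["sAMAccountName"][0]
        attr = "uidNumber" if "user" in e["objectClass"] else "gidNumber"
        if not e[attr]:
            missing.append((name, attr))   # account exists but was never given an xID
            continue
        num = int(e[attr][0])
        if not id_range[0] <= num <= id_range[1]:
            out_of_range.append((name, attr, num))
        if attr == "uidNumber":
            by_uid[num].append(name)
    dupes = {uid: names for uid, names in by_uid.items() if len(names) > 1}
    return {"missing": missing, "duplicates": dupes, "out_of_range": out_of_range}
```

Two accounts sharing one uidNumber resolve to the same Linux user on every file server, so a duplicate is an access-control problem and not only a bookkeeping one.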