Fred F
2014-Feb-14 23:53 UTC
[Samba] winbind: How to map Administrator to "root" on AD member server
Hi,

I am running a pure Samba 4.1+ AD environment (on the server side). There is one AD DC running Samba 4.1 and two member servers (running Samba 4.1 as well).

I have provisioned the domain with support for the rfc2307 AD schema. On the DC the UIDs are assigned automatically to AD users by Samba, which is great. I am also storing the assigned UIDs in the Active Directory as uidNumber (gidNumber for groups).

On the member servers I am using the AD idmap backend with rfc2307 support:

> idmap config *:backend = tdb
> idmap config *:range = 3500000 - 3600000
> idmap config MYDOMAIN:backend = ad
> idmap config MYDOMAIN:schema_mode = rfc2307
> idmap config MYDOMAIN:range = 0 - 3500000
> winbind nss info = rfc2307

This is working great for normal users and groups, but I am struggling with some special accounts, such as "Administrator". On the DC Samba automatically assigned the uid/gid "0" to the account, which is fine for me. Now I also need this mapping on the member servers, as storage may be shared across the servers, so the UIDs need to stay the same.

So I assigned the uidNumber "0" to the "Administrator" account in the AD, but unfortunately the member server cannot resolve the account's SID to a uid (on the AD DC this is working!). What am I doing wrong?

Thanks in advance,
Frederik
steve
2014-Feb-15 08:41 UTC
[Samba] winbind: How to map Administrator to "root" on AD member server
On Sat, 2014-02-15 at 00:53 +0100, Fred F wrote:
> Hi,
>
> I am running a pure Samba 4.1+ AD environment (on the server side). There
> is one AD DC running Samba 4.1 and two member servers (running Samba 4.1 as
> well).
>
> I have provisioned the domain with support for the rfc2307 AD schema. On
> the DC the UIDs are assigned automatically to AD users by Samba, which is
> great. I am also storing the assigned UIDs in the Active Directory as
> uidNumber (gidNumber for groups).
>
> On the member servers I am using the AD idmap backend with rfc2307 support:
>
> > idmap config *:backend = tdb
> > idmap config *:range = 3500000 - 3600000
> > idmap config MYDOMAIN:backend = ad
> > idmap config MYDOMAIN:schema_mode = rfc2307
> > idmap config MYDOMAIN:range = 0 - 3500000
> > winbind nss info = rfc2307

The ranges overlap. Try 0-3499999 for MYDOMAIN

Steve
steve
2014-Feb-15 13:42 UTC
[Samba] winbind: How to map Administrator to "root" on AD member server
On Sat, 2014-02-15 at 00:53 +0100, Fred F wrote:
>
> This is working great for normal users and groups, but I am struggling with
> some special accounts, such as "Administrator".

Hi

It doesn't work as you have it. Just map Administrator to root (or whoever you want, probably not a good idea to use root) in smb.conf:
http://linuxcostablanca.blogspot.com.es/2013/05/samba-3615-file-server-for-samba-406-ad.html

HTH
Steve
Björn JACKE
2014-Feb-15 22:42 UTC
[Samba] winbind: How to map Administrator to "root" on AD member server
On 2014-02-15 at 00:53 +0100 Fred F sent off:
> This is working great for normal users and groups, but I am struggling with
> some special accounts, such as "Administrator". On the DC Samba
> automatically assigned the uid/gid "0" to the account, which is fine for
> me. Now I also need this mapping on the member servers, as storage may be
> shared across the servers, so the UIDs need to stay the same.

> So I assigned the uidNumber "0" to the "Administrator" account in the AD,
> but unfortunately the member server cannot resolve the account's SID to a
> uid (on the AD DC this is working!). What am I doing wrong?

I would recommend to change the uidNumber of Administrator to a different unused one. Otherwise you might run into other problems, too. See also https://bugzilla.samba.org/show_bug.cgi?id=9837

Björn