samba - Oct 2014 - Samba4: "­MYDO­M\Administrator" qui­te us­eless on a member

> Comment from Rowland:
> [...]an AD user without a uidNumber is merely a windows user
Hi Rowland,

just for my understanding, I have a question. If a domain user in my samba4 AD
domain does not have been assigned with a "uid" on the [UNIX
Attribute] tab of my ADUC tool, that user in general *cannot* access any of the
shares of that particular member server? Is that correct? My [home] and
[profile] share resides on my member server, thus I definitely *need* to assign
to every domain user a uid so that he will be able to use that shares, right?

My other question still exists, it is the same as the topic of this thread :-)
As you said one shouldn't assign a uid to the MYDOM\Administrator account
(because he looses its special permissions and thus will be converted to a
'normal' UNIX user on the member server), I am still wondering myself:

Is MYDOM\Administrator therefore *useless* on a memberserver? I cannot use that
account for accessing shares on the member server, right? (assuming I didn't
have assigned a UID to him, as you suggested).

Thanks and greetings,
Mirco

On 27/10/14 20:55, ?icro MEGAS wrote:
>> Comment from Rowland:
>> [...]an AD user without a uidNumber is merely a windows user
> Hi Rowland,
>
> just for my understanding, I have a question. If a domain user in my samba4
AD domain does not have been assigned with a "uid" on the [UNIX
Attribute] tab of my ADUC tool, that user in general *cannot* access any of the
shares of that particular member server? Is that correct? My [home] and
[profile] share resides on my member server, thus I definitely *need* to assign
to every domain user a uid so that he will be able to use that shares, right?
It is a bit more complicated than that, if you use a member server as 
you are doing, then yes, the underlying Unix machine has to know who 
your windows users are. You can use nlscd, sssd or winbind to do this, 
now if you use either of the last two, they can be set up in a way that 
they will be given a uidNumber automatically based on the users RID. If 
you give your users the required rfc2307 attributes, you can use any of 
the three and give your users individual home directory paths for 
instance, something that is not possible without using rfc2307. What I 
will say is, I think that it is better to use the rfc2307 attributes 
than not to.
>
> My other question still exists, it is the same as the topic of this thread
:-) As you said one shouldn't assign a uid to the MYDOM\Administrator
account (because he looses its special permissions and thus will be converted to
a 'normal' UNIX user on the member server), I am still wondering myself:
>
> Is MYDOM\Administrator therefore *useless* on a memberserver? I cannot use
that account for accessing shares on the member server, right? (assuming I
didn't have assigned a UID to him, as you suggested).
This is a valid question and no the 'Administrator' is not useless on a 
memberserver, you need him (her ??) as a bridge to the root user from 
windows, this is what the smbmap is for, if you need to do something 
from windows on a Unix machine that only 'root' can do easily, then do 
it as 'root' via the smbmap. Just as you wouldn't really do much as
the
Administrator on windows (well you wouldn't login and run word all day 
long, for instance), you do not, as a rule, login as root on a Unix 
machine and carry out day to day operations.

Rowland
>
> Thanks and greetings,
> Mirco

> It is a bit more complicated than that, if you use a member server as 
> you are doing, then yes, the underlying Unix machine has to know who 
> your windows users are. You can use nlscd, sssd or winbind to do this, 
> now if you use either of the last two, they can be set up in a way that 
> they will be given a uidNumber automatically based on the users RID. If 
> you give your users the required rfc2307 attributes, you can use any of 
> the three and give your users individual home directory paths for 
> instance, something that is not possible without using rfc2307. What I 
> will say is, I think that it is better to use the rfc2307 attributes 
> than not to.
Ok, my DC was provisioned with rfc2307 and has the NIS extensions. I am using
winbind with "ad" backend on my member server. But it's necessary
to assign a
uid for every user in ADUC tool, so these users can access my shares on the
member server. I hope that's ok like that.
> This is a valid question and no the 'Administrator' is not useless
on a
> memberserver, you need him (her ??) as a bridge to the root user from 
> windows, this is what the smbmap is for, if you need to do something 
> from windows on a Unix machine that only 'root' can do easily, then
do
> it as 'root' via the smbmap. Just as you wouldn't really do
much as the
> Administrator on windows (well you wouldn't login and run word all day 
> long, for instance), you do not, as a rule, login as root on a Unix 
> machine and carry out day to day operations.
Out of curiosity: what happens, when I don't use the "smbmap"
feauture, but
I am logged in as MYDOM\it-admin1 ? That user is member of "Builtin\Domain
Admins".
The user "it-admin1" can use for example the ADUC tool, create/modify
users, and so on... it seems that everything work fine, the only difference to
using "smbmap" feauture is that directories or files created with
"it-admin1"
user have as owner=it-admin1. When I use the smbmap feauture the
owner=root. But both work fine, so do one really need smbmap?