Greg Zartman
2014-Dec-02 19:24 UTC
[Samba] uidNumber. ( Was: What is --rfc2307-from-nss ??)
On Tue, Dec 2, 2014 at 11:15 AM, Rowland Penny <rowlandpenny at googlemail.com> wrote:
>
> Doh, I missed that, well spotted Steve.
>
> Do not alter idmap.ldb, leave it alone, use RFC2307 attributes where
> possible and join my campaign to get winbindd to pull all the attributes :-D
>

So, the xidNumber isn't needed? I'm going to be using SSSD for local auth, which pulls uidNumber from the AD, but didn't know if something else uses xidNumber.

Greg
Rowland Penny
2014-Dec-02 19:47 UTC
[Samba] uidNumber. ( Was: What is --rfc2307-from-nss ??)
On 02/12/14 19:24, Greg Zartman wrote:
> On Tue, Dec 2, 2014 at 11:15 AM, Rowland Penny
> <rowlandpenny at googlemail.com> wrote:
>
>     Doh, I missed that, well spotted Steve.
>
>     Do not alter idmap.ldb, leave it alone, use RFC2307 attributes
>     where possible and join my campaign to get winbindd to pull all
>     the attributes :-D
>
>
> So, the xidNumber isn't needed? I'm going to be using SSSD for local
> auth, which pulls uidNumber from the AD, but didn't know if something
> else uses xidNumber
>
> Greg
>

If you examine idmap.ldb with ldbedit, you will see it contains records for builtin users/groups AND domain users/groups. On the Samba 4 AD DC, if you do not use RFC2307 attributes, the domain users'/groups' xidNumbers are used via winbind, but if you do use the RFC2307 attributes for domain users/groups, then the xidNumbers are ignored. The builtin users/groups always use the xidNumbers; you do not need to concern yourself with these.

Rowland
On 02/12/14 20:24, Greg Zartman wrote:
> I'm going to be using SSSD

Good. A lot of your problems have just disappeared. Now, all that's left is the sysvol share, which has to be served by the DC. That still uses the external idmap db, so you somehow must replicate that to any further DCs you add. Having said that, when you have the DC up with SSSD, it becomes a minor problem. It's a 2 minute job with a usb stick.

SSSD? Get 1.12.x and go with this:
http://linuxcostablanca.blogspot.com.es/2014/04/sssd-ad-backend-with-samba4.html

Should take you about 5 minutes after you've installed it. You're almost there.

HTH,
Steve
Greg Zartman
2014-Dec-02 20:32 UTC
[Samba] uidNumber. ( Was: What is --rfc2307-from-nss ??)
On Tue, Dec 2, 2014 at 11:47 AM, Rowland Penny <rowlandpenny at googlemail.com> wrote:
> If you examine idmap.ldb with ldbedit, you will see it contains records
> for builtin users/groups AND domain users/groups. On the samba 4 AD DC, if
> you do not use RFC2307 attributes, the domain users/groups xidNumber's are
> used via winbind, but if you do use the RFC2307 attributes for domain
> users/groups, then the xidNumbers are ignored. The builtin users/groups
> always use the xidNumbers, you do not need to concern yourself these.
>

Yep, I did see the mapping. In fact, I created some Perl code to wrap around ldbmodify and set xidNumber = uidNumber/gidNumber in Samba. Sounds like the xidNumbers are really a non-issue with the RFC2307 attributes and SSSD.

Thanks,
Greg
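Rowland's explanation of when winbind consults xidNumber in idmap.ldb versus uidNumber/gidNumber on the AD object, and Greg's ldbmodify wrapper that copied one into the other, both come down to one lookup rule. The following is an added example, not Samba's code and not the Perl script Greg mentions: it models the rule exactly as Rowland states it (RFC2307 attribute on a domain object wins; BUILTIN and unmapped objects fall back to xidNumber), over two constructed LDIF samples shaped like `ldbsearch` output. The SIDs, account names and ID values are made up, and the `BUILTIN_PREFIX` test and the `(id, source)` return shape are this example's own choices.

```python
"""Where does the Unix ID for a given SID come from on a Samba AD DC?

Added example, not Samba's own code. Models the rule from the thread:
for domain users/groups an RFC2307 uidNumber/gidNumber on the AD object
wins and the xidNumber in idmap.ldb is ignored; BUILTIN entries, and
objects with no RFC2307 attribute, use the idmap.ldb xidNumber.
Both LDIF samples below are constructed; SIDs and numbers are made up.
"""

# Constructed: trimmed `ldbsearch -H idmap.ldb '(objectClass=sidMap)'` output
IDMAP_LDIF = """\
# record 1
dn: CN=S-1-5-32-544
objectSid: S-1-5-32-544
type: ID_TYPE_BOTH
xidNumber: 3000000

dn: CN=S-1-5-21-1111-2222-3333-513
objectSid: S-1-5-21-1111-2222-3333-513
type: ID_TYPE_GID
xidNumber: 3000001

dn: CN=S-1-5-21-1111-2222-3333-1105
objectSid: S-1-5-21-1111-2222-3333-1105
type: ID_TYPE_UID
xidNumber: 3000012

dn: CN=S-1-5-21-1111-2222-3333-1106
objectSid: S-1-5-21-1111-2222-3333-1106
type: ID_TYPE_UID
xidNumber: 3000013
"""

# Constructed: the matching AD objects; two carry RFC2307 attributes, one does not
AD_LDIF = """\
dn: CN=Domain Users,CN=Users,DC=example,DC=com
objectClass: group
objectSid: S-1-5-21-1111-2222-3333-513
gidNumber: 10000

dn: CN=greg,CN=Users,DC=example,DC=com
objectClass: user
objectSid: S-1-5-21-1111-2222-3333-1105
uidNumber: 10001
gidNumber: 10000

dn: CN=nomap,CN=Users,DC=example,DC=com
objectClass: user
objectSid: S-1-5-21-1111-2222-3333-1106
"""

BUILTIN_PREFIX = "S-1-5-32-"   # BUILTIN domain SIDs, e.g. S-1-5-32-544 Administrators


def parse_ldif(text):
    """Parse the LDIF ldbsearch prints into a list of {attr: [values]} dicts.
    Skips '#' comments, joins continuation lines (leading space) and splits
    records on blank lines. Base64 ('::') values are not needed here."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # LDIF continuation of the previous line
        else:
            lines.append(raw)
    records, current = [], {}
    for line in lines + [""]:             # trailing "" flushes the last record
        if not line.strip():
            if current:
                records.append(current)
                current = {}
        elif not line.startswith("#"):
            attr, _, value = line.partition(":")
            current.setdefault(attr.strip(), []).append(value.strip())
    return records


def by_sid(records):
    """Index records by objectSid; entries without one (e.g. CN=CONFIG) are dropped."""
    return {r["objectSid"][0]: r for r in records if "objectSid" in r}


def resolve(sid, ad, idmap):
    """Return (unix_id, source) for a SID. source is 'uidNumber'/'gidNumber'
    (RFC2307 attribute on the AD object), 'xidNumber' (idmap.ldb mapping)
    or 'unallocated' (no mapping exists yet)."""
    obj = ad.get(sid)
    if obj is not None and not sid.startswith(BUILTIN_PREFIX):
        attr = "uidNumber" if "user" in obj.get("objectClass", []) else "gidNumber"
        if attr in obj:
            return int(obj[attr][0]), attr      # RFC2307 wins; xidNumber is ignored
    entry = idmap.get(sid)
    if entry is not None and "xidNumber" in entry:
        return int(entry["xidNumber"][0]), "xidNumber"
    return None, "unallocated"   # winbind would allocate a fresh xidNumber on first lookup


if __name__ == "__main__":
    ad, idmap = by_sid(parse_ldif(AD_LDIF)), by_sid(parse_ldif(IDMAP_LDIF))
    for sid in sorted(set(ad) | set(idmap)):
        print(sid, *resolve(sid, ad, idmap))
```

Run against a real DC by replacing the two constants with the output of `ldbsearch -H /var/lib/samba/private/idmap.ldb '(objectClass=sidMap)'` and of an `ldbsearch -H /var/lib/samba/private/sam.ldb` query for the objects of interest (paths are the usual Debian/Ubuntu locations). The entries reported with source `xidNumber` are the ones where the idmap.ldb value still matters and therefore must be identical on every DC, which is the sysvol point Steve raises; for entries reported as `uidNumber`/`gidNumber` a differing xidNumber is harmless, so rewriting it with ldbmodify buys nothing. The DC honours the RFC2307 attributes only when `idmap_ldb:use rfc2307 = yes` is set in smb.conf, so check that before trusting the `uidNumber` rows.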