On 22/12/14 17:22, Denis Cardon wrote:
> Hi William,
>
>> I have an AD domain (Samba 4.1.13 domain controllers) and some Samba 3.6
>> clients.
>> I would like the uid/gid mappings to be consistent across the two
>> sets of machines.
>>
>> The Samba4 DCs have the following line in smb.conf:
>>
>> idmap_ldb:use rfc2307 = yes
>>
>> and their uids/gids are in sync across all four of them.
>>
>> The Samba 3.6 domain members currently have:
>>
>> idmap config MBSW : backend = rid
>> idmap config MBSW : range = 10000001-20000000
>
> if you are using rfc2307 on one side and rid on the other, it is
> pretty sure that it won't be in sync. You should use rfc2307 also on
> the samba 3.6, with something like
>
> [global]
> workgroup = MONDOMAINE
> security = ADS
> realm = MONDOMAINE.LOCAL
> idmap config *:backend = tdb
> idmap config *:range = 70001-80000
> idmap config MONDOMAINE:backend = ad
> idmap config MONDOMAINE:schema_mode = rfc2307
> idmap config MONDOMAINE:range = 500-40000
>
> By the way, samba 3.6 is going end of life pretty soon (see the recent
> 4.2RC3 release notes), you should upgrade your 3.6 domain members to
> samba4 too.
>
> Cheers,
>
> Denis
>
>> in their smb.conf. As a result the uids/gids match between the Samba 3.6
>> domain members, but are completely different to the Samba4 DCs.
>>
>> Is there a way to configure the 3.6 domain members to use the same
>> uid/gid mapping as the Samba4 DCs?
>>
>> Many thanks,
>>
>> Will

Hi, what you are saying Denis is true as far as it goes, but the OP also needs to add the required RFC2307 attributes (uidNumber, gidNumber) to the user & group objects.

Rowland

On 22/12/14 19:04, Rowland Penny wrote:
> On 22/12/14 17:22, Denis Cardon wrote:
>> Hi William,
>>
>>> I have an AD domain (Samba 4.1.13 domain controllers) and some Samba
>>> 3.6 clients.
>>> I would like the uid/gid mappings to be consistent across the two
>>> sets of machines.
>>
>> By the way, samba 3.6 is going end of life pretty soon (see the recent
>> 4.2RC3 release notes), you should upgrade your 3.6 domain members to
>> samba4 too.
>>
>> Cheers,
>>
>> Denis
>
> Hi, what you are saying Denis is true as far as it goes, but the OP also
> needs to add the required RFC2307 attributes (uidNumber, gidNumber) to
> the user & group objects.
>
> Rowland

Does upgrading the member servers to Samba 4 mean they can share the uid/gid mapping the Samba 4 DCs are currently using?

According to https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server I would still need to use:

idmap config DOMAIN : backend = ad

for a member server even under Samba 4. Which would mean I would need to populate the uid/gid attributes within AD.

At present, presumably my Samba4 DCs are storing a mapping in the .ldb/.tdb files in /usr/local/samba/private (hidden from AD). Is there no way to use the same mapping on a member server?

On 22/12/14 21:35, William Ross wrote:
> On 22/12/14 19:04, Rowland Penny wrote:
>> On 22/12/14 17:22, Denis Cardon wrote:
>>> Hi William,
>>>
>>>> I have an AD domain (Samba 4.1.13 domain controllers) and some Samba
>>>> 3.6 clients.
>>>> I would like the uid/gid mappings to be consistent across the two
>>>> sets of machines.
>>> By the way, samba 3.6 is going end of life pretty soon (see the recent
>>> 4.2RC3 release notes), you should upgrade your 3.6 domain members to
>>> samba4 too.
>>>
>>> Cheers,
>>>
>>> Denis
>>>
>> Hi, what you are saying Denis is true as far as it goes, but the OP also
>> needs to add the required RFC2307 attributes (uidNumber, gidNumber) to
>> the user & group objects.
>> Rowland
> Does upgrading the member servers to Samba 4 mean they can share the uid/gid
> mapping the Samba 4 DCs are currently using?

Samba 4 is just the next version after 3.6.x and as such works pretty much like 3.6.x (though there are slight parameter differences). I am pretty sure that there is no way to get the same ID numbers on member servers as on the DC without using RFC2307 attributes.

> According to https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server
> I would still need to use:
>
> idmap config DOMAIN : backend = ad
>
> for a member server even under Samba 4. Which would mean I would need to
> populate the uid/gid attributes within AD.
> At present, presumably my Samba4 DCs are storing a mapping in the .ldb/.tdb
> files in /usr/local/samba/private (hidden from AD). Is there no way to use
> the same mapping on a member server?

No, the real reason for idmap.ldb is to store IDs for the BUILTIN well-known SIDs; it also maps users & groups as well. This setup is not used on member servers. You could do what the Samba wiki advises, only use the DC for authentication.

Rowland
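
An added example, not part of the thread or of Samba itself: a pre-migration check for the point made above that the `ad` backend needs uidNumber/gidNumber populated in AD. It audits a simplified LDIF export against the 500-40000 range from the example smb.conf, since the `ad` backend treats its configured range as a filter. The account names and the export are constructed for illustration.

```python
from collections import defaultdict

# Range taken from the "idmap config MONDOMAINE:range" line quoted in the thread.
ID_RANGE = (500, 40000)

# Constructed sample export: hypothetical accounts, simplified LDIF (no folding or base64).
SAMPLE_LDIF = """\
dn: CN=bob,CN=Users,DC=mondomaine,DC=local
objectClass: user
sAMAccountName: bob

dn: CN=carol,CN=Users,DC=mondomaine,DC=local
objectClass: user
sAMAccountName: carol
uidNumber: 10000500

dn: CN=staff,CN=Users,DC=mondomaine,DC=local
objectClass: group
sAMAccountName: staff
gidNumber: 20001
"""

def parse_ldif(text):
    """Yield one attribute -> list-of-values mapping per blank-line-separated record."""
    for block in text.strip().split("\n\n"):
        rec = defaultdict(list)
        for line in block.splitlines():
            key, _, value = line.partition(": ")
            rec[key].append(value)
        yield rec

def audit(text, id_range=ID_RANGE):
    """Return {account: problem} for objects the ad backend would leave unmapped."""
    low, high = id_range
    problems = {}
    for rec in parse_ldif(text):
        name = rec["sAMAccountName"][0]
        # Groups need gidNumber, users need uidNumber (the attributes named in the thread).
        attr = "gidNumber" if "group" in rec["objectClass"] else "uidNumber"
        values = rec[attr]
        if not values:
            problems[name] = f"missing {attr}"
        elif not low <= int(values[0]) <= high:
            problems[name] = f"{attr} {values[0]} outside {low}-{high}"
    return problems

if __name__ == "__main__":
    for account, problem in audit(SAMPLE_LDIF).items():
        print(f"{account}: {problem}")
```

In the sample, carol carries a value from the old rid range (10000001-20000000), the kind of leftover that would stay unmapped on a member using the 500-40000 range.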