On 29/01/15 22:56, Hans-Kristian Bakke wrote:
> Something went wrong and the message got sent before it was finished.
> Here is the complete one:
>
> Ok, it's here: http://pastebin.com/JEnr5wUq
>
> The id_offset is that value because I initially didn't use rfc2307
> attributes, but instead had
>
> idmap config EXAMPLE : range = 300000-499999
>
> in smb.conf.
>
> To get identical uid/gids you have to start with the same offset. If you
> have a fresh domain and are just starting with AD-integration on your
> linux-boxes you can just pull out the logic for generating winbind
> compatible uids/gids.
>
> -
> Regards,
>
> Hans-Kristian
>
>
> On 29 January 2015 at 23:53, Hans-Kristian Bakke <hkbakke at gmail.com> wrote:
>> Ok, it's here: http://pastebin.com/JEnr5wUq
>>
>> The id_offset is that value because I initially didn't use rfc2307
>> attributes, but instead
>>
>>
>> On 29 January 2015 at 23:27, Tim <lists at kiuni.de> wrote:
>>> @Hans-Kristian:
>>> I'd like to see it. How did you automate this?
>>>
>>> @Andrew:
>>> In another thread I suggested to set the rfc2307 info automatically when a
>>> domain is provisioned with --use-rfc2307. Possibly by an additional
>>> parameter.
>>> This would make things easier in my eyes.
>>>
>>> Thanks
>>> Tim
>>>
>>> On 29 January 2015 22:02:14 CET, Hans-Kristian Bakke
>>> <hkbakke at gmail.com> wrote:
>>>> It is actually rather easy to set the attributes via powershell, and
>>>> that is probably the best way to add them in a Server 2012 R2
>>>> environment.
>>>>
>>>> I wrote a powershell script to do this automatically for users and
>>>> groups in an entire domain that should be pretty generic to be reused.
>>>> It also mirrors the logic used in automatic winbind UID/GID generation
>>>> to be able to coexist in an environment where not all hosts are
>>>> migrated to rfc2307 yet. If you want it I can give it to you, but as
>>>> you probably would want to write your own powershell-script you would
>>>> set properties for users and groups using these two cmdlets and some
>>>> foreach-logic looping over your search bases, users and groups:
>>>>
>>>> Set-ADUser -Identity $username -Replace
>>>> @{uidNumber=$uid;gidNumber=$primary_group_gid;unixHomeDirectory=$homedir;loginShell=$login_shell}
>>>>
>>>> Set-ADGroup -Identity $groupname -Replace @{gidNumber=$gid}
>>>>
>>>> On 29 January 2015 at 21:24, Lars Hanke <debian at lhanke.de> wrote:
>>>>> On 29.01.2015 at 21:12, Tim wrote:
>>>>>>
>>>>>> But if they take it away how to set them in future?
>>>>>
>>>>> If you need NIS, you probably have POSIX systems attached. So you can
>>>>> always set RFC2307 attributes from POSIX systems.
>>>>>
>>>>>> On 29 January 2015 19:50:22 CET, Andrew Bartlett
>>>>>> <abartlet at samba.org> wrote:
>>>>>>>
>>>>>>> On Wed, 2015-01-28 at 17:22 +0100, Tim wrote:
>>>>>>>>
>>>>>>>> I got the chance to test samba 4 with windows 2012 R2 domain
>>>>>>>> controller on its highest functional level.
>>>>>>>>
>>>>>>>> Possibly it's important to know that M$ says that the "server for NIS
>>>>>>>> Tools" which are needed to set rfc attributes are deprecated.
>>>>>>>> I could install them but I can't choose a NIS domain anymore in Unix
>>>>>>>> attributes.
>>>>>>>>
>>>>>>>> Will we run into problems with samba4? Is it time for thinking about a
>>>>>>>> new idmapping backend? I have an idea for this (based on rid module)
>>>>>>>> but I like to know your thoughts.
>>>>>>>
>>>>>>> Even if they take away the admin tools, the schema changes won't go
>>>>>>> away, so don't worry.
>>>>>>>
>>>>>>> --
>>>>>>> Andrew Bartlett
>>>>>>> http://samba.org/~abartlet/
>>>>>>> Authentication Developer, Samba Team http://samba.org
>>>>>>> Samba Developer, Catalyst IT
>>>>>>> http://catalyst.net.nz/services/samba
>>>>>
>>>>> --
>>>>> To unsubscribe from this list go to the following URL and read the
>>>>> instructions: https://lists.samba.org/mailman/options/samba

OK, had a quick look through your script and I cannot recommend it, it would
seem to give Administrator (and everybody else) a 'uidNumber',
Administrator's 'uidNumber' would be 300500, not a good idea.

Rowland
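As an added example (not the pastebin script from the thread, nor anything from the Samba project), here is the loop the quoted message describes, written in PowerShell for a Server 2012 R2 domain: each id is range_low plus the account's RID, the arithmetic that gives Administrator 300500 with the quoted 300000-499999 range. The parameter names, the /home and /bin/bash defaults and the RID < 1000 cutoff are assumptions; whether Administrator should receive a uidNumber at all is what the rest of the thread argues about, so the script leaves that to a switch.

```powershell
# Added example, not the script from the thread: give domain users and groups RFC2307
# ids with the same arithmetic as winbind's rid idmap backend (id = range_low + RID), so
# hosts still on "idmap config EXAMPLE : range = 300000-499999" resolve identical ids.
#Requires -Modules ActiveDirectory
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [int]$IdOffset = 300000,                   # low end of the winbind range
    [int]$IdMax = 499999,                      # high end; ids above it are refused
    [string]$SearchBase = (Get-ADDomain).DistinguishedName,  # assumption: whole domain
    [string]$HomeRoot = '/home',
    [string]$LoginShell = '/bin/bash',
    [switch]$IncludeBuiltin                    # also map users with RID < 1000
)
$DomainSid = (Get-ADDomain).DomainSID

function Get-Rid([System.Security.Principal.SecurityIdentifier]$Sid) {
    # The RID is the last sub-authority of S-1-5-21-<domain>-<RID>.
    return [int]($Sid.Value.Split('-')[-1])
}

function ConvertTo-UnixId([int]$Rid) {
    $id = $IdOffset + $Rid
    if ($id -gt $IdMax) { throw "RID $Rid maps to $id, outside $IdOffset-$IdMax" }
    return $id
}

# Groups first, so every user's primary group (normally Domain Users, RID 513) has a gidNumber.
foreach ($g in Get-ADGroup -Filter * -SearchBase $SearchBase -Properties gidNumber) {
    # BUILTIN groups (S-1-5-32-*) have no rid mapping in winbind either; skip them.
    if ($g.SID.AccountDomainSid -ne $DomainSid) { continue }
    if ($g.gidNumber) { continue }             # never overwrite an existing value
    $gid = ConvertTo-UnixId (Get-Rid $g.SID)
    if ($PSCmdlet.ShouldProcess($g.SamAccountName, "set gidNumber=$gid")) {
        Set-ADGroup -Identity $g -Replace @{ gidNumber = $gid }
    }
}

foreach ($u in Get-ADUser -Filter * -SearchBase $SearchBase -Properties uidNumber, primaryGroupID) {
    if ($u.SID.AccountDomainSid -ne $DomainSid) { continue }
    $rid = Get-Rid $u.SID
    # Administrator (500), Guest (501) and krbtgt (502) only when asked for explicitly;
    # whether Administrator should get a uidNumber at all is what this thread argues about.
    if ($rid -lt 1000 -and -not $IncludeBuiltin) { continue }
    if ($u.uidNumber) { continue }
    $uid = ConvertTo-UnixId $rid
    $attrs = @{
        uidNumber         = $uid
        gidNumber         = (ConvertTo-UnixId $u.primaryGroupID)
        unixHomeDirectory = "$HomeRoot/$($u.SamAccountName)"
        loginShell        = $LoginShell
    }
    if ($PSCmdlet.ShouldProcess($u.SamAccountName, "set uidNumber=$uid")) {
        Set-ADUser -Identity $u -Replace $attrs
    }
}
```

Run it with -WhatIf first to see every write it would make; existing uidNumber/gidNumber values are never overwritten.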
I do not understand the point about issues with administrator being
mapped to a "random" rfc2307 UID. You need to explain the details
surrounding that part to me as my experience is that this is OK and
even necessary.

The only reason for not giving Administrator a "random" UID/GID that I
can think of is perhaps if you are doing some mapping of Administrator
to root, something which I am personally strongly against as they are
_not_ the same users from any central authentication point of view. It
is just a hack for people that are making the mistake of actually using
the administrator account for linux administration, when it shouldn't
really be used for anything at all, even on windows boxes, as you
should be adding dedicated admin accounts for each admin.

The script only gives users and groups that are non-local (i.e. domain
users that would actually be used for logins with non-zero SIDs)
uid/gids. Administrator is one of them and giving it a UID of
300500/whatever is absolutely correct and necessary if administrator
is going to be able to login to the linux boxes like everybody else.
From a linux box's view in a Windows DC domain administrator is no
different from other users. Add your admin group to sudoers and ssh
allowgroups and you are done. This works beautifully in several well
tested and abused production systems, also with ACLs with
administrator added.

--
Hans-Kristian

On 30 January 2015 at 11:01, Rowland Penny <rowlandpenny at googlemail.com> wrote:
> OK, had a quick look through your script and I cannot recommend it, it would
> seem to give Administrator (and everybody else) a 'uidNumber',
> Administrator's 'uidNumber' would be 300500, not a good idea.
>
> Rowland
On 30/01/15 16:20, Hans-Kristian Bakke wrote:
> I do not understand the point about issues with administrator being
> mapped to a "random" rfc2307 UID. You need to explain the details
> surrounding that part to me as my experience is that this is OK and
> even necessary.
>
> The only reason for not giving Administrator a "random" UID/GID that I
> can think of is perhaps if you are doing some mapping of Administrator
> to root, something which I am personally strongly against as they are
> _not_ the same users from any central authentication point of view. It
> is just a hack for people that are making the mistake of actually using
> the administrator account for linux administration, when it shouldn't
> really be used for anything at all, even on windows boxes, as you
> should be adding dedicated admin accounts for each admin.
>
> The script only gives users and groups that are non-local (i.e. domain
> users that would actually be used for logins with non-zero SIDs)
> uid/gids. Administrator is one of them and giving it a UID of
> 300500/whatever is absolutely correct and necessary if administrator
> is going to be able to login to the linux boxes like everybody else.
> From a linux box's view in a Windows DC domain administrator is no
> different from other users. Add your admin group to sudoers and ssh
> allowgroups and you are done. This works beautifully in several well
> tested and abused production systems, also with ACLs with
> administrator added.
>

Well, there you go, you and I are at opposite ends of the spectrum. I am
strongly against giving 'Administrator' a 'uidNumber' because you are
turning a special windows user into an ordinary Unix user. I personally
think that 'Administrator' should be mapped to the root user (user 0), if
you want another windows user to do administration on a Unix machine,
create one and give this user a 'uidNumber'.

It may help if you go look in idmap.ldb and see what the devs have mapped
'Administrator' to.

Rowland
Hans-Kristian Bakke wrote on 2015-01-30 17:20:
> I do not understand the point about issues with administrator being
> mapped to a "random" rfc2307 UID. You need to explain the details
> surrounding that part to me as my experience is that this is OK and
> even necessary.
>
> The only reason for not giving Administrator a "random" UID/GID that I
> can think of is perhaps if you are doing some mapping of Administrator
> to root, something which I am personally strongly against as they are
> _not_ the same users from any central authentication point of view. It
> is just a hack for people that are making the mistake of actually using
> the administrator account for linux administration, when it shouldn't
> really be used for anything at all, even on windows boxes, as you
> should be adding dedicated admin accounts for each admin.

Here is how I tried to explain why not to use 'smbmapping' of Administrator
to root: http://www.spinics.net/lists/samba/msg120633.html. It's just wrong
to do that.

> The script only gives users and groups that are non-local (i.e. domain
> users that would actually be used for logins with non-zero SIDs)
> uid/gids. Administrator is one of them and giving it a UID of
> 300500/whatever is absolutely correct and necessary if administrator
> is going to be able to login to the linux boxes like everybody else.
> From a linux box's view in a Windows DC domain administrator is no
> different from other users. Add your admin group to sudoers and ssh
> allowgroups and you are done. This works beautifully in several well
> tested and abused production systems, also with ACLs with
> administrator added.

Well put!

Regards
Davor

> --
> Hans-Kristian