Miguel Medalha
2015-Feb-21 22:15 UTC
[Samba] Winbind backend : rid is too much underappreciated
> Just recently a user had problems getting the rid backend to work, so it
> isn't the magic solution you are suggesting. Once you get your head
> around the winbind backends, it is easy to set them up. If you did have
> problems with the 'ad' backend, you had something set incorrectly.

Do you have something against the rid backend? Which disadvantages do you see? It simply works!

The problems I had came most probably from using the AD Controller also as file server. I know, that's not perfect but sometimes things have to be done in a certain way in certain scenarios for particular reasons.

The internal winbind maps users/groups to a range starting with 3000000. Administrator has a UID of 0. How would you fill up the UNIX Attributes tab for Administrator?
Marc Muehlfeld
2015-Feb-21 22:44 UTC
[Samba] Winbind backend : rid is too much underappreciated
On 21.02.2015 at 23:15, Miguel Medalha wrote:
> Do you have something against the rid backend? Which disadvantages do you
> see? It simply works!

_My_ personal disadvantage with idmap_rid is that you have to define stuff like the shell on a per-server and not on a per-user basis. You can decide if _all_ users should have /bin/bash or all /bin/false. RFC2307 allows you to centrally set this per user. So admins have a shell for their user account and no one else. With RID backend, all users need a shell, and I have to take care via sshd.conf, etc. that only admin users are allowed to really log in.

> Administrator has a UID of 0. How would you fill up the UNIX Attributes
> tab for Administrator?

My domain admin at work has UID 30253. I haven't seen any problems yet. ACLs on Linux-Samba servers are set as root using POSIX ACLs. On Windows servers it's done the Windows way without any problems. I can administer my Samba printserver by granting privileges as described in the Wiki. Haven't seen any problems since setup 2.5 years ago.

Regards,
Marc
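The per-server versus per-user shell trade-off described in the message above, as an added smb.conf sketch for a domain member (not part of the original thread and not any poster's configuration). The domain name EXAMPLE, the realm and all ID ranges are assumed values.

```ini
# smb.conf on a domain member (added example; EXAMPLE, realm and ranges are assumed)
[global]
    security = ads
    workgroup = EXAMPLE
    realm = EXAMPLE.COM

    # Default domain: BUILTIN and local accounts
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999

    # --- Variant A: rid backend -------------------------------------
    # UIDs/GIDs are derived from each account's RID, so nothing has to
    # be filled in on the UNIX Attributes tab.
    idmap config EXAMPLE : backend = rid
    idmap config EXAMPLE : range = 10000-999999

    # Shell and home directory are server-wide templates: every domain
    # user on this server gets the same shell.
    # /bin/false means no domain account can open a login shell here.
    template shell = /bin/false
    template homedir = /home/%U
    # If admins need a shell, this has to become /bin/bash for
    # everyone, and logins must then be limited elsewhere, for example
    # with an AllowGroups line in the SSH daemon configuration.

    # --- Variant B: ad backend (RFC2307) ----------------------------
    # IDs, shell and home directory are read per user from AD
    # (uidNumber, gidNumber, loginShell, unixHomeDirectory). Accounts
    # without uidNumber/gidNumber are not mapped at all.
    ;idmap config EXAMPLE : backend = ad
    ;idmap config EXAMPLE : schema_mode = rfc2307
    ;idmap config EXAMPLE : range = 10000-999999
    ;winbind nss info = rfc2307
    # With this variant only the accounts that carry a real shell in
    # loginShell can log in; no server-wide shell setting is involved.
```

Only one variant should be active for the EXAMPLE domain at a time; switching backends on a server that already holds files changes the IDs those files are owned by.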
Miguel Medalha
2015-Feb-21 23:38 UTC
[Samba] Winbind backend : rid is too much underappreciated
> My domain admin at work has UID 30253. I haven't seen any problems yet.
> ACLs on Linux-Samba servers are set as root using POSIX ACLs. On windows
> servers it's done the windows way without any problems. I can administer
> my Samba printserver by granting privileges like described in the Wiki.
> Haven't seen any problems since setup 2.5 years.

I understand that. My problems came from using the Samba AD Domain Controller as a file server. In this particular case I could not avoid it, for reasons that would take too much effort to explain. When I later had to join a member server to the network, things started to complicate.

In this case I don't need any Active Directory users to have a shell on the Linux servers, including administrators. Root will do. I am not using POSIX ACLs either. I use acl_xattr only. All clients in the network are Windows machines, only servers are Linux.