On 01/02/16 19:20, Rowland penny wrote:
> Yes, the DCs and domain members work differently. On a DC, Windows users
> are mapped to Unix users in 'idmap.ldb', this is where you will find the
> xidNumber attributes. On a domain member, the users are mapped via
> winbind and there are several backends available, though only two are
> really used, the 'ad' & 'rid' backends. If you use the 'ad' backend, you
> will have to give all users, that you want to be visible to Unix, a
> uidNumber attribute and Domain Users (at least) a gidNumber. If you use
> the 'rid' backend, you do not have to add anything to AD, but you may
> want to add the 'template' lines to smb.conf on the domain member (see
> man smb.conf).

Sounds like the 'rid' backend may prove more flexible in many ways. I take it that using the 'rid' backend, I still get group membership information and other metadata provided?

Alternatively, is there a flag I can pass to `samba-tool` that would automatically assign a uidNumber as this is what smbldap-tools and the good ol'e useradd tools did. (e.g. adding one to the last allocated UID. Or using xidNumber, since that works too for our needs.)

> You may also want to investigate using a later version of Samba, the
> version available from Ubuntu is old and in fact when Samba 4.4.0 comes
> out (due start of March), the 4.1.x series will go EOL. You could use
> the latest freely available Sernet version, this will get you 4.2.x, or
> you could very easily compile Samba yourself, if you go down this path,
> you can get the latest version.

Indeed, the fun of using the stable branch of a Linux distribution. If I had my way, we'd be running Gentoo and thus have the latest Samba by default.

I'll have a look at the Sernet and see if there's any other Samba backports to Ubuntu 14.04 -- I can't be the only one facing this issue. (Probably wouldn't be hard to nick the deb sources from the upcoming Ubuntu 16.04 and re-compile them on 14.04 too.)

Regards,
--
Stuart Longland - Systems Engineer
38b Douglas Street, Milton QLD 4064
T: +61 7 3535 9619
F: +61 7 3535 9699
http://www.vrt.com.au

On 01/02/16 20:44, Stuart Longland wrote:
> On 01/02/16 19:20, Rowland penny wrote:
>> Yes, the DCs and domain members work differently. On a DC, Windows users
>> are mapped to Unix users in 'idmap.ldb', this is where you will find the
>> xidNumber attributes. On a domain member, the users are mapped via
>> winbind and there are several backends available, though only two are
>> really used, the 'ad' & 'rid' backends. If you use the 'ad' backend, you
>> will have to give all users, that you want to be visible to Unix, a
>> uidNumber attribute and Domain Users (at least) a gidNumber. If you use
>> the 'rid' backend, you do not have to add anything to AD, but you may
>> want to add the 'template' lines to smb.conf on the domain member (see
>> man smb.conf).
> Sounds like the 'rid' backend may prove more flexible in many ways. I
> take it that using the 'rid' backend, I still get group membership
> information and other metadata provided?

Yes, the differences between the 'ad' & 'rid' backends are:

With the 'ad' backend, you get to use the full range of rfc2307 attributes; with the 'rid' backend you only get to use the uidNumber & gidNumber attributes, there is however 'template shell' & 'template homedirectory' lines you can put into smb.conf.

>
> Alternatively, is there a flag I can pass to `samba-tool` that would
> automatically assign a uidNumber as this is what smbldap-tools and the
> good ol'e useradd tools did. (e.g. adding one to the last allocated
> UID. Or using xidNumber, since that works too for our needs.)

xidNumber attributes are only used on a DC, they are used nowhere else.

I proposed a patch to samba-tool to make it do what you require, the patch was declined, I understand the reason why, but there is nothing stopping you writing your own script or using ADUC on a Windows client.

>> You may also want to investigate using a later version of Samba, the
>> version available from Ubuntu is old and in fact when Samba 4.4.0 comes
>> out (due start of March), the 4.1.x series will go EOL. You could use
>> the latest freely available Sernet version, this will get you 4.2.x, or
>> you could very easily compile Samba yourself, if you go down this path,
>> you can get the latest version.
> Indeed, the fun of using the stable branch of a Linux distribution. If
> I had my way, we'd be running Gentoo and thus have the latest Samba by
> default.
>
> I'll have a look at the Sernet and see if there's any other Samba
> backports to Ubuntu 14.04 -- I can't be the only one facing this issue.
> (Probably wouldn't be hard to nick the deb sources from the upcoming
> Ubuntu 16.04 and re-compile them on 14.04 too.)

There are later versions available from Sernet, but these require a subscription. Ubuntu relies on Debian and whilst there is a later version in Debian Experimental, it hasn't got any further than that.

Compiling it yourself is fairly easy and it will install to /usr/local/samba.

Rowland

> Regards,

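
[Added example, not part of the thread and not code from Samba or from either poster.] The sketch below contrasts how a Unix ID comes about under the two backends discussed above: the 'rid' backend derives it from the SID using the formula documented in idmap_rid(8), while the 'ad' backend needs a uidNumber that somebody allocates, here by a "last allocated plus one" helper that refuses duplicates. The function names, the ID range and the directory entries are assumptions made for the illustration.

```python
# Added illustration: the range, SIDs and directory entries are constructed.
ID_RANGE = (10000, 999999)  # assumed "idmap config DOMAIN : range" value

SAMPLE_ENTRIES = [  # constructed AD users; carol has no uidNumber yet
    {"sAMAccountName": "alice", "objectSid": "S-1-5-21-1-2-3-1104", "uidNumber": 10000},
    {"sAMAccountName": "bob", "objectSid": "S-1-5-21-1-2-3-1105", "uidNumber": 10001},
    {"sAMAccountName": "carol", "objectSid": "S-1-5-21-1-2-3-1106"},
]


def rid_backend_uid(sid, id_range=ID_RANGE, base_rid=0):
    """'rid' backend: ID = RID - BASE_RID + LOW_RANGE_ID, nothing stored in AD."""
    rid = int(sid.rsplit("-", 1)[1])
    low, high = id_range
    uid = rid - base_rid + low
    if rid < base_rid or uid > high:
        return None  # falls outside the configured range, so it stays unmapped
    return uid


def next_uid_number(entries, id_range=ID_RANGE):
    """'ad' backend: choose the next free uidNumber, useradd-style."""
    low, high = id_range
    owners = {}
    for entry in entries:
        uid = entry.get("uidNumber")
        if uid is None:
            continue  # account is not visible to Unix yet
        if uid in owners:
            # A shared UID means shared file ownership on every domain member.
            raise ValueError(f"uidNumber {uid}: {owners[uid]} and {entry['sAMAccountName']}")
        owners[uid] = entry["sAMAccountName"]
    candidate = max((u for u in owners if low <= u <= high), default=low - 1) + 1
    if candidate > high:
        raise ValueError("no free uidNumber left in the idmap range")
    return candidate


if __name__ == "__main__":
    for user in SAMPLE_ENTRIES:
        print(user["sAMAccountName"], "rid ->", rid_backend_uid(user["objectSid"]),
              "| ad ->", user.get("uidNumber", "unset"))
    print("next uidNumber for the 'ad' backend:", next_uid_number(SAMPLE_ENTRIES))
```
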
On 02/02/16 07:30, Rowland penny wrote:
>> I'll have a look at the Sernet and see if there's any other Samba
>> backports to Ubuntu 14.04 -- I can't be the only one facing this issue.
>> (Probably wouldn't be hard to nick the deb sources from the upcoming
>> Ubuntu 16.04 and re-compile them on 14.04 too.)
> There are later versions available from Sernet, but these require a
> subscription. Ubuntu relies on Debian and whilst there is a later
> version in Debian Experimental, it hasn't got any further than that.
>
> Compiling it yourself is fairly easy and it will install to
> /usr/local/samba.

Yeah, that's an option too. At the moment I've got my desktop at home running two LXC instances, one Ubuntu 14.04, the other 16.04 beta, and I'm grabbing sources with one using `apt-get source` and doing builds on the other with `dpkg-buildpackage`.

I'll be building samba-4.3.3+dfsg shortly for AMD64, and I'll happily provide the .debs if anyone here is interested.
--
Stuart Longland - Systems Engineer
38b Douglas Street, Milton QLD 4064
T: +61 7 3535 9619
F: +61 7 3535 9699
http://www.vrt.com.au