Rowland Penny via samba wrote:
> On Sat, 05 Nov 2016 12:15:49 -0700
> Linda W via samba <samba at lists.samba.org> wrote:
>
>> Is there a target date for when the 4.x server will be able to
>> support 1 samba instance being the domain controller and serving files
>> as the 3.x server is able to do?
>
> You can already do this.
---
The 4.x server will serve files as well or better than the 3.6.x servers?

>> I have been waiting for the 4.x server to become a full server
>> before upgrading from 3.6.22, but it is getting a bit long in the
>> tooth. The requirement that in upgrading to 4.x I'll still need to run
>> a 3.6 server made the upgrade seem like a lot of work for little gain
>> (I only have a few users and most of them are "virtual me's"...).
>
> Samba 4 is capable of being a full AD DC.
---
But is it capable of being a full 3.6.xx file server with the same
flexibility in mapping Windows IDs to local Unix IDs?

For example, I have the security groupings in my server's /etc/group file:

    Low Mandatory Level:!:11604096:
    Medium Mandatory Level:!:11608192:
    Medium Plus Mandatory Level:!:11608448:
    High Mandatory Level:!:11612288:
    System Mandatory Level:!:11616384:root

on the server, so when I login to windows and bring up cygwin, I see my
security label in my group listing. I have several Win-builtin and
well-known ID ranges mapped to unix-ID ranges and that works (at least for
identification purposes -- you can't force a Mandatory-level your user id
doesn't already have in windows, but it will show ones you do have if there
is a label for them in "winbind"). I use winbind to provide a single sign-on
from linux or win with the file ownerships being the same for domain RIDs on
linux and on windows (win7).

> If you use the DC as a fileserver, then there are a few minor problems
> you need to work around, mostly to do with IDs
----
"Minor problems" -- enough so that it is recommended to run them on
separate machines?

I have a rather useful Domain server that can return many or most of the
MS-builtins as well as "well-known" domain IDs... Winbind also provides the
logins for linux, so I have a single login on linux and win ("domain\login"
on Win = login on my server for the most part, though if I login from
win->linux w/ssh, I do have to accept and map domain\login => login in
/etc/passwd, for example).

Consistent with having the same IDs is the ability of my win-userIDs to
access the same files on the server as they can when logged into the server.
I only have single-user access to my Win-shares mounted on linux, as I
haven't written a good CIFS-upcall handler to allow multi-user, but that's
not a pressing need.

I'd like my 4.x config to be at least as flexible as what I have now...
that should be easy, right? (*wincing*)...

Thanks!
-linda
On Wed, 09 Nov 2016 15:20:41 -0800
Linda W <samba at tlinx.org> wrote:

> Rowland Penny via samba wrote:
> > On Sat, 05 Nov 2016 12:15:49 -0700
> > Linda W via samba <samba at lists.samba.org> wrote:
> >
> >> Is there a target date for when the 4.x server will be able to
> >> support 1 samba instance being the domain controller and serving
> >> files as the 3.x server is able to do?
> >
> > You can already do this.
> >
> ---
> The 4.x server will serve files as well or better
> than the 3.6.x servers?

It should work the same, after all, it is using the same code.

> >> I have been waiting for the 4.x server to become a full server
> >> before upgrading from 3.6.22, but it is getting a bit long in the
> >> tooth. The requirement that in upgrading to 4.x I'll still need to
> >> run a 3.6 server made the upgrade seem like a lot of work for
> >> little gain (I only have a few users and most of them are "virtual
> >> me's"...).
> >
> > Samba 4 is capable of being a full AD DC.
> >
> ---
> But is it capable of being a full 3.6.xx file server with the
> same flexibility in mapping Windows IDs to local Unix IDs?

This is the 'old' way of doing things and Microsoft seems to be trying
to make it harder and harder to work with non-AD servers. So no, you
don't map windows users to local Unix users, you make them local Unix
users.

> For example, I have the security groupings in my server's
> /etc/group file:
>
>     Low Mandatory Level:!:11604096:
>     Medium Mandatory Level:!:11608192:
>     Medium Plus Mandatory Level:!:11608448:
>     High Mandatory Level:!:11612288:
>     System Mandatory Level:!:11616384:root
>
> on the server, so when I login to windows and bring up cygwin,
> I see my security label in my group listing. I have several
> Win-builtin and well-known ID ranges mapped to unix-ID ranges and
> that works (at least for identification purposes -- you can't
> force a Mandatory-level your user id doesn't already have in windows,
> but it will show ones you do have if there is a label for them
> in "winbind"). I use winbind to provide a single sign-on from
> linux or win with the file ownerships being the same for domain RIDs
> on linux and on windows (win7).

Just create the groups in AD and you probably won't need cygwin.

> > If you use the DC as a fileserver, then there are a few minor
> > problems you need to work around, mostly to do with IDs
> >
> ----
> "Minor problems" -- enough so that it is recommended to run them
> on separate machines?

OK, the main visible problems are: a DC uses xidNumbers by default,
these are all in the '3000000' range and any Unix domain members will
get different IDs. You can work around this by giving Domain users &
groups a uidNumber or gidNumber; this way, they all get the same ID
everywhere in Unixland.
You cannot use the login shell & Unix home directory attributes from AD
on a DC, you have to use template lines in smb.conf.

> I have a rather useful Domain server that can return many or
> most of the MS-builtins as well as "well-known" domain IDs...
> Winbind also provides the logins for linux, so I have a single
> login on linux and win ("domain\login" on Win = login on my server for
> the most part, though if I login from win->linux w/ssh, I do have
> to accept and map domain\login => login in /etc/passwd, for example).

You don't really need most of the BUILTIN users & groups to be visible
to Unix, winbind will silently map them for you with 'idmap config
*:backend = tdb'

> Consistent with having the same IDs is the ability of
> my win-userIDs to access the same files on the server as they can when
> logged into the server. I only have single-user access to
> my Win-shares mounted on linux, as I haven't written a good
> CIFS-upcall handler to allow multi-user, but that's not a pressing
> need.

You can have consistent IDs and with a single point of administration.

> I'd like my 4.x config to be at least as flexible as what
> I have now... that should be easy, right? (*wincing*)...
> Thanks!

No, you probably can't have it as easy as you have it now, with AD you
can have it easier ;-)

Rowland
Rowland Penny via samba wrote:
> On Wed, 09 Nov 2016 15:20:41 -0800
> Linda W <samba at tlinx.org> wrote:
>
>>>> I have been waiting for the 4.x server to become a full server
>>>> before upgrading from 3.6.22, but it is getting a bit long in the
>>>> tooth. The requirement that in upgrading to 4.x I'll still need to
>>>> run a 3.6 server made the upgrade seem like a lot of work for
>>>> little gain (I only have a few users and most of them are "virtual
>>>> me's"...).
>>>
>>> Samba 4 is capable of being a full AD DC.
>>>
>> ---
>> But is it capable of being a full 3.6.xx file server with the
>> same flexibility in mapping Windows IDs to local Unix IDs?
>
> This is the 'old' way of doing things and Microsoft seems to be trying
> to make it harder and harder to work with non-AD servers.
----
Yeah... lovely.

> So no, you don't map windows users to local Unix users, you make them
> local Unix users.
----
But I can create unix IDs that are not windows domain IDs. Various
software packages installed on the server want their own ID -- and many of
those have nothing to do with Windows. If I create the ID from windows, it
creates a unix ID as well -- so I think that's already being done, though
not always automatically -- especially if I have an existing unix ID that I
want to have available on windows.

>> For example, I have the security groupings in my server's
>> /etc/group file:
>>
>>     Low Mandatory Level:!:11604096:
>>     Medium Mandatory Level:!:11608192:
>>     Medium Plus Mandatory Level:!:11608448:
>>     High Mandatory Level:!:11612288:
>>     System Mandatory Level:!:11616384:root
>>
>> on the server, so when I login to windows and bring up cygwin,
>> I see my security label in my group listing. I have several
>> Win-builtin and well-known ID ranges mapped to unix-ID ranges and
>> that works (at least for identification purposes -- you can't
>> force a Mandatory-level your user id doesn't already have in windows,
>> but it will show ones you do have if there is a label for them
>> in "winbind"). I use winbind to provide a single sign-on from
>> linux or win with the file ownerships being the same for domain RIDs
>> on linux and on windows (win7).
>
> Just create the groups in AD and you probably won't need cygwin.
----
I don't need cygwin. It is handy for printing out all the IDs associated
with a login -- including the mandatory labels. All of that isn't in one
place on windows -- I used cygwin as an example as it's an easy way to
verify what groups are associated with my ID, which for Domain groups, you
can't easily see in Windows (maybe you can w/AD, dunno).

>>> If you use the DC as a fileserver, then there are a few minor
>>> problems you need to work around, mostly to do with IDs
>>>
>> ----
>> "Minor problems" -- enough so that it is recommended to run them
>> on separate machines?
>
> OK, the main visible problems are: a DC uses xidNumbers by default,
> these are all in the '3000000' range and any Unix domain members will
> get different IDs. You can work around this by giving Domain users &
> groups a uidNumber or gidNumber; this way, they all get the same ID
> everywhere in Unixland.
> You cannot use the login shell & Unix home directory attributes from AD
> on a DC, you have to use template lines in smb.conf.
---
Why not? Can't I configure that range?... FWIW, though, right now my IDs
all map to the same range (as I don't rely on auto-allocation), like
"idmap config *:range = 0-999999999" -- just wanted to make it include all
of my mapped ranges.

I'm not averse to solving things w/symlinks or mounts on unix. For
example, I have Athenae's (one of my win machines) disk mounted at
'/Athenae' on my unix machine. When I use 'ls -l' on that dir, I see links
on my win-machine that map to corresponding locations on my unix machine,
like:

    l--------- 1 0 Sep 24 14:55 D -> /??/UNC/Bliss/Documents/
    l--------- 1 0 Jun 13 18:40 Documents -> /??/UNC/Bliss/Documents/

I.e. the links work the same whether you are on the windows or the linux
machine. Only works for me at this point, but since I'm the only person who
works on the unix machine, that's fine at this point.

> You don't really need most of the BUILTIN users & groups to be visible
> to Unix, winbind will silently map them for you with 'idmap config
> *:backend = tdb'
---
I need them visible if I want them to display on the Win machines in
security dialogs showing users or groups from the domain. I.e. I generally
see all of the available IDs on my server -- which is good, as I don't
remember them all, and they aren't visible on my workstation. So
configuring the server to enumerate them when I ask for all IDs of a type
is very convenient if not essential (at least for me, as I don't use all of
them often enough to remember them).

> No, you probably can't have it as easy as you have it now, with AD you
> can have it easier ;-)
----
For those that already know all the ins and outs, it's "obvious", for
those who don't -- it's magic... (akin to sufficiently advanced technology
looking like magic... ;-)).
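Rowland's point about the DC's 3000000-range xidNumbers and the "idmap config *:range" line in Linda's reply both come down to the same two checks: the idmap ranges in smb.conf must not overlap, and the GIDs you expect clients to see (here, the Mandatory Level groups from /etc/group) must fall inside one of them. The script below is an added example, not code from the thread or from Samba; the smb.conf fragment, the SAMDOM and BUILTIN domain names and the /etc/group lines are constructed samples.

```python
# Added example (not from the thread): check Samba idmap ranges for overlap and find
# local groups, like the Mandatory Level GIDs quoted above, that no range covers.
import re
# Constructed smb.conf fragment for a domain member. SAMDOM and BUILTIN overlap on
# purpose; the '*' range sits in the 3000000 region a DC allocates by default.
SAMPLE_SMB_CONF = """
[global]
    idmap config * : backend = tdb
    idmap config * : range = 3000000-3999999
    idmap config SAMDOM : range = 10000-999999
    idmap config BUILTIN : range = 500000-1999999
"""
# Constructed /etc/group; the Mandatory Level lines are the ones quoted in the thread.
SAMPLE_ETC_GROUP = """\
root:x:0:
Low Mandatory Level:!:11604096:
Medium Mandatory Level:!:11608192:
Medium Plus Mandatory Level:!:11608448:
High Mandatory Level:!:11612288:
System Mandatory Level:!:11616384:root
"""
# Accepts both "idmap config * : range = a-b" and the "idmap config *:range = a-b" spelling.
RANGE_RE = re.compile(r"^\s*idmap config\s+([^\s:]+)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)\s*$", re.I)

def parse_idmap_ranges(conf):
    # {DOMAIN: (low, high)} for every idmap range line in the config text
    ranges = {}
    for line in conf.splitlines():
        m = RANGE_RE.match(line)
        if m:
            ranges[m.group(1).upper()] = (int(m.group(2)), int(m.group(3)))
    return ranges

def overlapping_ranges(ranges):
    # Domain pairs whose ranges share an ID; Samba requires idmap ranges to be disjoint
    names = sorted(ranges)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if ranges[a][0] <= ranges[b][1] and ranges[b][0] <= ranges[a][1]]

def unmapped_groups(etc_group, ranges, min_gid=1000):
    # Groups at or above min_gid (local system groups skipped) that no range covers:
    # winbind cannot hand these GIDs to a client, so ownership differs between hosts
    found = []
    for line in etc_group.splitlines():
        fields = line.split(":")
        if len(fields) < 3 or not fields[2].isdigit():
            continue
        gid = int(fields[2])
        if gid >= min_gid and not any(lo <= gid <= hi for lo, hi in ranges.values()):
            found.append((fields[0], gid))
    return found
```

With the sample config the SAMDOM and BUILTIN ranges are reported as overlapping and all five Mandatory Level groups as unmapped; widening the '*' range to 0-999999999, as Linda's smb.conf does, makes the unmapped list empty.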