On Sat, 21 Jan 2017 18:05:52 +0000
Alex Crow via samba <samba at lists.samba.org> wrote:

> Yes, this does not make sense.
>
> If I have member file servers, and I want to be in control of which
> groups can access what, surely winbind needs to be able to get a GID
> from AD?
>
> It may be different in our case as we migrated from classic Samba, but
> every non-builtin group we have has a GID assigned and it works
> perfectly. Indeed, if I create a new group without assigning a Unix
> GID, it is not even visible on the member file servers, so IMHO the
> advice you've been given is not correct. Your non-builtin groups that
> you use for file access controls must have a GID number if you're
> using rfc idmap.
>
> I understand that idmap configuration is not usable on a DC.
>
> Cheers
>
> Alex

OK, let's have a look at the 'idmap config' lines on a Unix domain member:

idmap config *:backend = tdb
idmap config *:range = 2000-9999
## map ids from the domain the ranges may not overlap !
idmap config SAMDOM : backend = ad
idmap config SAMDOM : schema_mode = rfc2307
idmap config SAMDOM : range = 10000-999999

Now if a user has a uidNumber inside '10000-999999', or a group has a
gidNumber inside the same range AND Domain Users has a gidNumber, then
they will be shown as members of the 'SAMDOM' domain. Anything else, and
this includes the Well Known SIDs shown here:

https://support.microsoft.com/en-us/help/243330/well-known-security-identifiers-in-windows-operating-systems

will be mapped to the '*' domain using the '2000-9999' range.

Just because 'getent' doesn't show the user or group, doesn't mean
winbind isn't aware who they are.

What you have to ask yourself is 'does Unix have to know who this
Windows user or group is?'

Rowland
I am still slightly confused here. I set these options on the domain
members (no clue how on earth to do this on a NAS) but how does it match
up? I would think the server has to have the UID/GID info so each
workstation has the same UID/GID for whatever user or group. If user A
logs into station 1 and gets the first UID there, but he is the second
user to log in to station 2, he gets the second UID there. Am I missing
the big picture here?

Lead IT/IS Specialist
Reach Technology FP, Inc

On 01/21/2017 01:40 PM, Rowland Penny via samba wrote:
> On Sat, 21 Jan 2017 18:05:52 +0000
> Alex Crow via samba <samba at lists.samba.org> wrote:
>
>> Yes, this does not make sense.
>>
>> If I have member file servers, and I want to be in control of which
>> groups can access what, surely winbind needs to be able to get a GID
>> from AD?
>>
>> It may be different in our case as we migrated from classic Samba, but
>> every non-builtin group we have has a GID assigned and it works
>> perfectly. Indeed, if I create a new group without assigning a Unix
>> GID, it is not even visible on the member file servers, so IMHO the
>> advice you've been given is not correct. Your non-builtin groups that
>> you use for file access controls must have a GID number if you're
>> using rfc idmap.
>>
>> I understand that idmap configuration is not usable on a DC.
>>
>> Cheers
>>
>> Alex
>
> OK, let's have a look at the 'idmap config' lines on a Unix domain
> member:
>
> idmap config *:backend = tdb
> idmap config *:range = 2000-9999
> ## map ids from the domain the ranges may not overlap !
> idmap config SAMDOM : backend = ad
> idmap config SAMDOM : schema_mode = rfc2307
> idmap config SAMDOM : range = 10000-999999
>
> Now if a user has a uidNumber inside '10000-999999', or a group has a
> gidNumber inside the same range AND Domain Users has a gidNumber, then
> they will be shown as members of the 'SAMDOM' domain. Anything else, and
> this includes the Well Known SIDs shown here:
>
> https://support.microsoft.com/en-us/help/243330/well-known-security-identifiers-in-windows-operating-systems
>
> will be mapped to the '*' domain using the '2000-9999' range.
>
> Just because 'getent' doesn't show the user or group, doesn't mean
> winbind isn't aware who they are.
>
> What you have to ask yourself is 'does Unix have to know who this
> Windows user or group is?'
>
> Rowland
On Sat, 21 Jan 2017 19:15:51 -0500
Ryan Ashley via samba <samba at lists.samba.org> wrote:

> I am still slightly confused here. I set these options on the domain
> members (no clue how on earth to do this on a NAS) but how does it
> match up? I would think the server has to have the UID/GID info so
> each workstation has the same UID/GID for whatever user or group. If
> user A logs into station 1 and gets the first UID there, but he is
> the second user to log in to station 2, he gets the second UID there.
> Am I missing the big picture here?

Whilst you can give a workstation a uidNumber, it isn't really needed,
but if you feel you must, then you will also need to give the
workstation's primary group 'Domain Computers' a gidNumber.

If you are using the winbind 'ad' backend, then (provided 'Domain Users'
has a gidNumber and the same 'idmap config' lines are used on all Unix
domain members) your users (that have a uidNumber) should get the same
UID on every Unix domain member; the same goes for groups.

There is also the winbind 'rid' backend; this calculates the user or
group ID from the user/group RID, and again (provided the same 'idmap
config' lines are used on all Unix domain members) the IDs will be the
same. The only problem with using the 'rid' backend is that it cannot be
used on a DC. This means that the only way to get the same user or group
ID on all Unix computers is to use the 'ad' backend.

I have no idea how to set up your NAS, mainly because I don't know what
NAS you are using, but you will probably have to manually edit the
smb.conf.

Rowland
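To make the two rules in this thread concrete (the 'ad' backend's range and 'Domain Users' conditions from the earlier reply, and the 'rid' calculation from this one), here is an added example that is not from the thread or from Samba itself: it parses 'idmap config' lines from an smb.conf fragment, flags overlapping ranges, and predicts the Unix ID each backend would produce on a member. The function names, the constructed smb.conf fragment and the 'rid' formula (ID = range low + RID, Samba's documented idmap_rid behaviour with the default base_rid of 0) are my assumptions, not text from the thread.

```python
import re

# Constructed input (not the thread's actual smb.conf): Rowland's 'idmap config' lines.
MEMBER_CONF = """
idmap config *:backend = tdb
idmap config *:range = 2000-9999
idmap config SAMDOM : backend = ad
idmap config SAMDOM : schema_mode = rfc2307
idmap config SAMDOM : range = 10000-999999
"""
IDMAP_RE = re.compile(r"^\s*idmap\s+config\s+([^:\s]+)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.I)

def parse_idmap(conf):
    """Return {DOMAIN: {option: value}} for every 'idmap config' line in conf."""
    domains = {}
    for line in conf.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            domains.setdefault(m.group(1).upper(), {})[m.group(2).lower()] = m.group(3)
    return domains

def parse_range(spec):
    return tuple(int(x) for x in spec.split("-"))  # (low, high)

def overlapping_ranges(domains):
    """Pairs of domains whose ranges overlap; winbind requires them to be disjoint."""
    ranges = {d: parse_range(o["range"]) for d, o in domains.items() if "range" in o}
    names = sorted(ranges)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if ranges[a][0] <= ranges[b][1] and ranges[b][0] <= ranges[a][1]]

def idmap_domain_for(domains, sid_domain):
    """SIDs from a domain with no block of its own (BUILTIN, well-known SIDs) go to '*'."""
    return sid_domain.upper() if sid_domain.upper() in domains else "*"

def map_ad_id(domains, domain, ad_id):
    """'ad' backend: the rfc2307 uidNumber/gidNumber counts only inside the domain's range."""
    low, high = parse_range(domains[domain]["range"])
    return ad_id if ad_id is not None and low <= ad_id <= high else None

def map_ad_user(domains, domain, uid_number, primary_gid_number):
    """Usable only if the uidNumber AND the primary group's (Domain Users) gidNumber map."""
    uid = map_ad_id(domains, domain, uid_number)
    gid = map_ad_id(domains, domain, primary_gid_number)
    return (uid, gid) if uid is not None and gid is not None else None

def map_rid_id(domains, domain, rid):
    """'rid' backend: ID = range low + RID (base_rid 0); same lines => same ID everywhere."""
    low, high = parse_range(domains[domain]["range"])
    return low + rid if low + rid <= high else None
```

Because the 'ad' result depends only on the attribute value and the range, and the 'rid' result only on the RID and the range, any two members with identical 'idmap config' lines agree on every ID; the '*' domain's tdb allocations are the one part that is per-member and not predictable from the config alone.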