All,

We have a samba3 domain which provides logon services for Windows clients, and several cifs shares, some for Windows clients and some for linux servers to mount. I am testing samba 4.5.4 in a lab to understand all that needs to happen for a migration to AD on samba4.

During testing we bumped up against winbind config for linux member servers. Since we want users to authenticate against AD, the choice of back ends is tdb for the BUILTIN accounts, and ad for our domain.

User accounts have unix UIDs / GIDs assigned and we configured the ad backend range to match the range of UIDs / GIDs. But I don't understand how to map the BUILTIN accounts in tdb. I noticed by checking on the AD server that BUILTINs have values starting at 30000000, for example 3000007 (BUILTIN\users).

So what is a sensible mapping for the BUILTIN accounts / groups? Or better yet, why not just let it be at the values hardcoded on the AD server?

I need an algorithm that explains how to arrive at a workable range.

This is the relevant section from smb.conf, which, btw, works fine from what I can tell.

idmap config * : backend = tdb
idmap config * : range = 30000-40000

idmap config MYDOM:backend = ad
idmap config MYDOM:range = 10000-20000
idmap config MYDOM:schema_mode = rfc2307

winbind nss info = rfc2307
winbind use default domain = yes

Thanks,
-Mike
On Fri, 27 Jan 2017 20:50:48 +0000 (UTC) Mircea Husz via samba <samba at lists.samba.org> wrote:

> All,
>
> We have a samba3 domain which provides logon services for Windows
> clients, and several cifs shares, some for Windows clients and some
> for linux servers to mount. I am testing samba 4.5.4 in a lab to
> understand all that needs to happen for a migration to AD on samba4.
>
> During testing we bumped up against winbind config for linux member
> servers. Since we want users to authenticate against AD, the choice
> of back ends is tdb for the BUILTIN accounts, and ad for our domain.
>
> User accounts have unix UIDs / GIDs assigned and we configured the ad
> backend range to match the range of UIDs / GIDs. But I don't
> understand how to map the BUILTIN accounts in tdb. I noticed by
> checking on the AD server that BUILTINs have values starting at
> 30000000, for example 3000007 (BUILTIN\users).
>
> So what is a sensible mapping for the BUILTIN accounts / groups? Or
> better yet, why not just let it be at the values hardcoded on the AD
> server?
>
> I need an algorithm that explains how to arrive at a workable range.
>
> This is the relevant section from smb.conf, which, btw, works fine
> from what I can tell.
>
> idmap config * : backend = tdb
> idmap config * : range = 30000-40000
>
> idmap config MYDOM:backend = ad
> idmap config MYDOM:range = 10000-20000
> idmap config MYDOM:schema_mode = rfc2307
>
> winbind nss info = rfc2307
> winbind use default domain = yes
>
> Thanks,
> -Mike

You could use the example ranges shown on the Samba wiki:

https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member

This uses '3000-7999' for the '*' domain (Well Known SIDs etc) and '10000-999999' for the 'MYDOM' domain.

With this you have space below '3000' for any local Unix users you might need; starting the main domain at '10000' is in line with where ADUC on Windows starts them.

You do not need to know the IDs of most of the Well Known SIDs, you only need to give Domain Users a gidNumber containing a number inside the 'MYDOM' range, i.e. '10000'.

Rowland
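A small checker for the idmap layout discussed in this thread, added here as an example and not code from the samba list or the Samba project: it parses the poster's own 'idmap config' lines, flags a missing '*' domain, malformed ranges and any overlap between domain ranges (the Samba wiki requires ranges not to overlap), and confirms that an rfc2307 gidNumber such as the one given to Domain Users falls inside the MYDOM range. The regular expression and the function names are this example's own assumptions, not part of Samba.

```python
import re

# Matches 'idmap config DOMAIN : key = value'; DOMAIN may be '*'.
IDMAP_RE = re.compile(r"^\s*idmap\s+config\s+(?P<dom>[^\s:]+)\s*:\s*"
                      r"(?P<key>\w+)\s*=\s*(?P<val>.+?)\s*$", re.I)

# The idmap lines from the original post in this thread.
POSTER_CONF = """\
idmap config * : backend = tdb
idmap config * : range = 30000-40000
idmap config MYDOM:backend = ad
idmap config MYDOM:range = 10000-20000
idmap config MYDOM:schema_mode = rfc2307
"""

def parse_idmap(conf_text):
    """Return {DOMAIN: {key: value}} for every idmap config line."""
    cfg = {}
    for line in conf_text.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            cfg.setdefault(m["dom"].upper(), {})[m["key"].lower()] = m["val"]
    return cfg

def parse_range(val):
    # 'low-high' -> (low, high); an empty or reversed range is an error.
    lo, hi = (int(x) for x in val.split("-"))
    if lo >= hi:
        raise ValueError(f"empty range {val}")
    return lo, hi

def check_idmap(cfg):
    """List of problems winbind would trip over; empty means sane."""
    problems, ranges = [], {}
    for dom, keys in cfg.items():
        try:
            ranges[dom] = parse_range(keys["range"])
        except (KeyError, ValueError) as e:
            problems.append(f"{dom}: missing or bad range ({e})")
    if "*" not in ranges:
        problems.append("no '*' domain: BUILTIN/well-known SIDs get no ID")
    doms = sorted(ranges)
    for i, a in enumerate(doms):          # every pair of domains must be disjoint
        for b in doms[i + 1:]:
            if ranges[a][0] <= ranges[b][1] and ranges[b][0] <= ranges[a][1]:
                problems.append(f"{a} {ranges[a]} overlaps {b} {ranges[b]}")
    return problems

def id_in_domain_range(cfg, dom, number):
    """True if an rfc2307 uidNumber/gidNumber lies inside dom's idmap range."""
    lo, hi = parse_range(cfg[dom.upper()]["range"])
    return lo <= number <= hi
```

Run it against the smb.conf of a member server before joining; the same check shows why the AD server's own 3000007-style xidNumbers are outside both ranges and are therefore not what the member server hands out.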
Hi Rowland,

Thank you for the explanation. Allow me to press the point, I'd like to understand what I'm doing. Is there value in me remapping them from their 3000000 - range default as I see it on the AD server? What is the reason for specifying a lower range such as 3000-7999 ?

Thank you,
-Mike

On Friday, January 27, 2017 3:42 PM, Rowland Penny via samba <samba at lists.samba.org> wrote:

On Fri, 27 Jan 2017 20:50:48 +0000 (UTC) Mircea Husz via samba <samba at lists.samba.org> wrote:

> All,
>
> We have a samba3 domain which provides logon services for Windows
> clients, and several cifs shares, some for Windows clients and some
> for linux servers to mount. I am testing samba 4.5.4 in a lab to
> understand all that needs to happen for a migration to AD on samba4.
>
> During testing we bumped up against winbind config for linux member
> servers. Since we want users to authenticate against AD, the choice
> of back ends is tdb for the BUILTIN accounts, and ad for our domain.
>
> User accounts have unix UIDs / GIDs assigned and we configured the ad
> backend range to match the range of UIDs / GIDs. But I don't
> understand how to map the BUILTIN accounts in tdb. I noticed by
> checking on the AD server that BUILTINs have values starting at
> 30000000, for example 3000007 (BUILTIN\users).
>
> So what is a sensible mapping for the BUILTIN accounts / groups? Or
> better yet, why not just let it be at the values hardcoded on the AD
> server?
>
> I need an algorithm that explains how to arrive at a workable range.
>
> This is the relevant section from smb.conf, which, btw, works fine
> from what I can tell.
>
> idmap config * : backend = tdb
> idmap config * : range = 30000-40000
>
> idmap config MYDOM:backend = ad
> idmap config MYDOM:range = 10000-20000
> idmap config MYDOM:schema_mode = rfc2307
>
> winbind nss info = rfc2307
> winbind use default domain = yes
>
> Thanks,
> -Mike

You could use the example ranges shown on the Samba wiki:

https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member

This uses '3000-7999' for the '*' domain (Well Known SIDs etc) and '10000-999999' for the 'MYDOM' domain.

With this you have space below '3000' for any local Unix users you might need; starting the main domain at '10000' is in line with where ADUC on Windows starts them.

You do not need to know the IDs of most of the Well Known SIDs, you only need to give Domain Users a gidNumber containing a number inside the 'MYDOM' range, i.e. '10000'.

Rowland