Hi Roland,

Thank you for the explanation.
Allow me to press the point, I'd like to understand what I'm doing.
Is there value in me remapping them from their 3000000-range default as I see it on the AD server? What is the reason for specifying a lower range such as 3000-7999?

Thank you,
-Mike

On Friday, January 27, 2017 3:42 PM, Rowland Penny via samba <samba at lists.samba.org> wrote:

On Fri, 27 Jan 2017 20:50:48 +0000 (UTC)
Mircea Husz via samba <samba at lists.samba.org> wrote:

> All,
>
> We have a samba3 domain which provides logon services for Windows clients, and several cifs shares, some for Windows clients and some for linux servers to mount. I am testing samba 4.5.4 in a lab to understand all that needs to happen for a migration to AD on samba4.
>
> During testing we bumped up against winbind config for linux member servers. Since we want users to authenticate against AD, the choice of back ends is tdb for the BUILTIN accounts, and ad for our domain.
>
> User accounts have unix UIDs / GIDs assigned and we configured the ad backend range to match the range of UIDs / GIDs. But I don't understand how to map the BUILTIN accounts in tdb. I noticed by checking on the AD server that BUILTINs have values starting at 30000000, for example 3000007 (BUILTIN\users).
>
> So what is a sensible mapping for the BUILTIN accounts / groups? Or better yet, why not just let it be at the values hardcoded on the AD server?
>
> I need an algorithm that explains how to arrive at a workable range.
>
> This is the relevant section from smb.conf, which, btw, works fine from what I can tell.
>
> idmap config * : backend = tdb
> idmap config * : range = 30000-40000
>
> idmap config MYDOM:backend = ad
> idmap config MYDOM:range = 10000-20000
> idmap config MYDOM:schema_mode = rfc2307
>
> winbind nss info = rfc2307
> winbind use default domain = yes
>
>
> Thanks,
> -Mike
>

You could use the example ranges shown on the Samba wiki:

https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member

This uses '3000-7999' for the '*' domain (Well Known SIDs etc) and '10000-999999' for the 'MYDOM' domain. With this you have space below '3000' for any local Unix users you might need; starting the main domain at '10000' is in line with where ADUC on Windows starts them.

You do not need to know the IDs of most of the Well Known SIDs, you only need to give Domain Users a gidNumber containing a number inside the 'MYDOM' range, i.e. '10000'.

Rowland

-- 
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
On Fri, 27 Jan 2017 22:00:11 +0000 (UTC)
Mircea Husz <mirceahusz at yahoo.com> wrote:

> Hi Roland,
>
> Thank you for the explanation.
> Allow me to press the point, I'd like to understand what I'm doing.
> Is there value in me remapping them from their 3000000 - range

You can use the 3000000 range if you want to, but most people change it. One reason for this is you can (and will) get different IDs on DCs if you use the xidNumbers that a DC creates, so, to be sure you are using the correct IDs, it is easier to change the range you use for the uidNumber & gidNumber attributes.

> default as I see it on the AD server? What is the reason for
> specifying a lower range such as 3000-7999 ?

Good question, most people seem to put the '*' range above the DOMAIN range. Now for most uses this wouldn't be a problem, but if you set the DOMAIN range to '10000-999999' and the '*' range to '1000000-1009999', what will you do if you get to a user that needs the uidNumber 1000000 ??

If the '*' range is below the DOMAIN range, it is easy to just increase the last number in the DOMAIN range and this will have no effect on anything else.

But you can use whatever ranges you like, it is your domain ;-)

Rowland
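As an added example (not from this thread and not Samba's own code), a small Python check for the idmap layout discussed above: it parses the 'idmap config X : range' lines from an smb.conf, flags a '*' range that sits above a domain range (the layout Rowland warns blocks later growth of the domain range), and checks that the Domain Users gidNumber falls inside a domain range. The two sample configs are constructed from Mike's posted config and the wiki ranges Rowland quotes; the gidNumber argument is an assumption for the check.

```python
"""Check winbind idmap ranges in smb.conf (added example, not Samba's code)."""
import re
from typing import Dict, List, Optional, Tuple

RANGE_RE = re.compile(r"^\s*idmap\s+config\s+(?P<dom>\S+?)\s*:\s*range\s*=\s*"
                      r"(?P<lo>\d+)\s*-\s*(?P<hi>\d+)\s*$", re.IGNORECASE)

# Constructed from the thread: Mike's lab config and the wiki-style layout.
MIKE_CONF = """\
idmap config * : backend = tdb
idmap config * : range = 30000-40000
idmap config MYDOM:backend = ad
idmap config MYDOM:range = 10000-20000
"""
WIKI_CONF = """\
idmap config * : backend = tdb
idmap config * : range = 3000-7999
idmap config MYDOM : backend = ad
idmap config MYDOM : range = 10000-999999
"""


def parse_idmap_ranges(conf: str) -> Dict[str, Tuple[int, int]]:
    """Return {domain: (low, high)} for every 'idmap config X : range' line."""
    ranges = {}
    for line in conf.splitlines():
        m = RANGE_RE.match(line)
        if m:
            lo, hi = int(m["lo"]), int(m["hi"])
            if lo >= hi:
                raise ValueError(f"bad range for {m['dom']}: {lo}-{hi}")
            ranges[m["dom"]] = (lo, hi)
    return ranges


def check_idmap(conf: str, domain_users_gid: Optional[int] = None) -> List[str]:
    """Return findings about the range layout; an empty list means it looks sane."""
    ranges = parse_idmap_ranges(conf)
    findings = []
    # Rowland's point: a '*' range above a domain range caps that domain's growth.
    star_lo = ranges.get("*", (None, None))[0]
    for dom, (lo, hi) in ranges.items():
        if dom != "*" and star_lo is not None and hi < star_lo:
            findings.append(f"'*' range starts at {star_lo}, above {dom} {lo}-{hi}: "
                            f"{dom} cannot be extended past {star_lo - 1} without remapping")
    # Domain Users must carry a gidNumber inside the domain's range (assumed input).
    if domain_users_gid is not None and not any(
            lo <= domain_users_gid <= hi for d, (lo, hi) in ranges.items() if d != "*"):
        findings.append(f"Domain Users gidNumber {domain_users_gid} is outside every domain range")
    return findings
```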
That makes sense. I didn't realize that IDs for BUILTIN accounts are not identical between DCs. Since they are not identical they need to be mapped to a consistent set.

Thank you for the explanation.

On Friday, January 27, 2017 4:57 PM, Rowland Penny via samba <samba at lists.samba.org> wrote:

On Fri, 27 Jan 2017 22:00:11 +0000 (UTC)
Mircea Husz <mirceahusz at yahoo.com> wrote:

> Hi Roland,
>
> Thank you for the explanation.
> Allow me to press the point, I'd like to understand what I'm doing.
> Is there value in me remapping them from their 3000000 - range

You can use the 3000000 range if you want to, but most people change it. One reason for this is you can (and will) get different IDs on DCs if you use the xidNumbers that a DC creates, so, to be sure you are using the correct IDs, it is easier to change the range you use for the uidNumber & gidNumber attributes.

> default as I see it on the AD server? What is the reason for
> specifying a lower range such as 3000-7999 ?

Good question, most people seem to put the '*' range above the DOMAIN range. Now for most uses this wouldn't be a problem, but if you set the DOMAIN range to '10000-999999' and the '*' range to '1000000-1009999', what will you do if you get to a user that needs the uidNumber 1000000 ??

If the '*' range is below the DOMAIN range, it is easy to just increase the last number in the DOMAIN range and this will have no effect on anything else.

But you can use whatever ranges you like, it is your domain ;-)

Rowland