Hi Rowland,

Thanks for the help and ideally I would like to get rid of the sub domain all together but that is probably not going to happen.

So a couple of comments and please forgive any of my ignorance.

For your second question, all users in the subdomain who have access to the SAMBA server do have uidNumber set and it matches the uidNumber set in MASTER. Since this is the case, would the overlapping ranges be OK? I saw this post (https://lists.samba.org/archive/samba-technical/2016-December/117567.html) and thought it might indicate it is OK but was not sure?

For 'winbind use default domain = Yes' I thought this would assume the default domain for ssh logins as being the master since I have "idmap config MASTER:default = yes". It appears to work as it allows users to log in without having to specify a domain. Although, if a user from the SUB domain logs in they must specify SUB\user to log in. Is that incorrect? If I remove use default = yes, users of MASTER must also specify their domain during login ... at least that is how it seemed during testing?

Thanks again!

On Wed, Apr 18, 2018 at 10:38 AM, Rowland Penny via samba <samba at lists.samba.org> wrote:
> On Wed, 18 Apr 2018 10:02:53 -0400
> Wvu Hpc via samba <samba at lists.samba.org> wrote:
>
> > Hello,
> >
> > We are in the process of providing access to an AD-connected master domain and one of its subdomains to one of our SAMBA 4.6.2 file-share servers. The samba server is a member of the MASTER domain. The problem is we have cases where the same person has an account in both the master domain and the sub domain (long story and we know it is not a good practice but something I am powerless to change). The person (see example below for further clarity) has the same unix attributes set in both the domain and sub-domain. When you run testparm it complains of having the range overlap but the config seems to be working OK.
> >
> > Is there any reason we should not go forward with this config or should we push back and make the users in the subdomain have different uid and gid numbers from the master domain? The benefit of having the same uid and gid is we don't have to worry about changing file ownership if a user moves between domains.
> >
> > Example:
> >
> > MASTER\user : uidNumber = 10000 : gidNumber = 10000
> > SUB\user : uidNumber = 10000 : gidNumber = 10000
> >
> > SMB Config:
> >
> > # Global parameters
> > [global]
> > workgroup = MASTER
> > winbind use default domain = Yes
> > idmap config MASTER:schema_mode = rfc2307
> > idmap config MASTER:range = 9000-5000000000
> > idmap config MASTER:default = yes
> > idmap config MASTER:backend = ad
> > idmap config SUB:schema_mode = rfc2307
> > idmap config SUB:range = 9000-5000000000
> > idmap config SUB:backend = ad
> > idmap config * : backend = tdb
> > idmap config *:range = 3000-8999
>
> Firstly, you cannot use 'winbind use default domain = Yes' if you have more than one domain in smb.conf.
> Secondly, as you already know, you cannot use the same range for both domains. Yes I know that some of the users have the same uidNumber in both domains, but what about the ones that don't?
>
> I would remove the 'winbind use default domain' line and then use the 'rid' backend for the 'SUB' domain with a different range:
>
> idmap config SUB:range = 5000000001-10000000000
> idmap config SUB:backend = rid
>
> This will probably entail changing the ownership of files and dirs.
>
> You say you have no control of the domains, but I would be having words with whoever does have control, mentioning words like 'stupid' and 'idiot' ;-)
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Rowland Penny
2018-Apr-18 15:13 UTC
[Samba] idmap_ad overlap with domain and sub-domain overlap
On Wed, 18 Apr 2018 10:52:12 -0400 Wvu Hpc <wvu.hpc at gmail.com> wrote:
> Hi Rowland,
>
> Thanks for the help and ideally I would like to get rid of the sub domain all together but that is probably not going to happen.
>
> So a couple of comments and please forgive any of my ignorance.

No problem.

> For your second question, all users in the subdomain who have access to the SAMBA server do have uidNumber set and it matches the uidNumber set in MASTER. Since this is the case, would the overlapping ranges be OK? I saw this post (https://lists.samba.org/archive/samba-technical/2016-December/117567.html) and thought it might indicate it is OK but was not sure?

Yes I know what it says there, but 'man idmap_ad' still says the ranges mustn't overlap (okay, it says 'disjoint', but this is the same thing).

> For 'winbind use default domain = Yes' I thought this would assume the default domain for ssh logins as being the master since I have "idmap config MASTER:default = yes". It appears to work as it allows users to log in without having to specify a domain. Although, if a user from the SUB domain logs in they must specify SUB\user to log in. Is that incorrect? If I remove use default = yes, users of MASTER must also specify their domain during login ... at least that is how it seemed during testing?

Setting 'winbind use default domain = yes' means that all your users will be treated as being members of the 'MASTER' domain. Now this might seem to work for you, but I think it is going to end in tears ;-)

When it comes down to it, they are your domains and you can do as you wish; all I can say is that I would find another way of doing it.

Rowland
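A small checker, added here and not from the thread or from Samba, that reads the idmap lines of the smb.conf posted above and reports the two points Rowland raises (overlapping ranges, which idmap_ad(8) requires to be disjoint, and 'winbind use default domain' with more than one domain), then confirms that his suggested rid backend with a disjoint SUB range passes. The config text is the thread's own, reduced to the lines that matter; the function names are mine.

```python
import re

# Constructed sample: the idmap lines from the thread's smb.conf, with the
# overlapping MASTER/SUB ranges and 'winbind use default domain = Yes'.
THREAD_CONF = """
workgroup = MASTER
winbind use default domain = Yes
idmap config MASTER:range = 9000-5000000000
idmap config MASTER:default = yes
idmap config MASTER:backend = ad
idmap config SUB:range = 9000-5000000000
idmap config SUB:backend = ad
idmap config * : backend = tdb
idmap config *:range = 3000-8999
"""
# Same lines with Rowland's suggestion applied: no default-domain option,
# a disjoint range for SUB, and the rid backend.
FIXED_CONF = (THREAD_CONF.replace("winbind use default domain = Yes\n", "")
              .replace("SUB:range = 9000-5000000000", "SUB:range = 5000000001-10000000000")
              .replace("SUB:backend = ad", "SUB:backend = rid"))

IDMAP_RE = re.compile(r"^\s*idmap config\s*(\S+?)\s*:\s*(\w+)\s*=\s*(.+?)\s*$")

def parse_globals(conf):
    # {domain: {key: value}} for idmap lines, plus every other 'key = value' option
    domains, options = {}, {}
    for line in conf.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            domains.setdefault(m.group(1).upper(), {})[m.group(2).lower()] = m.group(3)
        elif "=" in line:
            key, val = (s.strip() for s in line.split("=", 1))
            options[key.lower()] = val
    return domains, options

def check_idmap(conf):
    # Returns a list of problems; an empty list means the idmap layout is consistent
    domains, options = parse_globals(conf)
    ranges = {d: tuple(int(x) for x in c["range"].split("-"))
              for d, c in domains.items() if "range" in c}
    problems = []
    # idmap_ad(8): each domain's range must be disjoint from every other configured range
    names = sorted(ranges)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if ranges[a][0] <= ranges[b][1] and ranges[b][0] <= ranges[a][1]:
                problems.append(f"range overlap: {a} {ranges[a]} vs {b} {ranges[b]}")
    # 'winbind use default domain' drops the DOMAIN\ prefix, so it only fits a single domain
    real = sorted(d for d in domains if d != "*")
    if options.get("winbind use default domain", "no").lower() in ("yes", "true", "1") and len(real) > 1:
        problems.append("winbind use default domain = yes with domains " + ", ".join(real))
    return problems
```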
Thanks Rowland ... I'm going to follow your guidance and push towards having a different range for the sub domain. I much appreciate your responses!

On Wed, Apr 18, 2018 at 11:13 AM, Rowland Penny via samba <samba at lists.samba.org> wrote:
> On Wed, 18 Apr 2018 10:52:12 -0400
> Wvu Hpc <wvu.hpc at gmail.com> wrote:
>
> > Hi Rowland,
> >
> > Thanks for the help and ideally I would like to get rid of the sub domain all together but that is probably not going to happen.
> >
> > So a couple of comments and please forgive any of my ignorance.
>
> No problem.
>
> > For your second question, all users in the subdomain who have access to the SAMBA server do have uidNumber set and it matches the uidNumber set in MASTER. Since this is the case, would the overlapping ranges be OK? I saw this post (https://lists.samba.org/archive/samba-technical/2016-December/117567.html) and thought it might indicate it is OK but was not sure?
>
> Yes I know what it says there, but 'man idmap_ad' still says the ranges mustn't overlap (okay, it says 'disjoint', but this is the same thing).
>
> > For 'winbind use default domain = Yes' I thought this would assume the default domain for ssh logins as being the master since I have "idmap config MASTER:default = yes". It appears to work as it allows users to log in without having to specify a domain. Although, if a user from the SUB domain logs in they must specify SUB\user to log in. Is that incorrect? If I remove use default = yes, users of MASTER must also specify their domain during login ... at least that is how it seemed during testing?
>
> Setting 'winbind use default domain = yes' means that all your users will be treated as being members of the 'MASTER' domain. Now this might seem to work for you, but I think it is going to end in tears ;-)
>
> When it comes down to it, they are your domains and you can do as you wish; all I can say is that I would find another way of doing it.
>
> Rowland