On Mon, 18 Jun 2018, Rowland Penny via samba wrote:

> On Mon, 18 Jun 2018 11:42:05 -0400 (EDT)
> Tom Diehl via samba <samba at lists.samba.org> wrote:
>
>> Hi,
>>
>> In reading
>> https://wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_Existing_Active_Directory#Joining_the_Active_Directory_as_a_Domain_Controller
>> it says "If the other DCs are Samba DCs and were provisioned with
>> --use-rfc2307, you Should add --option='idmap_ldb:use rfc2307 = yes'
>> to the join command"
>>
>> So does this mean that rfc2307 should not be used if the other DCs
>> are MS DCs? Does the answer change if the ultimate goal is to
>> decommission the MS DCs?
>
> Do you have any Unix clients or do have an intention of either using
> the Samba DC as a fileserver, or adding any Unix domain members ?
>
> If you do, then add the line to any Samba DCs, if not then you can
> ignore it.

There are no Unix clients today but the plan is to add them once the
Samba DC is up and running. So if I understand you correctly, I should
add rfc2307 attributes so that I have them available when we provision
the member server. Then on the member server add something like the
following to the smb.conf:

   idmap config * : backend = tdb
   idmap config * : range = 3000-7999
   idmap config SAMDOM:backend = ad
   idmap config SAMDOM:schema_mode = rfc2307
   idmap config SAMDOM:unix_nss_info = yes
   idmap config SAMDOM:range = 10000-999999

This will also necessitate adding unix attributes to the user accounts.
Does this sound reasonable?

>>
>> In addition,
>> https://wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_Existing_Active_Directory#Built-in_User_.26_Group_ID_Mappings
>> states that "you must Create a hot-backup of
>> the /usr/local/samba/private/idmap.ldb file on the existing DC:" and
>> import into the new DC.
>>
>> If the existing DC is an MS DC, how do I accomplish this step?
>
> You cannot, because a windows DC will not have that file. There is a
> problem (or is it a feature ?) with idmap.ldb on Samba DCs, they can,
> and most probably will, return different IDs from each other. So for
> Sysvol, you must copy idmap.ldb from the first Samba DC to any other
> Samba DCs

So is it safe to just ignore this part until I add a 2nd Samba DC or is
there something special I need to do to get the IDs to match when one
of the DCs is an MS DC?

Regards,

-- 
Tom me at tdiehl.org
On Mon, 18 Jun 2018 14:42:12 -0400 (EDT)
me at tdiehl.org wrote:

> On Mon, 18 Jun 2018, Rowland Penny via samba wrote:
>
> > On Mon, 18 Jun 2018 11:42:05 -0400 (EDT)
> > Tom Diehl via samba <samba at lists.samba.org> wrote:
> >
> >> Hi,
> >>
> >> In reading
> >> https://wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_Existing_Active_Directory#Joining_the_Active_Directory_as_a_Domain_Controller
> >> it says "If the other DCs are Samba DCs and were provisioned with
> >> --use-rfc2307, you Should add --option='idmap_ldb:use rfc2307 =
> >> yes' to the join command"
> >>
> >> So does this mean that rfc2307 should not be used if the other DCs
> >> are MS DCs? Does the answer change if the ultimate goal is to
> >> decommission the MS DCs?
> >
> > Do you have any Unix clients or do have an intention of either using
> > the Samba DC as a fileserver, or adding any Unix domain members ?
> >
> > If you do, then add the line to any Samba DCs, if not then you can
> > ignore it.
>
> There are no Unix clients today but the plan is to add them once the
> Samba DC is up and running. So if I understand you correctly, I
> should add rfc2307 attributes so that I have them available when we
> provision the member server. Then on the member server add something
> like the following to the smb.conf:
>
>    idmap config * : backend = tdb
>    idmap config * : range = 3000-7999
>    idmap config SAMDOM:backend = ad
>    idmap config SAMDOM:schema_mode = rfc2307
>    idmap config SAMDOM:unix_nss_info = yes
>    idmap config SAMDOM:range = 10000-999999
>
> This will also necessitate adding unix attributes to the user
> accounts.

Not exactly, if the Samba AD DC is only going to be used for
authentication, then you could use the winbind 'rid' backend on Unix
domain members, this way you don't have to add anything to AD.

> Does this sound reasonable?
>
> >>
> >> In addition,
> >> https://wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_Existing_Active_Directory#Built-in_User_.26_Group_ID_Mappings
> >> states that "you must Create a hot-backup of
> >> the /usr/local/samba/private/idmap.ldb file on the existing DC:"
> >> and import into the new DC.
> >>
> >> If the existing DC is an MS DC, how do I accomplish this step?
> >
> > You cannot, because a windows DC will not have that file. There is a
> > problem (or is it a feature ?) with idmap.ldb on Samba DCs, they
> > can, and most probably will, return different IDs from each other.
> > So for Sysvol, you must copy idmap.ldb from the first Samba DC to
> > any other Samba DCs
>
> So is it safe to just ignore this part until I add a 2nd Samba DC or
> is there something special I need to do to get the IDs to match when
> one of the DCs is an MS DC?

Windows uses SID-RIDs to identify users, groups and computers, so you
do not need to do anything for Windows and a Samba AD DC to know who an
ID is. However, for Sysvol, Samba maps Windows IDs to Unix IDs in
idmap.ldb. So, yes, it is safe to ignore that part until you add
another Samba AD DC.

Rowland
On Mon, 18 Jun 2018, Rowland Penny via samba wrote:

> On Mon, 18 Jun 2018 14:42:12 -0400 (EDT)
> me at tdiehl.org wrote:
>
>> On Mon, 18 Jun 2018, Rowland Penny via samba wrote:
>>
>>> On Mon, 18 Jun 2018 11:42:05 -0400 (EDT)
>>> Tom Diehl via samba <samba at lists.samba.org> wrote:
>>>
>>>> Hi,
>>>>
>>>> In reading
>>>> https://wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_Existing_Active_Directory#Joining_the_Active_Directory_as_a_Domain_Controller
>>>> it says "If the other DCs are Samba DCs and were provisioned with
>>>> --use-rfc2307, you Should add --option='idmap_ldb:use rfc2307 =
>>>> yes' to the join command"
>>>>
>>>> So does this mean that rfc2307 should not be used if the other DCs
>>>> are MS DCs? Does the answer change if the ultimate goal is to
>>>> decommission the MS DCs?
>>>
>>> Do you have any Unix clients or do have an intention of either using
>>> the Samba DC as a fileserver, or adding any Unix domain members ?
>>>
>>> If you do, then add the line to any Samba DCs, if not then you can
>>> ignore it.
>>
>> There are no Unix clients today but the plan is to add them once the
>> Samba DC is up and running. So if I understand you correctly, I
>> should add rfc2307 attributes so that I have them available when we
>> provision the member server. Then on the member server add something
>> like the following to the smb.conf:
>>
>>    idmap config * : backend = tdb
>>    idmap config * : range = 3000-7999
>>    idmap config SAMDOM:backend = ad
>>    idmap config SAMDOM:schema_mode = rfc2307
>>    idmap config SAMDOM:unix_nss_info = yes
>>    idmap config SAMDOM:range = 10000-999999
>>
>> This will also necessitate adding unix attributes to the user
>> accounts.
>
> Not exactly, if the Samba AD DC is only going to be used for
> authentication, then you could use the winbind 'rid' backend on Unix
> domain members, this way you don't have to add anything to AD.

Am I correct that if I use the 'rid' backend then I do not need rfc2307
attributes?

So for rid the smb.conf on the member servers would look something like
the following:

   idmap config * : backend = tdb
   idmap config * : range = 3000-7999
   idmap config SAMDOM:backend = rid
   idmap config SAMDOM:unix_nss_info = yes
   idmap config SAMDOM:range = 10000-999999

Is this correct?

Regards,

-- 
Tom me at tdiehl.org
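As an added example (not code from this thread or from the Samba project), here is a small Python checker for the member-server 'idmap config' lines discussed above: it parses them, verifies that the default '*' range and the SAMDOM range do not overlap (overlap would let two different SIDs receive the same Unix ID), and shows how the 'rid' backend derives a Unix ID from a SID's RID using the formula from idmap_rid(8). The smb.conf text inside it is constructed from the rid fragment posted above; the domain name SAMDOM is the thread's placeholder.

```python
import re
# Added example, not code from the thread or from Samba. The smb.conf text is
# constructed from the 'rid' fragment above; the mapping formula is the one in
# idmap_rid(8): ID = RID - BASE_RID + LOW_RANGE_ID.
IDMAP_RE = re.compile(r"^\s*idmap config\s+(\S+)\s*:\s*(\w+)\s*=\s*(.+?)\s*$")

RID_MEMBER_CONF = """
idmap config * : backend = tdb
idmap config * : range = 3000-7999
idmap config SAMDOM:backend = rid
idmap config SAMDOM:range = 10000-999999
"""

def parse_idmap(conf):
    """Return {domain: {key: value}} for every 'idmap config' line."""
    cfg = {}
    for line in conf.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            cfg.setdefault(m[1], {})[m[2]] = m[3]
    return cfg

def _range(d):
    low, high = (int(x) for x in d["range"].split("-"))
    return low, high

def check_ranges(cfg):
    """List problems: missing '*' block, missing backend/range, inverted or
    overlapping ranges (overlap lets two SIDs receive the same Unix ID)."""
    problems = [] if "*" in cfg else ["no default 'idmap config *' block"]
    ranges = {}
    for dom, d in cfg.items():
        if "backend" not in d or "range" not in d:
            problems.append(f"{dom}: backend or range missing")
            continue
        low, high = _range(d)
        if low >= high:
            problems.append(f"{dom}: inverted range {low}-{high}")
        ranges[dom] = (low, high)
    doms = sorted(ranges)
    for i, a in enumerate(doms):
        for b in doms[i + 1:]:
            if ranges[a][0] <= ranges[b][1] and ranges[b][0] <= ranges[a][1]:
                problems.append(f"ranges of {a} and {b} overlap")
    return problems

def rid_to_unix_id(cfg, dom, rid):
    """Map a RID to a Unix ID the way idmap_rid does; None if out of range."""
    low, high = _range(cfg[dom])
    uid = rid - int(cfg[dom].get("base_rid", 0)) + low
    return uid if low <= uid <= high else None
```

Because the rid mapping is pure arithmetic on the SID, every member server with the same range setting computes the same Unix ID for a given user, which is what makes file ownership consistent across members without any attributes in AD.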