On Wed, 20 Jun 2018 12:52:00 +0200
L.P.H. van Belle <belle at bazuin.nl> wrote:
> Hai Rowland,
>
> Can you reply on this list message with an "adviced" member AD
> settting? ( see also )
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=899269
>
> I always go wrong the the vfs settings.
>
OK, lets start with, Samba recommends using 'winbind' on Unix domain
members, it does not supply or support using sssd. That doesn't mean
there is anything wrong with sssd, it just isn't a Samba product and
virtually anything sssd can do, winbind can do.
When you create a Unix domain member, you will have several groups
of users & groups stored in several places, these are:
The local Unix system users and groups, these will have IDs in the
'0-999' range (note: red-hat used to use '0-500')
Next comes the local Unix users and groups, these will start at ID
'1000'
Finally you will need a couple of ranges for:
A) The 'Well known SIDs' and anything outside the Domain
B) The Domain (or Domains) users and groups
I hope you can see that the AD users and groups IDs cannot start from
less than '1000', though starting at such a low number would mean that
you couldn't have ANY local Unix users or groups and you need a few
local Unix users, just in case something drastic goes wrong with AD.
So, what I recommend is, use '1000-2999' for local Unix users &
groups, '3000-7999' for the 'Well known SIDS' and anything
outside the
Domain and start the main AD DOMAIN at '10000' (which is, incidentally,
the number Microsoft chose).
This leads to lines such as these in smb.conf:
idmap config *:backend = tdb
idmap config *:range = 3000-7999
idmap config SAMDOM : backend = rid
idmap config SAMDOM : range = 10000-999999
NOTE: There is also the 'ad' backend, but I will not go into that here,
we are discussing 'ranges' and it is just a matter of adding a few
extra lines and these depend on your Samba version.
There is advice out there that says that you should put the '*' range
above the 'SAMDOM' range, but there is a problem with this. There are
less than 200 'Well Known SIDs' and if you do put the '*' range
above
the 'SAMDOM' range, what happens if your number of users grows to the
point that it reaches the low end of the '*' range ? Whereas, if the
'*' range is below the 'SAMDOM' range, it will never get in the
way.
As an aside, I also think that Debian did a very stupid thing when they
gave 'nobody' the ID of '65534', but you just have to work
around it.
I would also suggest you read this:
https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
Rowland