Dario Lesca
2018-Nov-22 12:55 UTC
[Samba] How to set same UID and GID for ADDC server and all Member server
I have set up an ADDC Samba server and a winbind member server.

I have seen that the same user has a different UID/GID on the ADDC and on the member server.

# Addc (Fedora 29)
[root@s-addc ~]# id d.lesca
uid=3000023(DOM\d.lesca) gid=100(users) gruppi=100(users),3000023(DOM\d.lesca),3000009(BUILTIN\users)
[root@s-addc ~]# rpm -q samba
samba-4.9.2-0.fc29.x86_64

# Member (Centos7)
[root@s-dati ~]# id d.lesca
uid=1000003(d.lesca) gid=1000005(domain users) gruppi=1000005(domain users),1000001(BUILTIN\users)
[root@s-dati ~]# rpm -q samba
samba-4.7.1-9.el7_5.x86_64

And if I set up another member server, the UID/GID is still different from the other servers.

Is it possible to set the UID/GID on all member servers to the same values assigned on the AD server?
Or to set a specific UID/GID for every user/group?

Many thanks

--
Dario Lesca
(sent from my Linux Fedora 28 Workstation)
Rowland Penny
2018-Nov-22 13:46 UTC
[Samba] How to set same UID and GID for ADDC server and all Member server
On Thu, 22 Nov 2018 13:55:08 +0100
Dario Lesca via samba <samba at lists.samba.org> wrote:

> I have set up an ADDC Samba server and a winbind member server
>
> I have seen that the same user has a different UID/GID on the ADDC
> and on the member server
>
> # Addc (Fedora 29)
> [root@s-addc ~]# id d.lesca
> uid=3000023(DOM\d.lesca) gid=100(users) gruppi=100(users),3000023(DOM\d.lesca),3000009(BUILTIN\users)
> [root@s-addc ~]# rpm -q samba
> samba-4.9.2-0.fc29.x86_64

I do hope this is a test domain; using the standard Fedora packages for a DC is considered experimental.

> # Member (Centos7)
> [root@s-dati ~]# id d.lesca
> uid=1000003(d.lesca) gid=1000005(domain users) gruppi=1000005(domain users),1000001(BUILTIN\users)
> [root@s-dati ~]# rpm -q samba
> samba-4.7.1-9.el7_5.x86_64
>
> And if I set up another member server, the UID/GID is still different
> from the other servers
>
> Is it possible to set the UID/GID on all member servers to the same
> values assigned on the AD server?

Well yes, but you don't do it that way ;-)

> Or to set a specific UID/GID for every user/group?

Yes, it is called using rfc2307 attributes: add uidNumber & gidNumber attributes to AD and then use the winbind 'ad' backend on the Unix domain members.

See here for more info:
https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member

Rowland
Dario Lesca
2018-Nov-22 16:37 UTC
[Samba] How to set same UID and GID for ADDC server and all Member server
On Thu, 22/11/2018 at 13.46 +0000, Rowland Penny via samba wrote:

> I do hope this is a test domain; using the standard Fedora packages
> for a DC is considered experimental.

Yes, for now it is a test domain, but if it works great, why not use it in a production environment?

Why is the Fedora DC package considered experimental?

The latest Samba version is 4.9.2; the Fedora team has rebuilt this version and I have installed it ... without installing compiler tools on my AD-DC.

> > Or to set a specific UID/GID for every user/group?
>
> Yes, it is called using rfc2307 attributes: add uidNumber &
> gidNumber attributes to AD and then use the winbind 'ad' backend on
> the Unix domain members.
> See here for more info:
> https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member

OK, thanks, I forgot to set rfc2307 on the member server and to set the type of winbind backend to use.

In fact, I do not need to have the same IDs on the DC as on the member servers: I will only use the Samba AD DC for authentication and will not store data on it or log into it.

Then I set the backend to 'rid' and I keep the same ID range on every Unix domain member.

Now the [global] of my smb.conf is

# Global parameters
[global]
	printcap name = cups
	realm = DOM.LOC
	security = ADS
	template homedir = /u/samba/home/%U
	template shell = /bin/bash
	winbind enum groups = Yes
	winbind enum users = Yes
	winbind offline logon = Yes
	winbind use default domain = Yes
	workgroup = DOM
	rpc_daemon:spoolssd = fork
	rpc_server:spoolss = external
	idmap config dom:backend = rid
	idmap config dom:range = 1000000-3000000
	idmap config dom:schema_mode = rfc2307
	idmap config * : range = 10000-99999
	idmap config * : backend = tdb
	cups options = raw

Is it correct?
This way, I do not have to add uidNumber & gidNumber on AD ... right?

Many thanks

--
Dario Lesca
(sent from my Linux Fedora 28 Workstation)