Hi

So I added a second DC with the rfc2307 option. It replicates and auth works. yay.

>> Does this also mean that the member server that will act as a file
>> server should have idmap config = ad?

> Only if you have manually added uidNumber & gidNumber attributes to AD

I believe the microsoft admin tools have always been used to add users and groups

Is 'idmap rid' a better choice than ad? Can I still copy files with rsync in that case or will file ownership be mangled?

>> The documentation is not clear to me, in the wiki for setting up a
>> domain controller it is recommended to use rfc2307 but in the wiki on
>> how to set that up it is recommended to _not_ use rfc2307 in a DC.

> No, I think you mean that you should provision with 'use-rfc2307' but it
> is not recommended to use a DC as a fileserver.

As I already added the new DC, this doesn't matter anymore. However:

'When provisioning a new AD, it is recommended to enable the NIS extensions by passing the --use-rfc2307 parameter ...'
from: https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller

and

'It is recommended not to use those mappings on the DCs'
from: https://wiki.samba.org/index.php/Setting_up_RFC2307_in_AD

Thanks for your input, much appreciated!

-Mark-
On Mon, 26 Nov 2018 15:27:28 +0100
Mark Amundsen via samba <samba at lists.samba.org> wrote:

> Hi
>
> So I added a second DC with the rfc2307 option. It replicates and
> auth works. yay.
>
> >> Does this also mean that the member server that will act as a file
> >> server should have idmap config = ad?
>
> > Only if you have manually added uidNumber & gidNumber attributes to
> > AD
>
> I believe the microsoft admin tools have always been used to add users
> and groups

Unless the 'UNIX Attributes' tab was also used, then they will not be there.

> Is 'idmap rid' a better choice than ad? Can I still copy files with
> rsync in that case or will file ownership be mangled?

Quantify better ?
One isn't really better than the other, they are both usable, but in different ways and reasons.
It might help if you read this:

https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member

> >> The documentation is not clear to me, in the wiki for setting up a
> >> domain controller it is recommended to use rfc2307 but in the wiki
> >> on how to set that up it is recommended to _not_ use rfc2307 in a
> >> DC.
>
> > No, I think you mean that you should provision with 'use-rfc2307'
> > but it is not recommended to use a DC as a fileserver.
>
> As I already added the new DC, this doesn't matter anymore. However:
>
> 'When provisioning a new AD, it is recommended to enable the NIS
> extensions by passing the --use-rfc2307 parameter ...' from:
> https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller
>
> and
> 'It is recommended not to use those mappings on the DCs'
> from: https://wiki.samba.org/index.php/Setting_up_RFC2307_in_AD

I have updated the last page, hopefully it is now more understandable.

Rowland
> > Is 'idmap rid' a better choice than ad? Can I still copy files with
> > rsync in that case or will file ownership be mangled?
>
> Quantify better ?
> One isn't really better than the other, they are both usable, but in
> different ways and reasons.
> It might help if you read this:
>
> https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member

I've read it several times, but I start to think that I simply don't understand the concepts.

The old server does not have idmap config in the smb.conf (because it is a DC, right?). If I ls a file in the old fileserver, it looks like this:

-rwxrwx---+ 1 3000148 users 31M sep 19 15:16 10160-101.zip

So, 3000148 is a UID. If I use winbind 'rid' backend and copy the file above to the new server with rsync it will keep 3000148 as owner, but will 3000148 be connected to the same login on both servers?

I think that I'll just add a testserver to find out how it works.

[global]
    security = ADS
    workgroup = SAMDOM
    realm = SAMDOM.EXAMPLE.COM
    log file = /var/log/samba/%m.log
    log level = 1
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    idmap config SAMDOM : backend = rid
    idmap config SAMDOM : range = 3000000-3999999

Will that do (but replace SAMDOM with my realm)?

-Mark-
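The question in the message above (whether a numeric owner that rsync copies verbatim means the same account on two servers) comes down to how the 'rid' backend derives a Unix ID. The script below is an added example written for this page; it is not code from the thread or from Samba. It parses the 'idmap config' lines of the smb.conf fragment proposed above, applies the mapping documented in the idmap_rid manual page (ID = RID - BASE_RID + LOW_RANGE_ID), and then compares what two member servers make of the same numeric owner. The domain SID is a constructed placeholder, the second server's range is invented to show a mismatch, and the function names are this example's own.

```python
import re
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed smb.conf fragments. SERVER_A is the member-server config
# proposed in the thread; SERVER_B is the same config with a different
# (invented) range, to show what happens when two servers disagree.
SMB_CONF_SERVER_A = """
[global]
security = ADS
workgroup = SAMDOM
realm = SAMDOM.EXAMPLE.COM
idmap config * : backend = tdb
idmap config * : range = 3000-7999
idmap config SAMDOM : backend = rid
idmap config SAMDOM : range = 3000000-3999999
"""
SMB_CONF_SERVER_B = SMB_CONF_SERVER_A.replace("3000000-3999999", "10000-999999")

# Placeholder domain SID (constructed, not a real domain).
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"


@dataclass
class IdmapDomain:
    name: str
    backend: str
    low: int        # low end of 'range'
    high: int       # high end of 'range'
    base_rid: int   # idmap_rid 'base_rid' option, default 0


_IDMAP_RE = re.compile(
    r"^\s*idmap\s+config\s+(\S+)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.IGNORECASE)


def parse_idmap_config(conf: str) -> Dict[str, IdmapDomain]:
    """Collect 'idmap config <domain> : <key> = <value>' lines into IdmapDomain objects."""
    raw: Dict[str, Dict[str, str]] = {}
    for line in conf.splitlines():
        m = _IDMAP_RE.match(line)
        if m:
            name, key, value = m.group(1).upper(), m.group(2).lower(), m.group(3)
            raw.setdefault(name, {})[key] = value
    domains: Dict[str, IdmapDomain] = {}
    for name, opts in raw.items():
        if "backend" not in opts or "range" not in opts:
            raise ValueError(f"idmap config {name}: needs both 'backend' and 'range'")
        low, high = (int(x) for x in opts["range"].split("-"))
        if low >= high:
            raise ValueError(f"idmap config {name}: range {low}-{high} is empty")
        domains[name] = IdmapDomain(name, opts["backend"].lower(), low, high,
                                    int(opts.get("base_rid", "0")))
    return domains


def rid_sid_to_id(dom: IdmapDomain, domain_sid: str, sid: str) -> Optional[int]:
    """idmap_rid forward mapping: ID = RID - BASE_RID + LOW_RANGE_ID.
    Returns None for a SID from another domain or an ID outside 'range'."""
    if dom.backend != "rid":
        raise ValueError(f"idmap config {dom.name} does not use the rid backend")
    prefix = domain_sid + "-"
    if not sid.startswith(prefix):
        return None
    rid = int(sid[len(prefix):])
    unix_id = rid - dom.base_rid + dom.low
    return unix_id if dom.low <= unix_id <= dom.high else None


def rid_id_to_sid(dom: IdmapDomain, domain_sid: str, unix_id: int) -> Optional[str]:
    """Inverse mapping: RID = ID - LOW_RANGE_ID + BASE_RID. None if ID is outside 'range'."""
    if dom.backend != "rid":
        raise ValueError(f"idmap config {dom.name} does not use the rid backend")
    if not dom.low <= unix_id <= dom.high:
        return None
    return f"{domain_sid}-{unix_id - dom.low + dom.base_rid}"


def owner_after_rsync(src_conf: str, dst_conf: str, domain_sid: str,
                      unix_id: int, domain: str = "SAMDOM") -> Tuple[Optional[str], Optional[str], bool]:
    """rsync preserves the numeric owner. Return the SID each server resolves that
    number to (source, destination) and whether both agree on the same account."""
    src = rid_id_to_sid(parse_idmap_config(src_conf)[domain], domain_sid, unix_id)
    dst = rid_id_to_sid(parse_idmap_config(dst_conf)[domain], domain_sid, unix_id)
    return src, dst, (src is not None and src == dst)


if __name__ == "__main__":
    for label, conf in (("A", SMB_CONF_SERVER_A), ("B", SMB_CONF_SERVER_B)):
        dom = parse_idmap_config(conf)["SAMDOM"]
        print(label, "RID 148 ->", rid_sid_to_id(dom, DOMAIN_SID, DOMAIN_SID + "-148"))
    print("A -> A:", owner_after_rsync(SMB_CONF_SERVER_A, SMB_CONF_SERVER_A, DOMAIN_SID, 3000148))
    print("A -> B:", owner_after_rsync(SMB_CONF_SERVER_A, SMB_CONF_SERVER_B, DOMAIN_SID, 3000148))
```

Because the rid mapping is pure arithmetic on the RID, two member servers that join the same domain with the same 'idmap config SAMDOM : range' resolve a copied numeric owner to the same SID with no shared database; give them different ranges and the destination either resolves the number to a different account or, as in the A to B case here, to nothing at all. The model covers only the 'rid' backend on domain members: the old server in the thread is a DC with no 'idmap config' lines, and the ID it shows comes from the DC's own idmap.ldb allocation rather than from this formula, so a number seen there cannot be assumed to match a rid-mapped number on the new server.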