On Fri, 22 Mar 2019 10:38:26 +0100
"Stefan G. Weichinger via samba" <samba at lists.samba.org>
wrote:
> On 21.03.19 at 22:42, Rowland Penny via samba wrote:
> > On Thu, 21 Mar 2019 22:34:02 +0100
> > "Stefan G. Weichinger via samba" <samba at lists.samba.org> wrote:
> >
> >> On 21.03.19 at 19:54, Rowland Penny via samba wrote:
> >>
> >>> This is one of the decisions you have to make, do you want to have
> >>> the same ID's everywhere, or just on Unix domain members ?
> >>
> >> We only have one Unix domain member aside from the DCs and that is
> >> the samba file server.
> >>
> >>> Do you want to
> >>> set different login shells and/or different home directories ?
> >>
> >> nope
> >>
> >> the AD users don't do ssh or bash or so ... "only" file access and
> >> stuff like login/logout and GPOs etc
> >>
> >> (only I and the main admin there use ssh to the servers ...)
> >
> > Then you don't really need to be using the 'ad' backend.
> >
> >>
> >>> If you want the same ID's everywhere and the ability to set
> >>> different login shells/homedirectories for your users, then you
> >>> must use the 'ad' backend, this does involve adding uidNumber
> >>> attributes to the user objects. This is what the Unix Attributes
> >>> tab used to do.
> >>>
> >>> If none of the above applies, then you can use the 'rid' backend,
> >>> this will give you the same ID's on all Unix domain members, but
> >>> all users that connect to the computer will get the same login
> >>> shell and homedirectory, you also will not have to add anything to
> >>> AD.
> >>
> >> And is it possible to change the backend from ad to rid with
> >> reasonable effort?
> >
> > Yes and then again no ;-)
> >
> > Yes, it is easy to change from 'ad' to 'rid', but you would also
> > have to change the file ownerships as well.
>
> ok, but that doesn't sound too bad: rather generic permissions there,
> we could solve that with some chmod-runs, I assume.
>
> They basically use one fat share and have rather simple ACLs in place.
It only really gets complicated if you have multiple shares and lots of
users.
>
> Is there a specific procedure to follow for this change or is it
> simply editing smb.conf on the DM, restart, and editing the
> permissions?
Yes, that is basically it, the only thing I would add is to run 'net
cache flush' after restarting Samba.
>
> Would the users themselves need some editing as well (inside LDAP/AD)?
This is really up to you, you could, if you so wish, remove all the
rfc2307 attributes from AD, or you could just ignore them.
Rowland
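
Added example (not part of the original thread and not Samba code): a sketch of the file-ownership step discussed above. It computes the ID the 'rid' backend will assign from each SID and remaps a share in one pass. The SIDs, old uidNumbers, the 10000-999999 range and all function names are assumptions made up for illustration.

```python
import os

# Constructed sample: (user SID, uidNumber previously served by the 'ad' backend).
SAMPLE_USERS = [
    ("S-1-5-21-1111111111-2222222222-3333333333-1105", 10000),
    ("S-1-5-21-1111111111-2222222222-3333333333-1106", 11105),
]

def rid_to_unix_id(sid, range_low, range_high, base_rid=0):
    """idmap_rid formula: ID = RID - BASE_RID + LOW_RANGE_ID."""
    rid = int(sid.rsplit("-", 1)[1])
    unix_id = rid - base_rid + range_low
    if not range_low <= unix_id <= range_high:
        raise ValueError(f"{sid}: ID {unix_id} is outside {range_low}-{range_high}")
    return unix_id

def build_id_map(entries, range_low, range_high):
    """Map each old numeric ID to the ID the 'rid' backend will compute."""
    return {old: rid_to_unix_id(sid, range_low, range_high) for sid, old in entries}

def overlapping_ids(id_map):
    """Old IDs that are also a new ID: per-user chown runs would remap
    these files twice and hand them to the wrong account."""
    return sorted(set(id_map) & set(id_map.values()))

def remap_tree(root, uid_map, gid_map, dry_run=True):
    """Walk once and look each path up by its current owner, so every
    file is changed at most once even when old and new IDs overlap."""
    paths = [root]
    for dirpath, dirnames, filenames in os.walk(root):
        paths += [os.path.join(dirpath, n) for n in dirnames + filenames]
    changes = []
    for path in paths:
        st = os.lstat(path)  # lstat/lchown: act on symlinks, not their targets
        uid = uid_map.get(st.st_uid, st.st_uid)
        gid = gid_map.get(st.st_gid, st.st_gid)
        if (uid, gid) != (st.st_uid, st.st_gid):
            changes.append((path, st.st_uid, uid, st.st_gid, gid))
            if not dry_run:
                os.lchown(path, uid, gid)  # needs root
    return changes

if __name__ == "__main__":
    # range 10000-999999 is an assumed 'idmap config' range for the domain
    uid_map = build_id_map(SAMPLE_USERS, 10000, 999999)
    print(uid_map, "overlap:", overlapping_ids(uid_map))
```

Review the dry-run change list before calling it with dry_run=False. It changes ownership only; POSIX ACL entries that name numeric IDs are not rewritten.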