Hello,

I am using Winbind and Samba to tie in Linux VMs with a Windows DC for authentication. The UIDs are automatically assigned when I create a new user in Active Directory.

I need to manually change the UIDs of my users to a UID that is used on another network so they can access a specific share. How can I change the UID successfully and still be able to authenticate with the DC? Also, how can I manually assign UIDs in the future for new users?

I am using Samba version 4.8, samba-winbind version 4.8.

My smb.conf is below:

    workgroup = DOMAIN
    password server = server.domain.com
    realm = DOMIAN.com
    security = ads
    idmap config * : range = 3000-9999
    idmap config * : backend = rid
    idmap config DOMAIN : range = 10000-19999
    idmap config DOMAIN : backend = rid
    allow trusted domain = no
    template shell = /bin/bash
    kerberos method = secrets only
    winbind use default domain = true
    winbind offline logon = false
    winbind enum users = yes
    winbind enum groups = yes
    winbind refresh tickets = yes
    encrypt passwords = yes
    restrict anonymous = 2
    template homedir = /home/%D/%U

--
V/R
Tyrus Shivers
Bestgate Engineering LLC
Direct: (410) 872-2457
tyrus.shivers at bestgateeng.com

This e-mail transmission and any documents, files or previous e-mail messages attached to it, may be privileged and confidential and is intended only for the use of the intended recipient of this message. If you are not the intended recipient, or a person responsible for delivering it to the intended recipient, you are hereby notified that any review, disclosure, retention, copying, dissemination, distribution or use of any of the information contained in, or attached to this e-mail transmission is strictly prohibited. If you have received this transmission in error, please immediately notify the sender by return e-mail or by telephone at the above number and delete this e-mail message and its attachments.
On 05/09/2019 15:12, Tyrus Shivers via samba wrote:
> Hello,
>
> I am using Winbind and Samba to tie in Linux VMs with a Windows DC for
> authentication. The UIDs are automatically assigned when I create a new
> user in Active Directory.

As you are using the winbind 'rid' backend, I take it that UID == Windows SID

> I need to manually change the UIDs of my users to a UID that is used on
> another network so they can access a specific share. How can I change the
> UID successfully and still be able to authenticate with the DC. Also, how
> can I manually assign UIDs in the future for new users?

You cannot, the 'SID' will be in the format:

S-1-5-21-xxxxxxxxxx-yyyyyyyyyy-zzzzzzzzzz-RID

The 'xxxxxxxxxx-yyyyyyyyyy-zzzzzzzzzz' is what identifies the domain and the 'RID' will be (for normal users and groups) a unique number that is equal to or larger than '1000'.

If you change the 'xxxxxxxxxx-yyyyyyyyyy-zzzzzzzzzz' it becomes a different domain and will not be recognised by the existing domain and may cause it to fail. If you change the RID, it will become a different user, group or computer etc.

> My smb.conf is below:
>
> workgroup = DOMAIN
> password server = server.domain.com

Remove the password server line, you should allow Samba to find the most appropriate DC.

> realm = DOMIAN.com
> security = ads
> idmap config * : range = 3000-9999
> idmap config * : backend = rid
> idmap config DOMAIN : range = 10000-19999
> idmap config DOMAIN : backend = rid
> allow trusted domain = no

If you set 'allow trusted domain = yes' (or just remove the line), then you should be able to set up a trust between your domains to do what you require.

> template shell = /bin/bash
> kerberos method = secrets only
> winbind use default domain = true
> winbind offline logon = false
> winbind enum users = yes
> winbind enum groups = yes
> winbind refresh tickets = yes
> encrypt passwords = yes
> restrict anonymous = 2
> template homedir = /home/%D/%U

Rowland
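An added illustration (not Rowland's or Samba's own code) of why the UID cannot simply be edited under the 'rid' backend: idmap_rid derives the ID arithmetically as RID - base_rid + LOW_RANGE_ID from the ranges in smb.conf, so a different UID requires either a different SID or a different idmap backend. The domain SID below is a constructed placeholder, and the range lines are taken from the smb.conf in the thread.

```python
import re
from dataclasses import dataclass

# Constructed sample values, not taken from the thread: the domain SID winbind
# would report for DOMAIN, plus the idmap lines from the posted smb.conf.
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"
SMB_CONF = """
idmap config * : range = 3000-9999
idmap config * : backend = rid
idmap config DOMAIN : range = 10000-19999
idmap config DOMAIN : backend = rid
"""

# Account SID: S-1-5-21-<domain part>-<RID>
SID_RE = re.compile(r"^(S-1-5-21-\d+-\d+-\d+)-(\d+)$")

@dataclass(frozen=True)
class RidRange:
    low: int
    high: int
    base_rid: int = 0  # idmap_rid's default 'base_rid'

def parse_idmap_ranges(conf: str) -> dict:
    """Collect 'idmap config <dom> : range = LOW-HIGH' entries keyed by domain."""
    ranges = {}
    for line in conf.splitlines():
        m = re.match(r"\s*idmap config\s+(\S+)\s*:\s*range\s*=\s*(\d+)-(\d+)", line)
        if m:
            ranges[m.group(1)] = RidRange(int(m.group(2)), int(m.group(3)))
    return ranges

def sid_to_uid(sid: str, domain_sid: str, rng: RidRange) -> int:
    """Reproduce idmap_rid's mapping: ID = RID - base_rid + LOW_RANGE_ID.
    There is no table to edit: the UID is a pure function of the SID."""
    m = SID_RE.match(sid)
    if not m:
        raise ValueError(f"not an account SID: {sid}")
    domain_part, rid = m.group(1), int(m.group(2))
    # Rowland's point: a different x-y-z part is a different domain entirely.
    if domain_part != domain_sid:
        raise ValueError(f"{sid} does not belong to {domain_sid}")
    uid = rid - rng.base_rid + rng.low
    if not rng.low <= uid <= rng.high:
        raise ValueError(f"RID {rid} maps to {uid}, outside {rng.low}-{rng.high}")
    return uid

RANGES = parse_idmap_ranges(SMB_CONF)
```

With the ranges above, the user holding RID 1105 in DOMAIN always gets UID 11105; the only way to land on a UID chosen by the other network's admins is an idmap backend that stores explicit mappings rather than computing them.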
Understood. Just to confirm, there is no way to change the UID of users or manually assign them? When I do id "user", I get just a UID and several group IDs; I do not get anything that starts with an S. I do understand the SID from Windows is tied somehow to the UID.

I cannot set up a trust on my end. The remote share is managed by a different set of admins; their only option for me to connect is to have UIDs that match their database of UIDs. It is a closed network and the UIDs they have for users are tied to a different authentication resource than our network.

On Thu, Sep 5, 2019 at 10:30 AM Rowland penny via samba <samba at lists.samba.org> wrote: