On Fri, Sep 6, 2019 at 2:55 AM Rowland penny via samba <samba at lists.samba.org> wrote:

> On 05/09/2019 22:45, Roy Eastwood wrote:
> > Rowland,
> > I must be missing something here. Why can't the OP set the UID in ADUC to match that required in the other system? The Samba Domain member can use the ad backend, (rather than the rid), and no doubt file permissions will have to be readjusted accordingly, but at least the UIDs will match the other system. The Windows DC doesn't care about the RFC2307 attributes, so that shouldn't be affected.
>
> It all depends on your definition of 'UID' ;-)
>
> The OP is using the winbind 'rid' backend and as such, is unlikely to have uidNumber & gidNumber attributes in AD. He also hasn't told us just what he is trying to connect to.

I am trying to connect to a shared drive (I believe it is Windows based) on another Domain which we have access to (created by their admins) which has different UID for our users that match their authenticating source. Since all of these networks are closed, I am limited to what I can do in terms of just opening them up for access, etc. Our Linux VMs cannot mount that share because we do not have permissions and that is because the UID is different.

> Just changing what 'id' or 'getent' produces is unlikely to be enough if he is trying to connect from one AD domain to another e.g. changing a user in the 'SAMDOM' domain's UID from 1234 to 4321 would still make the user a member of the 'SAMDOM' domain, but it would make the user a new user.

I did make attempts at that previously and you are correct it does not work properly.

> What I also cannot understand is why he cannot sort this out himself, try going to 'www.bestgateeng.com'

I am not sure what you mean or are referring to by that statement. This system was passed off to me, I have no access to the previous admins or documentation on how and why everything is set up the way it is. After exhausting what I know I came here to ask a question to see if I perhaps missed something.

> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba

--
V/R
Tyrus Shivers
Bestgate Engineering LLC
Direct: (410) 872-2457
tyrus.shivers at bestgateeng.com

This e-mail transmission and any documents, files or previous e-mail messages attached to it, may be privileged and confidential and is intended only for the use of the intended recipient of this message. If you are not the intended recipient, or a person responsible for delivering it to the intended recipient, you are hereby notified that any review, disclosure, retention, copying, dissemination, distribution or use of any of the information contained in, or attached to this e-mail transmission is strictly prohibited. If you have received this transmission in error, please immediately notify the sender by return e-mail or by telephone at the above number and delete this e-mail message and its attachments.

On 06/09/2019 15:56, Tyrus Shivers wrote:

> On Fri, Sep 6, 2019 at 2:55 AM Rowland penny via samba <samba at lists.samba.org> wrote:
>
> > On 05/09/2019 22:45, Roy Eastwood wrote:
> > > Rowland,
> > > I must be missing something here. Why can't the OP set the UID in ADUC to match that required in the other system? The Samba Domain member can use the ad backend, (rather than the rid), and no doubt file permissions will have to be readjusted accordingly, but at least the UIDs will match the other system. The Windows DC doesn't care about the RFC2307 attributes, so that shouldn't be affected.
> >
> > It all depends on your definition of 'UID' ;-)
> >
> > The OP is using the winbind 'rid' backend and as such, is unlikely to have uidNumber & gidNumber attributes in AD. He also hasn't told us just what he is trying to connect to.
>
> I am trying to connect to a shared drive (I believe it is Windows based) on another Domain which we have access to (created by their admins) which has different UID for our users that match their authenticating source. Since all of these networks are closed, I am limited to what I can do in terms of just opening them up for access, etc. Our Linux VMs cannot mount that share because we do not have permissions and that is because the UID is different.

I think you would need Guest access on the shared drive, but by default, the Guest user is turned off on Windows 10.

> > Just changing what 'id' or 'getent' produces is unlikely to be enough if he is trying to connect from one AD domain to another e.g. changing a user in the 'SAMDOM' domain's UID from 1234 to 4321 would still make the user a member of the 'SAMDOM' domain, but it would make the user a new user.
>
> I did make attempts at that previously and you are correct it does not work properly.

It wouldn't ;-)

> > What I also cannot understand is why he cannot sort this out himself, try going to 'www.bestgateeng.com'
>
> I am not sure what you mean or are referring to by that statement. This system was passed off to me, I have no access to the previous admins or documentation on how and why everything is set up the way it is. After exhausting what I know I came here to ask a question to see if I perhaps missed something.

Bestgate Engineering is committed to bringing the best, brightest, and most passionate software and systems engineers to solve our customers' most difficult and challenging technical problems.

Does the above look familiar ????

I get the feeling that you are possibly trying to read data from one customer's domain into another domain. If you aren't, you should have no problem setting up trusts between the domains. If you are and the customer is in the EU, then you are potentially breaking EU law.

You cannot make a user in one domain into a user in another domain, but you can get a domain to trust users from another domain.

Rowland

On Fri, Sep 6, 2019 at 11:12 AM Rowland penny via samba <samba at lists.samba.org> wrote:

> On 06/09/2019 15:56, Tyrus Shivers wrote:
>
> > On Fri, Sep 6, 2019 at 2:55 AM Rowland penny via samba <samba at lists.samba.org> wrote:
> >
> > > On 05/09/2019 22:45, Roy Eastwood wrote:
> > > > Rowland,
> > > > I must be missing something here. Why can't the OP set the UID in ADUC to match that required in the other system? The Samba Domain member can use the ad backend, (rather than the rid), and no doubt file permissions will have to be readjusted accordingly, but at least the UIDs will match the other system. The Windows DC doesn't care about the RFC2307 attributes, so that shouldn't be affected.
> > >
> > > It all depends on your definition of 'UID' ;-)
> > >
> > > The OP is using the winbind 'rid' backend and as such, is unlikely to have uidNumber & gidNumber attributes in AD. He also hasn't told us just what he is trying to connect to.
> >
> > I am trying to connect to a shared drive (I believe it is Windows based) on another Domain which we have access to (created by their admins) which has different UID for our users that match their authenticating source. Since all of these networks are closed, I am limited to what I can do in terms of just opening them up for access, etc. Our Linux VMs cannot mount that share because we do not have permissions and that is because the UID is different.
>
> I think you would need Guest access on the shared drive, but by default, the Guest user is turned off on Windows 10.
>
> > > Just changing what 'id' or 'getent' produces is unlikely to be enough if he is trying to connect from one AD domain to another e.g. changing a user in the 'SAMDOM' domain's UID from 1234 to 4321 would still make the user a member of the 'SAMDOM' domain, but it would make the user a new user.
> >
> > I did make attempts at that previously and you are correct it does not work properly.
>
> It wouldn't ;-)
>
> > > What I also cannot understand is why he cannot sort this out himself, try going to 'www.bestgateeng.com'
> >
> > I am not sure what you mean or are referring to by that statement. This system was passed off to me, I have no access to the previous admins or documentation on how and why everything is set up the way it is. After exhausting what I know I came here to ask a question to see if I perhaps missed something.
>
> Bestgate Engineering is committed to bringing the best, brightest, and most passionate software and systems engineers to solve our customers' most difficult and challenging technical problems.
>
> Does the above look familiar ????

Yes, does not mean every person is an expert in everything :)

> I get the feeling that you are possibly trying to read data from one customer's domain into another domain. If you aren't, you should have no problem setting up trusts between the domains. If you are and the customer is in the EU, then you are potentially breaking EU law.

That is what I am trying to do. I cannot set up a trust because I do not control both domains (I have submitted a request for the admins of the other domain to assist). I am not in the EU and I know for a fact I am not breaking any laws. The way our networks and partners' networks are set up isn't easily explained and I apologize for that vagueness.

> You cannot make a user in one domain into a user in another domain, but you can get a domain to trust users from another domain.

I understand that.
I just wanted to be sure there was nothing missing from what I already tried and you have answered that question.

> Rowland

--
V/R
Tyrus Shivers
Bestgate Engineering LLC
Direct: (410) 872-2457
tyrus.shivers at bestgateeng.com
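
The two winbind ID-mapping backends contrasted in this thread, as an added smb.conf fragment that is not from any poster. SAMDOM is the thread's example domain name; the realm and the ID ranges are assumed values.

```ini
# Added illustration, not from the thread. SAMDOM is the thread's
# example domain; the realm and ID ranges below are assumed values.

[global]
    security = ads
    workgroup = SAMDOM
    # Assumed realm name.
    realm = SAMDOM.EXAMPLE.COM

    # Default domain (BUILTIN and anything not mapped below).
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999

    # Option A: 'rid' backend (what the OP is using).
    # The Unix ID is computed from the RID at the end of the SID:
    #   ID = RID - BASE_RID + low end of range   (base_rid defaults to 0)
    # With this range, RID 1234 becomes uid 11234. Nothing is read from
    # AD, so uidNumber/gidNumber need not exist and a per-user UID
    # cannot be chosen.
    idmap config SAMDOM : backend = rid
    idmap config SAMDOM : range = 10000-999999

    # Option B: 'ad' backend (Roy's suggestion).
    # Use instead of Option A, never both for the same domain.
    # IDs are read from the RFC2307 uidNumber/gidNumber attributes set
    # in ADUC; accounts without them, or with values outside the range,
    # are not mapped on this member.
    ;idmap config SAMDOM : backend = ad
    ;idmap config SAMDOM : schema_mode = rfc2307
    ;idmap config SAMDOM : range = 10000-999999
```

Either backend only decides which local uid/gid winbind assigns to a SAMDOM account on this domain member. A file server in another domain authorizes the connection by the account it authenticated, which is why the last reply points to a trust between the domains rather than to matching UID numbers.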