On Sunday, 3 November 2019 01:41:18 PST Rowland penny via samba wrote:
> As I said, you cannot use 'winbind use default domain = yes' with
> 'autorid', it makes all users and groups members of the same domain,
> this is probably what has happened here.
>
> Remove the line, this should stop it happening again
>
> If you have only one domain, then you shouldn't be using autorid, you
> should be using rid instead, unfortunately it is probably too late now.
>

Is it OK to use autorid for * when you have rid configured for the domain of your primary user on a given machine? E.g., if there is a forest of, say, users.example.com, dom1.example.com, dom2.example.com, and the primary user of the machine is in users.example.com, is it OK to have config like this:

idmap config * : backend = autorid
idmap config * : range = <range>
idmap config * : rangesize = <subrange>
idmap config USERS : backend = rid
idmap config USERS : range = <range>

If yes, what about the same config for the case when USERS (users.example.com) is the only domain? My understanding is that in a single-domain situation this config shouldn't cause any issues with 'winbind use default domain = true', and in the multiple-domain situation this would cause trouble authenticating users from domains other than USERS but should work OK for the primary domain, is that correct?
On 04/11/2019 18:52, Alexey A Nikitin wrote:
> On Sunday, 3 November 2019 01:41:18 PST Rowland penny via samba wrote:
>> As I said, you cannot use 'winbind use default domain = yes' with
>> 'autorid', it makes all users and groups members of the same domain,
>> this is probably what has happened here.
>>
>> Remove the line, this should stop it happening again
>>
>> If you have only one domain, then you shouldn't be using autorid, you
>> should be using rid instead, unfortunately it is probably too late now.
>>
> Is it OK to use autorid for * when you have rid configured for the domain of your primary user on a given machine? E.g., if there is a forest of, say, users.example.com, dom1.example.com, dom2.example.com, and the primary user of the machine is in users.example.com, is it OK to have config like this:
> idmap config * : backend = autorid
> idmap config * : range = <range>
> idmap config * : rangesize = <subrange>
> idmap config USERS : backend = rid
> idmap config USERS : range = <range>
>
> If yes, what about the same config for the case when USERS (users.example.com) is the only domain? My understanding is in a single domain situation this config shouldn't cause any issues with 'winbind use default domain = true', and in the multiple domains situation this would cause trouble authenticating users from domains other than USERS but should work OK for the primary domain, is that correct?

There is no point in using 'rid' with 'autorid', they both do the same thing, they map users using the user's SID.

If you have multiple domains, then the easiest way to set up smb.conf is by using 'autorid', elsewise you would have to set up multiple 'idmap config' blocks for each domain.

If you only have one domain, then you could use the 'ad' or 'rid' winbind backend. If you do not use the DC as a fileserver, then the 'rid' backend is probably the one to use, this way you do not have to add anything to AD.

If you want to have the same ID everywhere (you are using the DC as a fileserver) then you will have to use the winbind 'ad' backend and add RFC2307 attributes to AD.

Rowland
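The two problems raised so far in the thread (an 'autorid' catch-all combined with 'winbind use default domain', and a per-domain 'rid' block sitting on top of 'autorid') are the kind of thing that is easy to check mechanically before winbind ever allocates an ID. The following lint script is an added example, not code from the Samba project or from anyone in this thread. It parses only the 'idmap config' and 'winbind use default domain' lines of an smb.conf, flags overlapping ID ranges (Samba requires the ranges of different idmap domains not to overlap), and encodes Rowland's two statements as warnings. The sample configurations, including the concrete range numbers, are constructed for the example; the first is the config Alexey sketched with made-up values filled in, the second is a single-domain 'rid' layout with a 'tdb' block for '*' (the usual layout for the BUILTIN SIDs, an assumption of this example rather than something the thread prescribes).

```python
"""Lint the idmap section of an smb.conf for the pitfalls discussed in the thread.

Added example; not part of Samba. Only 'idmap config' lines and
'winbind use default domain' are inspected.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample 1: the layout asked about in the thread, with made-up ranges,
# plus the 'winbind use default domain' line Rowland warned about.
SAMPLE_SMB_CONF = """\
[global]
   workgroup = USERS
   security = ads
   winbind use default domain = yes
   idmap config * : backend = autorid
   idmap config * : range = 1000000-19999999
   idmap config * : rangesize = 1000000
   idmap config USERS : backend = rid
   idmap config USERS : range = 1500000-2499999
"""

# Constructed sample 2: a single-domain 'rid' layout with non-overlapping ranges.
FIXED_SMB_CONF = """\
[global]
   workgroup = USERS
   security = ads
   winbind use default domain = yes
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999
   idmap config USERS : backend = rid
   idmap config USERS : range = 10000-999999
"""

# smb.conf keys are case-insensitive; whitespace around ':' and '=' is free-form.
IDMAP_RE = re.compile(
    r"^\s*idmap\s+config\s+(?P<domain>\S+)\s*:\s*(?P<key>[a-z_ ]+?)\s*=\s*(?P<value>.+?)\s*$",
    re.IGNORECASE,
)
DEFAULT_DOMAIN_RE = re.compile(
    r"^\s*winbind\s+use\s+default\s+domain\s*=\s*(\S+)\s*$", re.IGNORECASE
)


def parse_range(value: str) -> Tuple[int, int]:
    """Turn 'LOW-HIGH' into (low, high), rejecting an inverted range."""
    lo, hi = (int(p) for p in value.replace(" ", "").split("-", 1))
    if lo > hi:
        raise ValueError(f"range lower bound {lo} exceeds upper bound {hi}")
    return lo, hi


def parse(text: str) -> Tuple[Dict[str, Dict[str, str]], bool]:
    """Collect idmap options per domain and the 'winbind use default domain' flag."""
    domains: Dict[str, Dict[str, str]] = {}
    use_default_domain = False
    for line in text.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            dom = m.group("domain").upper()
            key = m.group("key").strip().lower()
            domains.setdefault(dom, {})[key] = m.group("value")
            continue
        m = DEFAULT_DOMAIN_RE.match(line)
        if m:
            use_default_domain = m.group(1).lower() in ("yes", "true", "1")
    return domains, use_default_domain


def lint(text: str) -> List[str]:
    """Return a list of human-readable findings; an empty list means no issue found."""
    findings: List[str] = []
    domains, use_default_domain = parse(text)
    ranges: Dict[str, Tuple[int, int]] = {}

    for dom, opts in domains.items():
        backend = opts.get("backend", "").lower()
        if backend in ("rid", "autorid", "ad", "tdb") and "range" not in opts:
            findings.append(f"{dom}: backend '{backend}' has no 'range'")
        if "range" in opts:
            try:
                ranges[dom] = parse_range(opts["range"])
            except ValueError as err:
                findings.append(f"{dom}: bad range: {err}")

    star_backend = domains.get("*", {}).get("backend", "").lower()
    if star_backend == "autorid" and use_default_domain:
        # Rowland's point: autorid plus 'winbind use default domain' collapses
        # every user and group into one domain.
        findings.append("'winbind use default domain = yes' combined with autorid for '*'")
    if star_backend == "autorid":
        for dom, opts in domains.items():
            if dom != "*" and opts.get("backend", "").lower() == "rid":
                # Rowland's other point: rid and autorid both map by SID.
                findings.append(f"{dom}: 'rid' block is redundant alongside autorid for '*'")

    # Ranges of distinct idmap domains must not overlap.
    names = sorted(ranges)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            (alo, ahi), (blo, bhi) = ranges[a], ranges[b]
            if alo <= bhi and blo <= ahi:
                findings.append(f"ranges of {a} ({alo}-{ahi}) and {b} ({blo}-{bhi}) overlap")
    return findings


if __name__ == "__main__":
    for label, conf in (("sample", SAMPLE_SMB_CONF), ("fixed", FIXED_SMB_CONF)):
        print(f"[{label}]")
        for finding in lint(conf) or ["no findings"]:
            print("  -", finding)
```

Run against a real file with `lint(open("/etc/samba/smb.conf").read())`; the script deliberately reports rather than rewrites, since fixing an idmap layout after IDs have been handed out is exactly the "too late now" situation Rowland describes.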
On Tuesday, 5 November 2019 01:37:15 PST Rowland penny via samba wrote:
> On 04/11/2019 18:52, Alexey A Nikitin wrote:
> > On Sunday, 3 November 2019 01:41:18 PST Rowland penny via samba wrote:
> >> As I said, you cannot use 'winbind use default domain = yes' with
> >> 'autorid', it makes all users and groups members of the same domain,
> >> this is probably what has happened here.
> >>
> >> Remove the line, this should stop it happening again
> >>
> >> If you have only one domain, then you shouldn't be using autorid, you
> >> should be using rid instead, unfortunately it is probably too late now.
> >>
> > Is it OK to use autorid for * when you have rid configured for the domain of your primary user on a given machine? E.g., if there is a forest of, say, users.example.com, dom1.example.com, dom2.example.com, and the primary user of the machine is in users.example.com, is it OK to have config like this:
> > idmap config * : backend = autorid
> > idmap config * : range = <range>
> > idmap config * : rangesize = <subrange>
> > idmap config USERS : backend = rid
> > idmap config USERS : range = <range>
> >
> > If yes, what about the same config for the case when USERS (users.example.com) is the only domain? My understanding is in a single domain situation this config shouldn't cause any issues with 'winbind use default domain = true', and in the multiple domains situation this would cause trouble authenticating users from domains other than USERS but should work OK for the primary domain, is that correct?
>
> There is no point in using 'rid' with 'autorid', they both do the same
> thing, they map users using the users SID.
>
> If you have multiple domains, then the easiest way to set up smb.conf is
> by using using 'autorid', elsewise you would have to set up multiple
> 'idmap config' blocks for each domain.
>
> If you only have one domain, then you could use the 'ad' or 'rid'
> winbind backend. If you do not use the DC as a fileserver, then the
> 'rid' backend is probably the one to use, this way you do not have to
> add anything to AD.
>
> If you want to have the same ID everywhere (you are using the DC as a
> fileserver) then you will have to use the winbind 'ad' backend and add
> RFC2307 attributes to AD.
>
> Rowland
>

In my case I have no control over the domain, and I have neither control nor knowledge ahead of time whether there is one domain or a whole forest of domains or even cross-forest trust relationships; all I know is the name of the domain where the primary user of a given machine resides. Because I have no control over the domain I cannot make use of RFC2307 attributes and the 'ad' backend, and because I don't know the number of the domains I have to use the 'autorid' backend, or so I understand so far.

You're saying that if there is only one domain then 'autorid' should not be used. Is it because of technical reasons, or simply because it is overkill for the single-domain use case?

IIRC earlier you (or someone else) said that there is a way to allocate a subrange for a given domain with autorid before anyone from that domain authenticates on the machine (I have the notes, I'm just too lazy to pull them up right now); my understanding is that with that approach I can use the 'autorid' backend regardless of the number of domains in a forest.