On Fri, 15 May 2020, Rowland penny via samba wrote:

> On 15/05/2020 16:33, Harald Hannelius wrote:
>> If there's a way to copy the sambaNTPassword password-hash from the LDAP
>> for the Samba 3 DC with samba-tool I would have loved to find that
>> information long ago :)
> Why do you need the sambaNTPassword ?

So the users would have the same password. I don't have time to wait for our IDM to change the passwords one by one.

>> So the "idmap config sad:range" is for both uid's and gid's? There's no
>> separate range for gid's?
> No, they both use the same range.

I see.

>> I have read these, and followed the instructions. What I don't understand
>> is why one user uid 510, gid 100 works with all groups and another user
>> with uid 527, gid 100 doesn't.
>>
>> What isn't clear is: are uid's and gid's really in the same number space in
>> Samba? What if a user has the same uid as a group's gid?
> Because the user or group object in AD has a unique SID, this is what counts
> for authentication.
>
> As in most cases, it looks like you might have been better off creating a
> totally new AD domain with new Unix UID & GID numbers, this would have
> allowed you to get away from the big mistake that was made with NT4-style
> domains, using the RID as the Unix ID.

That might be true. I have two large filesystems with users and groups that would have required migration in that case. Which would have been an even greater mess I think.

But since my users now have uidNumber: in AD, don't they use that as uid and not the RID?

-- 
Harald Hannelius | harald.hannelius/a\arcada.fi | +358 50 594 1020
On 15/05/2020 18:26, Harald Hannelius wrote:
>
> On Fri, 15 May 2020, Rowland penny via samba wrote:
>> On 15/05/2020 16:33, Harald Hannelius wrote:
>>> If there's a way to copy the sambaNTPassword password-hash from the
>>> LDAP for the Samba 3 DC with samba-tool I would have loved to find
>>> that information long ago :)
>> Why do you need the sambaNTPassword ?
>
> So the users would have the same password. I don't have time to wait
> for our IDM to change the passwords one by one.

That is another reason to lose the IDM, AD is an IDM.

> That might be true. I have two large filesystems with users and groups
> that would have required migration in that case. Which would have been
> an even greater mess I think.
>
> But since my users now have uidNumber: in AD, don't they use that as
> uid and not the RID?

Yes and no ;-)

The uid is used to identify the Unix user and the RID is used for authentication.

Just a thought, it is possible your Samba users are using the AD password anyway.

Rowland
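The two messages above turn on the difference between an NT4-style domain, where the Unix ID was derived from the RID at the end of the object's SID, and a Samba AD member using RFC2307 attributes, where `uidNumber`/`gidNumber` are read from the object and are only honoured when they fall inside the single `idmap config <DOMAIN>:range` that users and groups share. The script below is an added illustration, not code from this thread or from Samba itself: it models both mappings in Python using Samba's documented rules (the `rid` backend computes `ID = RID - base_rid + range_low`; the `ad` backend ignores an object whose `uidNumber`/`gidNumber` is missing or outside the range) and runs a small audit over a constructed directory. The domain SID, the range, and every uidNumber/gidNumber value are made up for the example.

```python
"""Model of the two Samba ID-mapping strategies discussed in the thread.

All SIDs, uidNumber/gidNumber values and the idmap range below are
constructed for illustration; they are not taken from the mailing-list posts.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# A domain SID has the form S-1-5-21-<a>-<b>-<c>-<RID>; capture the RID.
SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+-(\d+)$")

# Constructed domain SID prefix and idmap settings for a hypothetical domain "SAD".
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"
IDMAP_RANGE: Tuple[int, int] = (10000, 19999)  # idmap config SAD:range = 10000-19999
BASE_RID = 0                                    # idmap config SAD:base_rid (default 0)


def rid_of(sid: str) -> int:
    """Return the relative identifier (last sub-authority) of a domain SID."""
    m = SID_RE.match(sid)
    if not m:
        raise ValueError(f"not a domain-relative SID: {sid}")
    return int(m.group(1))


def idmap_rid(sid: str, rng: Tuple[int, int] = IDMAP_RANGE,
              base_rid: int = BASE_RID) -> Optional[int]:
    """NT4-style mapping as done by Samba's rid backend:
    ID = RID - base_rid + range_low.

    Users and groups land in one number space; because RIDs are unique within
    a domain, two objects never collide. A result outside the range is
    rejected rather than silently wrapped.
    """
    low, high = rng
    unix_id = rid_of(sid) - base_rid + low
    return unix_id if low <= unix_id <= high else None


@dataclass
class AdObject:
    """Minimal view of the attributes the ad backend looks at."""
    sid: str
    kind: str                  # "user" or "group"
    unix_id: Optional[int]     # uidNumber for a user, gidNumber for a group


def idmap_ad(obj: AdObject, rng: Tuple[int, int] = IDMAP_RANGE) -> Optional[int]:
    """RFC2307 mapping as done by Samba's ad backend: use the stored
    uidNumber/gidNumber, but only when it lies inside the one range configured
    for the domain. An object with no attribute, or an out-of-range value,
    gets no Unix ID and will not resolve on the member server."""
    low, high = rng
    if obj.unix_id is None or not (low <= obj.unix_id <= high):
        return None
    return obj.unix_id


def audit(objects: List[AdObject], rng: Tuple[int, int] = IDMAP_RANGE) -> List[str]:
    """Report objects that would fail to map under the ad backend, plus any
    user/group pair that share a number. The latter is harmless to Unix
    (uids and gids are separate namespaces and the SIDs differ), but it is
    worth knowing about when one range serves both."""
    findings: List[str] = []
    seen: Dict[int, List[str]] = {}
    for o in objects:
        mapped = idmap_ad(o, rng)
        if mapped is None:
            findings.append(f"{o.kind} {o.sid}: unix id {o.unix_id} not in range {rng}")
        else:
            seen.setdefault(mapped, []).append(o.kind)
    for num, kinds in seen.items():
        if "user" in kinds and "group" in kinds:
            findings.append(f"uid and gid {num} both in use (distinct namespaces, distinct SIDs)")
    return findings


# Constructed sample directory: a user inside the range, a user whose uidNumber
# was carried over unchanged and sits outside it, and a group whose gidNumber
# happens to equal the first user's uidNumber.
SAMPLE = [
    AdObject(f"{DOMAIN_SID}-1104", "user", 10510),
    AdObject(f"{DOMAIN_SID}-1127", "user", 20500),
    AdObject(f"{DOMAIN_SID}-1105", "group", 10510),
]

if __name__ == "__main__":
    for o in SAMPLE:
        print(o.kind, o.sid, "rid backend ->", idmap_rid(o.sid), "ad backend ->", idmap_ad(o))
    for line in audit(SAMPLE):
        print(line)
```

Running it shows the two answers given in the thread side by side: under the `rid` backend every object gets a number purely from its SID, while under the `ad` backend the number comes from the directory attribute and an out-of-range `uidNumber` simply yields no mapping, which is the first thing to check when one user resolves and another does not.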
On 15/05/2020 19:29, Harald Hannelius wrote:
>
> On Fri, 15 May 2020, Rowland penny via samba wrote:
>> On 15/05/2020 18:26, Harald Hannelius wrote:
>>> On Fri, 15 May 2020, Rowland penny via samba wrote:
>>>> On 15/05/2020 16:33, Harald Hannelius wrote:
>>>>> If there's a way to copy the sambaNTPassword password-hash from
>>>>> the LDAP for the Samba 3 DC with samba-tool I would have loved to
>>>>> find that information long ago :)
>>>> Why do you need the sambaNTPassword ?
>>>
>>> So the users would have the same password. I don't have time to wait
>>> for our IDM to change the passwords one by one.
>> That is another reason to lose the IDM, AD is an IDM.
>
> Do you mean Azure AD? :)

No, but connection to this is on the to-do list.

>
> We have so many different systems, and sadly we have to perform some
> staging of users to external pages before SAML-logins and so on that
> our IDM has its job to do.

AD can do what IPA can do and more.

>
> And even though we're moving from Samba3+OpenLDAP the OpenLDAP stays,
> because we have several systems integrated against that.

Probably most, if not all, could be integrated into AD.

> I have to look into trust relationships, but I'm not that happy about
> that. Not sure if I will go that way.
>
> Our users and computers are sitting in our Win AD, it will sure be
> interesting this.
>
> Previously computers happily tried with the user's password when
> connecting to a share. It looks like there's a small learning curve
> ahead for our users.

Done correctly, your users will not notice.

Rowland