samba - Jun 2020 - Is Samba 4.9 and "map untrusted to domain" possible anymore?

On Thu, 4 Jun 2020, Rowland penny via samba wrote:
> On 04/06/2020 13:49, Harald Hannelius via samba wrote:
>> 
>> Question 2)
>> Does a windows client behave differently when speaking to a NT4-domain
or
>> an
>> AD-domain in how they try passwords? I have a feeling that users in the
>> "AD"-domain didn't need to (manually at least) enter any
passwords to get
>> their drives mapped from the "Samba" domain. "It just
worked".
> An NT4-style domain relies on SMBv1 which Windows (and Samba) no longer
wants
> you to use. The latest Samba versions use a minimum of SMBv2 by default.
Thanks, now I remember.
>> Question 3)
>> If I would enable trust between "AD" and "SAD",
would users trying to
>> access files on a Samba fileserver be mapped to the uidNumber in
"SAD" DS?
>> Or would they be mapped to something entirely else? I'm not really 
>> understanding the idmap and identities it seems.
> No, you would have to give one set of users new uidNumbers and create
another
> 'idmap config' block in smb.conf. You could use autorid instead,
but this
> would mean totally new ID's everywhere.
So the best way for me would be to implement the RFC2307/SFU schema in the 
Windows AD "AD", add the same uidNumber for every user in
"AD" as they had
in the old "Samba" domain, and then just join the fileservers to the
"AD"
domain?

Then I change the map-range to be like it was for the "SAD" domain.

It's more like migrating filesystems with users and groups tied to files 
than just migrating users.

-- 

Harald Hannelius | harald.hannelius/a\arcada.fi | +358 50 594 1020

On 04/06/2020 14:46, Harald Hannelius via samba wrote:
>
> So the best way for me would be to implement the RFC2307/SFU schema in 
> the Windows AD "AD", add the same uidNumber for every user in
"AD" as
> they had in the old "Samba" domain, and then just join the
fileservers
> to the "AD" domain?
>
> Then I change the map-range to be like it was for the "SAD"
domain.
>
> It's more like migrating filesystems with users and groups tied to 
> files than just migrating users.
Yes you could do that, but don't forget groups as well and if you do not 
have any groups (usergroups count as no groups), ensure that Domain 
Users has a gidNumber inside whatever range you end up with.

Rowland

On Thu, 4 Jun 2020, Rowland penny via samba wrote:
> On 04/06/2020 14:46, Harald Hannelius via samba wrote:
>> 
>> So the best way for me would be to implement the RFC2307/SFU schema in
the
>> Windows AD "AD", add the same uidNumber for every user in
"AD" as they had
>> in the old "Samba" domain, and then just join the fileservers
to the "AD"
>> domain?
>> 
>> Then I change the map-range to be like it was for the "SAD"
domain.
>> 
>> It's more like migrating filesystems with users and groups tied to
files
>> than just migrating users.
>
> Yes you could do that, but don't forget groups as well and if you do
not have
> any groups (usergroups count as no groups), ensure that Domain Users has a 
> gidNumber inside whatever range you end up with.
Ouch. I forgot my groups. Have to calculate them in as well.

And another ouch is I would not be able to utilize my Samba AD which I like 
much better than the Windows version.

If I remember correctly, there's no additional idmap range for groups but 
they are rather inside the same numeric range as users in AD? So I now have 
duplicate idmap numbers because they originate from users and groups?


I appreciate your help.

-- 

Harald Hannelius | harald.hannelius/a\arcada.fi | +358 50 594 1020