Harald Hannelius
2020-Jun-04 13:46 UTC
[Samba] Is Samba 4.9 and "map untrusted to domain" possible anymore?
On Thu, 4 Jun 2020, Rowland penny via samba wrote:

> On 04/06/2020 13:49, Harald Hannelius via samba wrote:
>>
>> Question 2)
>> Does a windows client behave differently when speaking to a NT4-domain or an
>> AD-domain in how they try passwords? I have a feeling that users in the
>> "AD"-domain didn't need to (manually at least) enter any passwords to get
>> their drives mapped from the "Samba" domain. "It just worked".
>
> An NT4-style domain relies on SMBv1 which Windows (and Samba) no longer wants
> you to use. The latest Samba versions use a minimum of SMBv2 by default.

Thanks, now I remember.

>> Question 3)
>> If I would enable trust between "AD" and "SAD", would users trying to
>> access files on a Samba fileserver be mapped to the uidNumber in "SAD" DS?
>> Or would they be mapped to something entirely else? I'm not really
>> understanding the idmap and identities it seems.
>
> No, you would have to give one set of users new uidNumbers and create another
> 'idmap config' block in smb.conf. You could use autorid instead, but this
> would mean totally new ID's everywhere.

So the best way for me would be to implement the RFC2307/SFU schema in the
Windows AD "AD", add the same uidNumber for every user in "AD" as they had in
the old "Samba" domain, and then just join the fileservers to the "AD" domain?

Then I change the map-range to be like it was for the "SAD" domain.

It's more like migrating filesystems with users and groups tied to files than
just migrating users.

--
Harald Hannelius | harald.hannelius/a\arcada.fi | +358 50 594 1020
Rowland penny
2020-Jun-04 13:59 UTC
[Samba] Is Samba 4.9 and "map untrusted to domain" possible anymore?
On 04/06/2020 14:46, Harald Hannelius via samba wrote:

> So the best way for me would be to implement the RFC2307/SFU schema in
> the Windows AD "AD", add the same uidNumber for every user in "AD" as
> they had in the old "Samba" domain, and then just join the fileservers
> to the "AD" domain?
>
> Then I change the map-range to be like it was for the "SAD" domain.
>
> It's more like migrating filesystems with users and groups tied to
> files than just migrating users.

Yes you could do that, but don't forget groups as well and if you do not have
any groups (usergroups count as no groups), ensure that Domain Users has a
gidNumber inside whatever range you end up with.

Rowland
Harald Hannelius
2020-Jun-04 14:07 UTC
[Samba] Is Samba 4.9 and "map untrusted to domain" possible anymore?
On Thu, 4 Jun 2020, Rowland penny via samba wrote:

> On 04/06/2020 14:46, Harald Hannelius via samba wrote:
>>
>> So the best way for me would be to implement the RFC2307/SFU schema in the
>> Windows AD "AD", add the same uidNumber for every user in "AD" as they had
>> in the old "Samba" domain, and then just join the fileservers to the "AD"
>> domain?
>>
>> Then I change the map-range to be like it was for the "SAD" domain.
>>
>> It's more like migrating filesystems with users and groups tied to files
>> than just migrating users.
>
> Yes you could do that, but don't forget groups as well and if you do not have
> any groups (usergroups count as no groups), ensure that Domain Users has a
> gidNumber inside whatever range you end up with.

Ouch. I forgot my groups. Have to calculate them in as well.

And another ouch is I would not be able to utilize my Samba AD which I like
much better than the Windows version.

If I remember correctly, there's no additional idmap range for groups but they
are rather inside the same numeric range as users in AD? So I now have
duplicate idmap numbers because they originate from users and groups?

I appreciate your help.

--
Harald Hannelius | harald.hannelius/a\arcada.fi | +358 50 594 1020
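
Added example, not part of the original thread or of Samba: a pre-join audit of the migration discussed above. It checks that every RFC2307 uidNumber/gidNumber in the new domain matches the ID the files are owned by, falls inside the idmap range, and that Domain Users has a gidNumber. The range, user names and ID values are constructed assumptions; uidNumber and gidNumber are checked as separate number spaces, since Unix keeps UIDs and GIDs apart.

```python
"""Pre-join check for an RFC2307 ID migration (all sample data is constructed)."""

# Assumed value for the range that would go into 'idmap config AD : range'.
IDMAP_RANGE = (10000, 19999)

# Constructed sample: IDs the files on disk are owned by (old "SAD" domain).
LEGACY_UIDS = {"alice": 10001, "bob": 10002, "carol": 10003}
LEGACY_GIDS = {"staff": 10001, "students": 10050}

# Constructed sample: RFC2307 attributes as populated in the new "AD" domain.
AD_USERS = {"alice": 10001, "bob": 10003, "carol": 10003, "dave": 500}
AD_GROUPS = {"staff": 10001, "students": None, "Domain Users": None}


def in_range(value, id_range=IDMAP_RANGE):
    """True if value lies inside the inclusive idmap range."""
    return id_range[0] <= value <= id_range[1]


def check(kind, legacy, current, id_range=IDMAP_RANGE):
    """Return findings for one ID space (uidNumber or gidNumber)."""
    findings = []
    seen = {}  # ID value -> first name that used it
    for name, value in sorted(current.items()):
        if value is None:
            findings.append(f"{kind} missing: {name}")
            continue
        if not in_range(value, id_range):
            findings.append(f"{kind} out of range: {name}={value}")
        if name in legacy and legacy[name] != value:
            # Files owned by the old ID would belong to someone else.
            findings.append(f"{kind} changed: {name} {legacy[name]}->{value}")
        if value in seen:
            findings.append(f"{kind} duplicate: {seen[value]},{name}={value}")
        seen.setdefault(value, name)
    return findings


def audit():
    # alice=10001 (uid) and staff=10001 (gid) are in different number
    # spaces, so that pair is not reported as a clash.
    return (check("uidNumber", LEGACY_UIDS, AD_USERS)
            + check("gidNumber", LEGACY_GIDS, AD_GROUPS))


if __name__ == "__main__":
    for line in audit():
        print(line)
```
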