Dear all;

Would anybody be able to tell me what the idmap configuration is to have Samba do the same SID-to-user/group mapping as the SSSD defaults? I was convinced I saw it on this list or the wiki not too long ago, but I cannot seem to find it.

// Best wishes; Johan

On 03/09/2020 18:04, Johan Hattne via samba wrote:
> Dear all;
>
> Would anybody be able to tell me what the idmap configuration is to
> have Samba do the same SID-to-user/group mapping as the SSSD
> defaults? I was convinced I saw it on this list or the wiki not too
> long ago, but I cannot seem to find it.
>
> // Best wishes; Johan
>

If you mean the large numbers that sssd seems to use, then that is probably not possible with Samba. From my understanding, sssd uses an algorithm that uses a combination of the domain SID and the user/group RID to calculate the Unix ID, or it uses the RFC2307 attributes. Samba calculates from the user/group RID + the lower range you set in smb.conf, or it uses the RFC2307 attributes.

Can I ask why you asked?

Rowland

On Thu, Sep 03, 2020 at 06:43:32PM +0100, Rowland penny via samba wrote:
> On 03/09/2020 18:04, Johan Hattne via samba wrote:
> > Dear all;
> >
> > Would anybody be able to tell me what the idmap configuration is to have
> > Samba do the same SID-to-user/group mapping as the SSSD defaults? I was
> > convinced I saw it on this list or the wiki not too long ago, but I
> > cannot seem to find it.
> >
> > // Best wishes; Johan
> >
> If you mean the large numbers that sssd seems to use, then that is probably
> not possible with Samba. From my understanding, sssd uses an algorithm that
> uses a combination of the domain SID and the user/group RID to calculate the
> Unix ID, or it uses the RFC2307 attributes. Samba calculates from the
> user/group RID + the lower range you set in smb.conf, or it uses the RFC2307
> attributes.

Hmmm. Would it be useful to add an idmap backend that uses the same algorithm?

On 2020-09-03 10:43, Rowland penny via samba wrote:
> On 03/09/2020 18:04, Johan Hattne via samba wrote:
>> Dear all;
>>
>> Would anybody be able to tell me what the idmap configuration is to
>> have Samba do the same SID-to-user/group mapping as the SSSD
>> defaults? I was convinced I saw it on this list or the wiki not too
>> long ago, but I cannot seem to find it.
>>
>> // Best wishes; Johan
>>
> If you mean the large numbers that sssd seems to use, then that is
> probably not possible with Samba. From my understanding, sssd uses an
> algorithm that uses a combination of the domain SID and the user/group
> RID to calculate the Unix ID, or it uses the RFC2307 attributes. Samba
> calculates from the user/group RID + the lower range you set in
> smb.conf, or it uses the RFC2307 attributes.
>
> Can I ask why you asked?

This is an inherited environment originally set up with SSSD which I'd like to migrate to winbindd. If I could find a way to match the UIDs and GIDs, that would save some time.

I believe that what I see so far matches what Andrew describes: for some UID ranges, SSSD and winbind's autorid agree, for others not. From this thread I gather the reason I did not find what I was initially looking for is that I had only imagined its existence.

Thanks a lot for all your replies!

// Cheers; Johan

On 9/3/20 1:04 PM, Johan Hattne via samba wrote:
> Dear all;
>
> Would anybody be able to tell me what the idmap configuration is to have
> Samba do the same SID-to-user/group mapping as the SSSD defaults? I was
> convinced I saw it on this list or the wiki not too long ago, but I
> cannot seem to find it.
>
> // Best wishes; Johan
>

# getent group "domain users@ad.yourdomain.com"

That group id - 513 is the start, and that start + 200000 (default slice size) is the end.

Then add:

idmap config YOURDOMAIN : range = start-end
idmap config YOURDOMAIN : backend = rid

or try the sss idmapper, but if you are removing sssd and want to continue using the sssd range, use the rid backend.

Note: This works with any Samba release, even the latest ones.
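
Added example (not part of any message in this thread, and not Samba or SSSD code): a Python sketch of the procedure in the last message, which derives the rid range from the Domain Users GID and then checks SID-to-ID pairs recorded under SSSD against the idmap_rid formula ID = RID - BASE_RID + LOW_RANGE_ID. The getent line, SIDs, Unix IDs and the domain name EXAMPLE are constructed sample values, and all function names are hypothetical.

```python
# Added example: rid range from the SSSD-assigned "Domain Users" GID, then a
# check that captured SSSD IDs are reproduced by idmap_rid. Names hypothetical.
DOMAIN_USERS_RID = 513
SLICE_SIZE = 200000  # slice size quoted in the message above

# Constructed sample input (not from a real system).
GETENT_LINE = "domain users@ad.example.com:*:1234400513:"
SID_PREFIX = "S-1-5-21-1111111111-2222222222-3333333333"
CAPTURED = {                       # SID -> Unix ID recorded while SSSD was in use
    SID_PREFIX + "-513": 1234400513,
    SID_PREFIX + "-1104": 1234401104,
    SID_PREFIX + "-250000": 1500050000,   # high RID, ID outside the first slice
}

def parse_getent_gid(line):
    """Return the numeric GID from one `getent group` line (name:pw:gid:members)."""
    fields = line.strip().split(":")
    if len(fields) < 3 or not fields[2].isdigit():
        raise ValueError(f"not a getent group line: {line!r}")
    return int(fields[2])

def rid_range(domain_users_gid):
    """start = GID - 513, end = start + 200000, as described in the message."""
    start = domain_users_gid - DOMAIN_USERS_RID
    if start <= 0:
        raise ValueError("GID is too small to be a mapped Domain Users ID")
    return start, start + SLICE_SIZE

def rid_backend_id(sid, start, end, base_rid=0):
    """idmap_rid mapping: ID = RID - BASE_RID + LOW_RANGE_ID, None if out of range."""
    unix_id = int(sid.rsplit("-", 1)[1]) - base_rid + start
    return unix_id if start <= unix_id <= end else None

def smb_conf(domain, start, end):
    """The two smb.conf lines from the message, with the computed range filled in."""
    return (f"idmap config {domain} : range = {start}-{end}\n"
            f"idmap config {domain} : backend = rid")

def mismatches(captured, start, end):
    """SIDs whose SSSD-era ID the rid backend would not reproduce."""
    return sorted(s for s, old in captured.items() if rid_backend_id(s, start, end) != old)

if __name__ == "__main__":
    start, end = rid_range(parse_getent_gid(GETENT_LINE))
    print(smb_conf("EXAMPLE", start, end))
    for sid in mismatches(CAPTURED, start, end):
        print("not reproduced by the rid backend:", sid)
```

Any SID listed as a mismatch would not keep its old Unix ID under the rid backend, so files owned by that ID should be reviewed before the switch.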