On 30/10/2020 11:20, Ralph Boehme wrote:
> On 10/30/20 at 12:11 PM, Rowland penny via samba wrote:
>> On 30/10/2020 11:06, Ralph Boehme via samba wrote:
>>> On 10/30/20 at 10:20 AM, Thomas Besser via samba wrote:
>>>> Can I configure winbind to use 'local' users and groups from NSS?
>>> there's idmap_nss that may work for you.
>>>
>>> -slow
>> Already mentioned that, problem is it is an allocating backend, unless I
>> am reading the manpage wrong.
> ah, missed that. :)
>
> idmap_nss is not an allocating backend, I guess the manpage text might
> be a bit misleading.
>
> -slow
>

A bit ?

'while using allocation to create new mappings'

I have never used this backend, but what you are saying is that it will use the SID from AD? and map this to a Unix user or group. For the OP this would probably entail creating Unix users & groups with the uidNumber or gidNumbers from LDAP. If this is the case, you might just as well add these *idNumbers to AD and use the winbind 'ad' backend.

Rowland
cn at brain-biotech.de
2020-Oct-30 12:21 UTC
[Samba] Samba as AD member & without winbind...
On 30.10.20 at 12:39, Rowland penny via samba wrote:
>
> I have never used this backend, but what you are saying is that it will
> use the SID from AD? and map this to a Unix user or group. For the OP
> this would probably entail creating Unix users & groups with the
> uidNumber or gidNumbers from LDAP. If this is the case, you might just
> as well add these *idNumbers to AD and use the winbind 'ad' backend.

No, with this backend any user that is known to nss (also if it comes from LDAP) is mapped by sAMAccountName to uid. I had this working in an NT Style domain but never tried it with AD.

Regards

Christian

--
Dr. Christian Naumer
Unit Head Bioprocess Development
B.R.A.I.N Aktiengesellschaft
Darmstaedter Str. 34-36, D-64673 Zwingenberg
e-mail cn at brain-biotech.com, homepage www.brain-biotech.com
fon +49-6251-9331-30 / fax +49-6251-9331-11
Registered office: Zwingenberg/Bergstrasse
Court of registration: AG Darmstadt, HRB 24758
Management Board: Adriaan Moelker (Chairman), Lukas Linnig
Chairman of the Supervisory Board: Dr. Georg Kellinghusen
On 10/30/20 at 12:39 PM, Rowland penny via samba wrote:
> On 30/10/2020 11:20, Ralph Boehme wrote:
>> On 10/30/20 at 12:11 PM, Rowland penny via samba wrote:
>>> On 30/10/2020 11:06, Ralph Boehme via samba wrote:
>>>> On 10/30/20 at 10:20 AM, Thomas Besser via samba wrote:
>>>>> Can I configure winbind to use 'local' users and groups from
>>>>> NSS?
>>>> there's idmap_nss that may work for you.
>>>>
>>>> -slow
>>> Already mentioned that, problem is it is an allocating backend,
>>> unless I am reading the manpage wrong.
>> ah, missed that. :)
>>
>> idmap_nss is not an allocating backend, I guess the manpage text
>> might be a bit misleading.
>
> A bit ?
>
> 'while using allocation to create new mappings'

well, the full text reads:

  This example shows how to use idmap_nss to check the local accounts
  for its own domain while using allocation to create new mappings for
  trusted domains

    [global]
    idmap config * : backend = tdb
    idmap config * : range = 1000000-1999999

    idmap config SAMBA : backend = nss
    idmap config SAMBA : range = 1000-999999

As trusted domains are handled by the default domain *, the sentence is correct.

Patches welcome to improve the wording. :)

-slow

--
Ralph Boehme, Samba Team                https://samba.org/
Samba Developer, SerNet GmbH   https://sernet.de/en/samba/
GPG-Fingerprint   FAE2C6088A24252051C559E4AA1E9B7126399E46
On 30/10/2020 13:17, Ralph Boehme wrote:
> On 10/30/20 at 12:39 PM, Rowland penny via samba wrote:
>> On 30/10/2020 11:20, Ralph Boehme wrote:
>>> On 10/30/20 at 12:11 PM, Rowland penny via samba wrote:
>>>> On 30/10/2020 11:06, Ralph Boehme via samba wrote:
>>>>> On 10/30/20 at 10:20 AM, Thomas Besser via samba wrote:
>>>>>> Can I configure winbind to use 'local' users and groups from
>>>>>> NSS?
>>>>> there's idmap_nss that may work for you.
>>>>>
>>>>> -slow
>>>> Already mentioned that, problem is it is an allocating backend,
>>>> unless I am reading the manpage wrong.
>>> ah, missed that. :)
>>>
>>> idmap_nss is not an allocating backend, I guess the manpage text
>>> might be a bit misleading.
>> A bit ?
>>
>> 'while using allocation to create new mappings'
> well, the full text reads:
>
>   This example shows how to use idmap_nss to check the local accounts
>   for its own domain while using allocation to create new mappings for
>   trusted domains
>
>     [global]
>     idmap config * : backend = tdb
>     idmap config * : range = 1000000-1999999
>
>     idmap config SAMBA : backend = nss
>     idmap config SAMBA : range = 1000-999999
>
> As trusted domains are handled by the default domain *, the sentence is
> correct.
>
> Patches welcome to improve the wording. :)
>
> -slow
>

OK, before I go to the trouble of creating a patch, how about this instead:

  This example shows how to use idmap_nss to obtain the local account
  ID's for its own domain (SAMBA) from NSS, whilst allocating new mappings
  for the default domain (*) and any trusted domains.

Rowland
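
Added example, not part of the thread or of Samba's own code: a small Python check that reads the `idmap config` lines quoted above, reports which section (the domain's own or the default `*`) handles a given domain and whether that backend allocates new mappings, and flags overlapping ID ranges. The `ALLOCATING` set and the function names are assumptions made for this illustration.

```python
import re

# Constructed sample: the smb.conf fragment quoted in the thread.
SMB_CONF = """\
[global]
    idmap config * : backend = tdb
    idmap config * : range = 1000000-1999999
    idmap config SAMBA : backend = nss
    idmap config SAMBA : range = 1000-999999
"""

# Assumption for this example: backends that create and store new mappings.
ALLOCATING = {"tdb", "autorid"}

LINE = re.compile(
    r"^\s*idmap config\s+(\S+)\s*:\s*(backend|range)\s*=\s*(.+?)\s*$", re.I)

def parse_idmap(text):
    """Return {domain: {"backend": str, "range": (low, high)}}."""
    domains = {}
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # not an idmap line (section header, blank, other option)
        dom, key, val = m.group(1), m.group(2).lower(), m.group(3)
        entry = domains.setdefault(dom, {})
        if key == "range":
            low, high = (int(x) for x in val.split("-"))
            entry["range"] = (low, high)
        else:
            entry["backend"] = val.lower()
    return domains

def resolve(domains, name):
    """Section that handles a domain: its own if configured, else default '*'."""
    key = name if name in domains else "*"
    backend = domains[key]["backend"]
    return key, backend, backend in ALLOCATING

def overlapping(domains):
    """Pairs of configured domains whose ID ranges intersect."""
    items = sorted((d, c["range"]) for d, c in domains.items() if "range" in c)
    return [(a, b) for i, (a, ra) in enumerate(items)
            for b, rb in items[i + 1:] if ra[0] <= rb[1] and rb[0] <= ra[1]]

if __name__ == "__main__":
    cfg = parse_idmap(SMB_CONF)
    for dom in ("SAMBA", "TRUSTED"):  # TRUSTED is a hypothetical trusted domain
        print(dom, resolve(cfg, dom))
    print("overlaps:", overlapping(cfg))
```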