I've had some progress on this using autorid and rid. A few issues however.
My home directory and other folders grant permissions to my NIS UID, but with
Winbind, my files are written using the UID that was generated by idmap, so
files I write have a different owner or I don't have permission at all to
write to existing folders.
Winbind doesn't recognize all of my group memberships (even for non-nested
groups). I can query specific groups via wbinfo and see my name in the group,
but when I restrict a share using a flat AD group, it does not give me access.
If I share using "Domain Users", this works.
--
Shannon
-----Original Message-----
From: Rowland Penny <rpenny at samba.org>
Sent: Sunday, September 18, 2022 11:16 AM
To: samba at lists.samba.org
Subject: Re: [Samba] Samba 4 without winbind
On 18/09/2022 16:46, Shannon Price via samba wrote:
> Thank you for the response, Rowland. Very helpful and we would like to
> move to a more modern setup.
>
> Your suggestion to move to AD means getting rid of NIS, correct? Using the
> users and groups from AD rather than NIS. I agree that this would be a better
> place to be, but have never been clear about the transition since our
> infrastructure has been based on NIS for so long. Can I simply run some Samba
> servers in the old style while converting others to all AD? Because of NFS
> back-end, our multiple Samba servers can serve the same files - \\SAMBA1\homes
> and \\SAMBA2\homes can all find my home directory. I think that Winbind handles
> the ID mapping between SIDs and UIDs, but I have no idea how that would work
> across multiple Samba servers doing things differently.
>
> --
> Shannon
>
>
Samba provides several different ways of mapping AD users & groups to Unix
IDs; the main ones are the 'autorid', 'rid' and 'ad' backends.
'autorid' is the easiest to set up, you just add a couple of lines to
the smb.conf:
idmap config * : backend = autorid
idmap config * : range = 10000-9999999
'rid' is very similar:
idmap config * : backend = tdb
idmap config * : range = 3000-7999
idmap config DOMAIN : backend = rid
idmap config DOMAIN : range = 10000-999999
Neither of the above requires adding anything to AD: the first calculates the
Unix ID from the Windows RID and allows multiple domains without any further
lines. The second again works in a similar way, but is only used for a single
domain; you can add further 'DOMAIN' lines for trusted domains.
'ad' works differently, but uses lines very similar to the 'rid'
variant (and you can add multiple domains like the 'rid' backend); there
is one big difference: you must add rfc2307 attributes to AD. This may be a way
out of your difficulties, as NIS will have its own IDs and you should be able
to use these for your user & group uidNumber & gidNumber attributes.
Whichever backend you use, if you use the same basic smb.conf on every Unix
machine, you will always get the same IDs. You should also be aware that
you cannot have the same username or group name in /etc/passwd & /etc/group
that also exists in AD; the former will always be used first. My advice would be
to just have users & groups in AD, apart from one or two local Unix Admins,
just in case anything goes wrong.
If you require any further information, just ask.
Rowland
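The following is an added illustration, not code from the thread or from the Samba project. It reproduces the arithmetic the 'rid' backend uses (Unix ID = low end of the configured range + RID, minus an optional base_rid that defaults to 0), parses the idmap lines of an smb.conf, and flags overlapping ranges, which make a Unix ID ambiguous. The smb.conf text is the 'rid' example from the message above; the domain SID, the RIDs and the second "bad" config are constructed values. Running it against the real smb.conf lets an admin predict the UID winbind will hand out on each server and compare it with the NIS UID from `id -u` before moving files or shares, which is exactly the mismatch described at the top of this thread.

```python
"""Predict the Unix ID that winbind's 'rid' idmap backend will produce.

Added example (not from the Samba project).  The 'rid' backend maps
    unix_id = range_low + (RID - base_rid)
and refuses to map an ID that falls outside the configured range.
"""
import re

# Matches lines such as "idmap config DOMAIN : range = 10000-999999".
IDMAP_RE = re.compile(
    r"^\s*idmap\s+config\s+(\S+)\s*:\s*(backend|range|base_rid)\s*=\s*(\S+)\s*$",
    re.IGNORECASE,
)

# The 'rid' configuration quoted in the message above.
SMB_CONF = """
[global]
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999
   idmap config DOMAIN : backend = rid
   idmap config DOMAIN : range = 10000-999999
"""

# Constructed mis-configuration: the DOMAIN range overlaps the default range.
BAD_CONF = """
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999
   idmap config DOMAIN : backend = rid
   idmap config DOMAIN : range = 5000-20000
"""

# Constructed domain SID; a real one comes from `wbinfo --domain-info DOMAIN`.
DOMAIN_SIDS = {"DOMAIN": "S-1-5-21-111-222-333"}


def parse_idmap(smb_conf):
    """Return {domain_name: {"backend", "low", "high", "base_rid"}}."""
    doms = {}
    for line in smb_conf.splitlines():
        m = IDMAP_RE.match(line)
        if not m:
            continue
        dom, key, val = m.group(1).upper(), m.group(2).lower(), m.group(3)
        d = doms.setdefault(dom, {"backend": "", "low": 0, "high": 0, "base_rid": 0})
        if key == "backend":
            d["backend"] = val.lower()
        elif key == "range":
            lo, hi = val.split("-")
            d["low"], d["high"] = int(lo), int(hi)
        else:
            d["base_rid"] = int(val)
    return doms


def overlapping_ranges(doms):
    """List (domA, domB) pairs whose ID ranges intersect; should be empty."""
    names = sorted(doms)
    bad = []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            x, y = doms[a], doms[b]
            if x["low"] <= y["high"] and y["low"] <= x["high"]:
                bad.append((a, b))
    return bad


def rid_to_unix_id(sid, doms, domain_sids):
    """Unix ID for a user/group SID under the 'rid' backend, or None if unmappable."""
    prefix, _, rid_str = sid.rpartition("-")
    rid = int(rid_str)
    for name, dom_sid in domain_sids.items():
        if dom_sid != prefix:
            continue
        d = doms.get(name.upper())
        if d is None or d["backend"] != "rid":
            return None  # domain not configured for rid; winbind would fail the lookup
        unix_id = d["low"] + (rid - d["base_rid"])
        # Out-of-range IDs are not handed out; the file would get no usable owner.
        return unix_id if d["low"] <= unix_id <= d["high"] else None
    return None  # SID belongs to no configured domain


if __name__ == "__main__":
    conf = parse_idmap(SMB_CONF)
    print("overlaps:", overlapping_ranges(conf))
    print("uid for RID 1105:", rid_to_unix_id("S-1-5-21-111-222-333-1105", conf, DOMAIN_SIDS))
    print("bad config overlaps:", overlapping_ranges(parse_idmap(BAD_CONF)))
```

Because the result depends only on the smb.conf text and the domain SID, two servers with identical idmap lines compute identical IDs, which is the point being made about keeping the same basic smb.conf everywhere. The 'ad' backend is the one where the answer instead comes from the uidNumber/gidNumber attributes, so there the check is simply whether those attributes carry the NIS UID/GID.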