On 14/02/2023 11:41, Vaughan, Robert J via samba wrote:
> I am the UNIX admin and don't have a use for all domain users group
> since all domain users won't be UNIX (or SAMBA) users
>> Your decision.
>
> What do you mean by "It isn't as if you can have a user group with
> the same name as the user"? We currently do have group names in UNIX
> (local and in LDAP) that are the same as a user (not a real person, but a
> shared/admin type account for an application) - is there some problem for AD
> with that? I thought all it cared about was the SID?
>> In AD, all names must be unique, you cannot have a user called 'fred'
>> and a group called 'fred'
>> You also shouldn't have a local Unix user (one in /etc/passwd) called
>> 'fred' and another user in AD called 'fred'. Depending on where
>> 'winbind' appears in the passwd line in /etc/nsswitch will decide which
>> user will be used, they will never be the same user.
>> If you do want usergroups, then there is only one way, use the 'rid'
>> idmap backend and you will get synthetic usergroups, the group isn't
>> stored anywhere, the 'rid' idmap backend creates it on the fly.
>> The downside of using the 'rid' idmap backend is, every AD user and
>> group becomes a Unix user or group.
We created the groups we have in UNIX LDAP in AD, gave them the same gidNumber,
this seems to work?
>> Now, can I ask what you are actually trying to achieve ?
>> What is the application ?
We will be migrating our UNIX LDAP to AD. Our UNIX LDAP is used by a few
Windows users for shell logins, and by quite a few for SAMBA. Our environment
is Solaris and Red Hat, with Solaris being replaced by Red Hat.
The users don't have Linux workstations.
Right now production is still using UNIX LDAP.
AD DCs are all Windows and managed by another team. All the users use AD for
their Windows client.
All users are assigned a UID by the corp.
I am testing a Red Hat SAMBA domain member in two modes (via snapshots I can
switch back and forth), one with winbind only, and one with winbind using sssd.
Thanks,
Robert Vaughan
----------------------------------------------------------------------
This is an e-mail from General Dynamics Land Systems. It is for the intended
recipient only and may contain confidential and privileged information. No one
else may read, print, store, copy, forward or act in reliance on it or its
attachments. If you are not the intended recipient, please return this message
to the sender and delete the message and any attachments from your computer.
Your cooperation is appreciated.
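To check the two points raised in the quoted reply, as an added example that is not from the thread or from Samba itself: the 'rid' backend's ID arithmetic (ID = RID - base_rid + range_low, as documented for idmap_rid) and whether a name present both in /etc/passwd and in AD resolves to the local or the winbind user depending on the order of the passwd line in /etc/nsswitch.conf. The SIDs, accounts and the 10000-999999 range are constructed for the example.

```python
import re
from typing import Dict, List, Optional, Set

# Matches a domain SID and captures its trailing RID (assumed standard S-1-5-21-... form).
SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+-(\d+)$")


def rid_backend_id(sid: str, range_low: int, range_high: int, base_rid: int = 0) -> Optional[int]:
    """Unix ID the way idmap_rid derives it: ID = RID - base_rid + range_low.
    Returns None when the result falls outside the configured range (winbind then
    refuses to map the object), or when the SID is not a domain SID."""
    m = SID_RE.match(sid)
    if not m:
        return None
    unix_id = int(m.group(1)) - base_rid + range_low
    return unix_id if range_low <= unix_id <= range_high else None


def passwd_names(passwd_text: str) -> Set[str]:
    """Account names from /etc/passwd-style text (the local 'files' NSS source)."""
    return {ln.split(":")[0] for ln in passwd_text.splitlines() if ln and not ln.startswith("#")}


def name_collisions(local_names: Set[str], ad_names: Set[str]) -> List[str]:
    """Names present both locally and in AD: the 'fred' case from the thread."""
    return sorted(local_names & ad_names)


def lookup_source(name: str, nsswitch_passwd: str, local_names: Set[str], ad_names: Set[str]) -> Optional[str]:
    """Which NSS source answers getpwnam(name), given the sources of the 'passwd:' line
    in nsswitch.conf. The first listed source that knows the name wins; the other copy
    of the account is never seen, so the two are never the same user."""
    for src in nsswitch_passwd.split():
        if src == "files" and name in local_names:
            return "files"
        if src == "winbind" and name in ad_names:
            return "winbind"
    return None


# Constructed sample data (not real accounts): a local passwd file and AD users with SIDs.
LOCAL_PASSWD = "root:x:0:0:root:/root:/bin/bash\nfred:x:1001:1001:App svc:/home/fred:/bin/sh\n"
AD_USERS: Dict[str, str] = {"fred": "S-1-5-21-1-2-3-1105", "alice": "S-1-5-21-1-2-3-1106"}
RANGE_LOW, RANGE_HIGH = 10000, 999999  # assumed 'idmap config DOM : range = 10000-999999'

if __name__ == "__main__":
    local = passwd_names(LOCAL_PASSWD)
    for user, sid in AD_USERS.items():
        print(user, "->", rid_backend_id(sid, RANGE_LOW, RANGE_HIGH))
    for clash in name_collisions(local, set(AD_USERS)):
        for order in ("files winbind", "winbind files"):
            print(f"{clash!r} with 'passwd: {order}' resolves via {lookup_source(clash, order, local, set(AD_USERS))}")
```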