Rowland Penny
2023-Mar-10 15:51 UTC
[Samba] AD Functional Level vs very old SaMBa member server
On 10/03/2023 15:20, Tamás Németh via samba wrote:
> Well, thank you for still replying to me. The thing is that this particular
> SaMBa server is THE original Linux server of my working place, hosting tons
> of home-made ancient perl and PHP programs written by former colleagues,
> and these programs interact with the dozens of SaMBa shares. This is why we
> never had the time to fully analyze its structure and upgrade it somehow
> while working on other projects. That PAM SMB module is used by the web
> server of the mentioned perl and PHP programs.
>
> Now we'd like to raise the functional level of our Windows domain, and
> we're afraid we will have to completely analyze and replace this ancient
> server.

I think you already know the answer to that :-|

> The smb.conf is basically like the following
>
> [global]
> netbios name = samba1
> workgroup = AD
> interfaces = 192.168.0.8/24
> bind interfaces only = yes
> security = domain
> username level = 0
> password server = 192.168.0.8
> encrypt passwords = yes
> name resolve order = wins bcast
> browsable = yes
> strict allocate = yes
> unix extensions = no
> dos charset = 852
> unix charset = ISO8859-2
> display charset = ISO8859-2
> case sensitive = no
> default case = lower
> preserve case = yes
> short preserve case = yes

If (using 4.17.5) you remove the defaults, you get this:

[global]
    workgroup = AD
    interfaces = 192.168.0.8/24
    bind interfaces only = yes
    security = domain
    strict allocate = yes
    unix extensions = no
    dos charset = 852
    unix charset = ISO8859-2
    display charset = ISO8859-2

But that isn't enough for AD, and here comes the bit that is probably going to make your hair turn white:

Your users are probably in /etc/passwd. You cannot do that on a Unix domain member: all the users are in AD and winbind maps them to Unix users.

Your users probably have IDs that start at '1000', and if you want to keep these IDs, then you are going to have to use the winbind 'ad' idmap backend, which means that, at a minimum, you will need to add lines like these (and add uidNumber & gidNumber attributes to AD):

    idmap config * : backend = tdb
    idmap config * : range = 1000000-999999999
    idmap config AD : backend = ad
    idmap config AD : schema_mode = rfc2307
    idmap config AD : unix_nss_info = yes
    idmap config AD : range = 1000-999999

Though if you do not care about the existing IDs, you could use the 'rid' idmap backend:

    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    idmap config AD : backend = rid
    idmap config AD : range = 10000-999999

That will calculate the user's Unix ID from the user's AD RID plus 10000.

You will also have to remove the users from /etc/passwd (same goes for groups).

You will also have to add a line to your smb.conf:

    realm = YOUR.DNS.DOMAIN.IN.UPPERCASE

I think that is enough for you to think about at the moment, except to ask: what do all those scripts do? You might not need some (or all) of them with AD.

Rowland
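As an added example (not part of Rowland's reply and not Samba's own code), the following Python works through the arithmetic of the 'rid' idmap backend described above and the range checks a domain member's idmap configuration has to pass. The idmap lines are the 'rid' variant from the reply; the domain SID is the one visible in the wbinfo output later in this thread. The mapping matters for access control: the Unix id that winbind hands out is what ends up as owner and group on files under the shares, so a RID that maps outside the configured range, or two domains whose ranges overlap, means either no access or the wrong user getting access.

```python
"""Added example, not Samba's code: the id arithmetic of winbind's 'rid' idmap
backend and the range sanity checks for a member server's smb.conf.
The idmap lines are the 'rid' variant from the reply above; the domain SID is
the one shown in the thread's wbinfo output."""
import re

# The 'rid' variant from the reply, as it would appear in smb.conf.
SMB_CONF = """
[global]
    workgroup = AD
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    idmap config AD : backend = rid
    idmap config AD : range = 10000-999999
"""

DOMAIN_SID = "S-1-5-21-1632654815-303659134-1628659390"

_IDMAP_RE = re.compile(r"^\s*idmap\s+config\s+(\S+)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.I)


def parse_idmap(conf):
    """Collect 'idmap config <dom> : <key> = <val>' lines into a dict keyed by domain."""
    domains = {}
    for line in conf.splitlines():
        m = _IDMAP_RE.match(line)
        if not m:
            continue
        dom, key, val = m.group(1).upper(), m.group(2).lower(), m.group(3)
        entry = domains.setdefault(dom, {})
        if key == "range":
            low, high = (int(x) for x in val.split("-"))
            entry["range"] = (low, high)
        else:
            entry[key] = val
    return domains


def check_ranges(domains):
    """Problems testparm/winbind flag: no default ('*') range, or two domains
    whose ranges overlap (two different SIDs could then share one Unix id)."""
    problems = []
    if "range" not in domains.get("*", {}):
        problems.append("no 'idmap config * : range' for BUILTIN and well-known SIDs")
    ranged = [(d, e["range"]) for d, e in domains.items() if "range" in e]
    for i, (d1, (l1, h1)) in enumerate(ranged):
        for d2, (l2, h2) in ranged[i + 1:]:
            if l1 <= h2 and l2 <= h1:
                problems.append(f"idmap ranges of {d1} and {d2} overlap")
    return problems


def rid_sid_to_id(sid, domain_sid, rng):
    """rid backend: unix_id = RID + low end of the range. A SID from another
    domain, or one that lands above the range, stays unmapped (None)."""
    low, high = rng
    prefix = domain_sid + "-"
    if not sid.startswith(prefix) or not sid[len(prefix):].isdigit():
        return None
    unix_id = low + int(sid[len(prefix):])
    return unix_id if unix_id <= high else None


def rid_id_to_sid(unix_id, domain_sid, rng):
    """Reverse direction: only ids inside the domain's range belong to it."""
    low, high = rng
    if not low <= unix_id <= high:
        return None
    return f"{domain_sid}-{unix_id - low}"


if __name__ == "__main__":
    cfg = parse_idmap(SMB_CONF)
    print("config problems:", check_ranges(cfg) or "none")
    # RID 1950 was uid 1301 on the old server; with 'rid' it becomes 11950,
    # which is exactly why the reply says this backend loses the existing IDs.
    print(rid_sid_to_id(DOMAIN_SID + "-1950", DOMAIN_SID, cfg["AD"]["range"]))
```

Run it as-is to see the 'rid' mapping for RID 1950 (11950, not the 1301 the old server used); edit the two range lines to overlap and `check_ranges` reports the same condition testparm complains about. Well-known SIDs such as S-1-5-32-544 (BUILTIN\Administrators) are not in the domain and return None from the rid functions, which is why the '*' default range is still required.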
Tamás Németh
2023-Mar-10 20:35 UTC
[Samba] AD Functional Level vs very old SaMBa member server
Will I really HAVE to use the idmap backends AD or RID? I was planning to use TDB2 with a script which I've already written:

[root@fs3 samba]# ./idmap.sh IDTOSID UID 1301
SID:S-1-5-21-1632654815-303659134-1628659390-1950
[root@fs3 samba]# ./idmap.sh IDTOSID GID 198
SID:S-1-5-21-1632654815-303659134-1628659390-3247
[root@fs3 samba]# ./idmap.sh SIDTOID S-1-5-21-1632654815-303659134-1628659390-1950
UID:1301
[root@fs3 samba]# ./idmap.sh SIDTOID S-1-5-21-1632654815-303659134-1628659390-3247
UID:198

It periodically collects UIDs and GIDs from the ancient SaMBa, and collects SIDs with wbinfo. I hope it will ensure that UIDs and GIDs are equal to those in /etc/passwd and /etc/group on the old server. Is it feasible to use this script with TDB2, knowing that UIDs start at 1000 and GIDs start at 100? Can the range of TDB2 be set this low?

Rowland Penny via samba <samba@lists.samba.org> wrote (at 16:52 on Fri, 10 Mar 2023):
>
> On 10/03/2023 15:20, Tamás Németh via samba wrote:
> > Well, thank you for still replying to me. The thing is that this particular
> > SaMBa server is THE original Linux server of my working place, hosting tons
> > of home-made ancient perl and PHP programs written by former colleagues,
> > and these programs interact with the dozens of SaMBa shares. This is why we
> > never had the time to fully analyze its structure and upgrade it somehow
> > while working on other projects. That PAM SMB module is used by the web
> > server of the mentioned perl and PHP programs.
> >
> > Now we'd like to raise the functional level of our Windows domain, and
> > we're afraid we will have to completely analyze and replace this ancient
> > server.
>
> I think you already know the answer to that :-|
>
> > The smb.conf is basically like the following
> >
> > [global]
> > netbios name = samba1
> > workgroup = AD
> > interfaces = 192.168.0.8/24
> > bind interfaces only = yes
> > security = domain
> > username level = 0
> > password server = 192.168.0.8
> > encrypt passwords = yes
> > name resolve order = wins bcast
> > browsable = yes
> > strict allocate = yes
> > unix extensions = no
> > dos charset = 852
> > unix charset = ISO8859-2
> > display charset = ISO8859-2
> > case sensitive = no
> > default case = lower
> > preserve case = yes
> > short preserve case = yes
>
> If (using 4.17.5) you remove the defaults, you get this:
>
> [global]
>     workgroup = AD
>     interfaces = 192.168.0.8/24
>     bind interfaces only = yes
>     security = domain
>     strict allocate = yes
>     unix extensions = no
>     dos charset = 852
>     unix charset = ISO8859-2
>     display charset = ISO8859-2
>
> But that isn't enough for AD, and here comes the bit that is probably
> going to make your hair turn white:
>
> Your users are probably in /etc/passwd. You cannot do that on a Unix
> domain member: all the users are in AD and winbind maps them to Unix
> users.
>
> Your users probably have IDs that start at '1000', and if you
> want to keep these IDs, then you are going to have to use the winbind
> 'ad' idmap backend, which means that, at a minimum, you will need to add
> lines like these (and add uidNumber & gidNumber attributes to AD):
>
>     idmap config * : backend = tdb
>     idmap config * : range = 1000000-999999999
>     idmap config AD : backend = ad
>     idmap config AD : schema_mode = rfc2307
>     idmap config AD : unix_nss_info = yes
>     idmap config AD : range = 1000-999999
>
> Though if you do not care about the existing IDs, you could use the
> 'rid' idmap backend:
>
>     idmap config * : backend = tdb
>     idmap config * : range = 3000-7999
>     idmap config AD : backend = rid
>     idmap config AD : range = 10000-999999
>
> That will calculate the user's Unix ID from the user's AD RID plus 10000.
>
> You will also have to remove the users from /etc/passwd (same goes for
> groups).
>
> You will also have to add a line to your smb.conf:
>     realm = YOUR.DNS.DOMAIN.IN.UPPERCASE
>
> I think that is enough for you to think about at the moment, except to
> ask: what do all those scripts do? You might not need some (or all) of
> them with AD.
>
> Rowland
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba