This samba file server is an ldap client and an AD client.

So listening port is not a problem. I just worry about idmapping.

Arnaud

On 30/03/2024 at 09:19, Rowland Penny via samba wrote:
> On Thu, 28 Mar 2024 17:00:48 +0100 (CET)
> Arnaud Bougeard via samba <samba at lists.samba.org> wrote:
>
>> Thanks Rowland for your answer.
>>
>> I passed the idmap config UR parameter: unix_nss_info to yes and it
>> works
>>
>> I work in a university with a large number of users.
>> The RIDs, which I understand as the last digits of the SID, are from
>> 1000 to 300000 and uids from the LDAP are from 500 to 29009894.
>>
>> So I don't really know what to do with it?
>>
>> I modified idmap to:
>> idmap config * : backend = tdb
>> idmap config * : range = 16777216-33554431
>> idmap config UR : backend = ad
>> idmap config UR : range = 1000-350000
>> idmap config UR : unix_nss_info = yes
>> Is it good?
>>
> You ignore the 'ldap', Samba will not 'talk' to it.
>
> You are running Samba with 'security = ADS' and it is a member of the
> 'UR' NetBIOS domain. This means that 'winbind' will look for and use
> the AD DCs in the 'UR' domain, it will not look for or use any other
> ldap.
>
> You may have a problem here, AD uses the ldap ports '389', '636',
> '3268' and '3269', ldap by default also uses '389' and '636'. You
> cannot have two programs using the same ports.
>
> I think you have a couple of options here:
> 1) Move everything that is in ldap to AD and then turn the ldap off.
> 2) Move the ldap to another machine and then somehow sync the users
> (including passwords) & groups to AD.
>
> Rowland
On Sat, 30 Mar 2024 11:42:10 +0100
"arnaud.bougeard--- via samba" <samba at lists.samba.org> wrote:
> This samba file server is an ldap client and an AD client.
>
> So listening port is not a problem. I just worry about idmapping.
>

It cannot be both, for a start, using Samba with ldap is akin to running an NT4-style domain and that requires SMBv1, do you really want to use SMBv1?

What you could do is, providing the ldap server is running on another machine and is running as an NT4-style PDC, set up a trust between the AD domain and the PDC. However, because your AD domain uses IDs in the 1000-300000 range and your ldap uses IDs in the 500-29009894 range, you cannot do this, the ranges overlap, more than overlap, the AD range fits inside the ldap range.

From your email address, it looks like your organisation is a university and, as such, I feel you should be using best practice and that doesn't include using SMBv1.

Rowland
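The two checks the thread turns on, that the 'idmap config * : range' and the per-domain 'idmap config UR : range' must not overlap, and that an externally assigned uid range (here the LDAP uidNumbers 500-29009894) must not collide with either of them, are mechanical enough to script. The following is an added example, not code from the original thread or from the Samba project: it parses the idmap lines of a constructed smb.conf fragment built from the settings quoted above, reports overlapping ranges, and shows whether a given uid would even be accepted by a domain's idmap backend, since idmap_ad ignores IDs outside its configured range. The LDAP range is treated as an assumed external range taken from Arnaud's message; the function and variable names are this example's own.

```python
"""Sanity-check smb.conf idmap ranges for overlap.

Added example. It parses only the 'idmap config <domain> : <key> = <value>'
lines of an smb.conf fragment and checks the configured ranges against each
other and against any externally assigned uid/gid ranges.
"""
import re
from typing import Dict, Iterable, List, Tuple

Range = Tuple[int, int]

# Constructed smb.conf fragment reproducing the idmap settings quoted above.
SMB_CONF = """
[global]
    security = ADS
    workgroup = UR
    idmap config * : backend = tdb
    idmap config * : range = 16777216-33554431
    idmap config UR : backend = ad
    idmap config UR : range = 1000-350000
    idmap config UR : unix_nss_info = yes
"""

# Assumed external range: the uidNumbers held in the separate LDAP server.
LDAP_UID_RANGE: Range = (500, 29009894)

# Matches e.g. "idmap config UR : range = 1000-350000" (case-insensitive key/domain).
IDMAP_RE = re.compile(r"^\s*idmap\s+config\s+(\S+)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.I)


def parse_idmap(conf: str) -> Dict[str, Dict[str, str]]:
    """Return {domain: {option: value}} for every 'idmap config' line."""
    domains: Dict[str, Dict[str, str]] = {}
    for line in conf.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            dom, key, val = m.groups()
            domains.setdefault(dom, {})[key.lower()] = val
    return domains


def parse_range(text: str) -> Range:
    """Parse 'low-high' (spaces around the dash allowed) into (low, high)."""
    parts = re.split(r"\s*-\s*", text.strip())
    if len(parts) != 2:
        raise ValueError(f"malformed idmap range: {text!r}")
    lo, hi = int(parts[0]), int(parts[1])
    if lo > hi:
        raise ValueError(f"idmap range low > high: {text!r}")
    return lo, hi


def overlaps(a: Range, b: Range) -> bool:
    """True when the closed intervals a and b share at least one ID."""
    return a[0] <= b[1] and b[0] <= a[1]


def check_idmap(conf: str, external: Iterable[Tuple[str, Range]] = ()) -> List[str]:
    """Return a list of human-readable problems; an empty list means no overlap found."""
    problems: List[str] = []
    domains = parse_idmap(conf)
    if "*" not in domains:
        problems.append("no 'idmap config * : range' default domain configured")
    ranges: Dict[str, Range] = {}
    for dom, opts in domains.items():
        if "range" not in opts:
            problems.append(f"idmap config {dom} has a backend but no range")
            continue
        ranges[dom] = parse_range(opts["range"])
    # Every configured domain range must be disjoint from every other one.
    names = sorted(ranges)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if overlaps(ranges[a], ranges[b]):
                problems.append(f"idmap ranges for '{a}' {ranges[a]} and '{b}' {ranges[b]} overlap")
    # IDs handed out by something other than winbind must not collide either.
    for label, rng in external:
        for dom, r in ranges.items():
            if overlaps(rng, r):
                problems.append(f"external range {label} {rng} overlaps idmap config '{dom}' {r}")
    return problems


def accepted_by_idmap(conf: str, domain: str, unix_id: int) -> bool:
    """idmap_ad ignores IDs outside its range: report whether winbind would hand this one out."""
    opts = parse_idmap(conf).get(domain)
    if not opts or "range" not in opts:
        return False
    lo, hi = parse_range(opts["range"])
    return lo <= unix_id <= hi


if __name__ == "__main__":
    for p in check_idmap(SMB_CONF, [("LDAP uidNumber", LDAP_UID_RANGE)]):
        print("PROBLEM:", p)
    print("uid 20000 accepted for UR:", accepted_by_idmap(SMB_CONF, "UR", 20000))
    print("uid 400000 accepted for UR:", accepted_by_idmap(SMB_CONF, "UR", 400000))
```

On the quoted configuration the two winbind ranges are disjoint, so the only findings are the two collisions between the LDAP uid span and the configured ranges, which is the overlap Rowland describes. A uidNumber of 400000 stored in AD would be silently ignored by the 'UR' backend because it lies above 350000, which is the kind of mismatch the range check is meant to surface before users start losing file ownership.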