Andreas Hasenack
2024-Jun-14 20:32 UTC
[Samba] Choosing a backend idmap and example scenarios for each one
Hi,

On Fri, Jun 14, 2024 at 4:44 PM Elias Pereira via samba <samba at lists.samba.org> wrote:

> hi,
>
> Knowing the 3 idmap backends (ad, rid and autorid) available to configure
> samba as a domain member, could you give examples of scenarios in which
> each backend would be more suitable?

I also wrote some documentation for the ubuntu server guide about this, recently. Here is one point of entry:
https://ubuntu.com/server/docs/choosing-an-integration-method

Some more practical docs start here:
https://ubuntu.com/server/docs/join-a-domain-with-winbind-preparation
including a cross-forest example. The bottom of each page has a link to provide feedback.

Rowland Penny
2024-Jun-15 07:48 UTC
[Samba] Choosing a backend idmap and example scenarios for each one
On Fri, 14 Jun 2024 17:32:30 -0300 Andreas Hasenack via samba <samba at lists.samba.org> wrote:

> Hi,
>
> On Fri, Jun 14, 2024 at 4:44 PM Elias Pereira via samba <samba at lists.samba.org> wrote:
>
> > hi,
> >
> > Knowing the 3 idmap backends (ad, rid and autorid) available to
> > configure samba as a domain member, could you give examples of
> > scenarios in which each backend would be more suitable?
>
> I also wrote some documentation for the ubuntu server guide about
> this, recently. Here is one point of entry:
> https://ubuntu.com/server/docs/choosing-an-integration-method

That first one doesn't even mention idmap_ad

Why do you use the range 100000 - 199999 for the default '*' domain, when this is meant for the Well Known SIDs and anything outside the 'DOMAIN' domain (which really means '0'), there are less than 200 Well Known SIDs.

Wouldn't 'Not a member server' be better as 'Authentication only' with the caveat that you only run Winbind for this (which is what sssd really is).

The main difference between idmap_rid and idmap_autorid is that it is easier to set up idmap_autorid, just two lines, but it will also suffer from the same problem that sssd does, if a domain gets large enough, you will get ID collisions.

> Some more practical docs start here:
> https://ubuntu.com/server/docs/join-a-domain-with-winbind-preparation
> including a cross-forest example.

Why does Ubuntu seem to require the hostname setting to a FQDN, but Debian just requires the short hostname?

Rowland
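
The range questions raised in this thread can be checked mechanically. The following is an added example, not part of the thread or of the Samba or Ubuntu documentation: it parses `idmap config` lines, reports overlapping ranges, and applies the `ID = RID - BASE_RID + LOW_RANGE_ID` formula from idmap_rid(8). The `EXAMPLE` domain, the sample configuration and all function names are constructed for illustration.

```python
import re
from itertools import combinations

# Constructed sample smb.conf fragment; the overlap is deliberate.
SAMPLE_CONF = """
[global]
    security = ads
    idmap config * : backend = tdb
    idmap config * : range = 100000-199999
    idmap config EXAMPLE : backend = rid
    idmap config EXAMPLE : range = 150000-999999
"""

IDMAP_RE = re.compile(
    r"^\s*idmap config\s+(\S+)\s*:\s*(\w[\w ]*?)\s*=\s*(.+?)\s*$", re.I)

def parse_idmap(conf):
    """Return {domain: {option: value}} for every 'idmap config' line."""
    domains = {}
    for line in conf.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            dom, opt, val = m.groups()
            domains.setdefault(dom.upper(), {})[opt.lower()] = val
    return domains

def ranges(domains):
    """Return {domain: (low, high)} for domains that set a range."""
    out = {}
    for dom, opts in domains.items():
        if "range" in opts:
            low, high = (int(x) for x in opts["range"].split("-"))
            out[dom] = (low, high)
    return out

def overlapping(rngs):
    """Pairs of domains whose ID ranges intersect (two SIDs could share one ID)."""
    return [(a, b) for (a, ra), (b, rb) in combinations(sorted(rngs.items()), 2)
            if ra[0] <= rb[1] and rb[0] <= ra[1]]

def rid_to_id(rid, low, high, base_rid=0):
    """idmap_rid formula; None when the result falls outside the range."""
    unix_id = rid - base_rid + low
    return unix_id if low <= unix_id <= high else None

if __name__ == "__main__":
    rngs = ranges(parse_idmap(SAMPLE_CONF))
    print("overlaps:", overlapping(rngs))
    print("RID 1104 ->", rid_to_id(1104, *rngs["EXAMPLE"]))
```

A RID whose computed ID falls outside the configured range returns `None` here, which is the sizing check to run against the highest RID in the domain before fixing a range for the rid backend.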