Rowland Penny
2024-Jun-15 07:48 UTC
[Samba] Choosing a backend idamp and example scenarios for each one
On Fri, 14 Jun 2024 17:32:30 -0300 Andreas Hasenack via samba <samba at lists.samba.org> wrote:

> Hi,
>
> On Fri, Jun 14, 2024 at 4:44 PM Elias Pereira via samba <
> samba at lists.samba.org> wrote:
>
> > hi,
> >
> > Knowing the 3 idmap backends (ad, rid and autorid) available to
> > configure samba as a domain member, could you give examples of
> > scenarios in which each backend would be more suitable?
> >
>
> I also wrote some documentation for the ubuntu server guide about
> this, recently. Here is one point of entry:
> https://ubuntu.com/server/docs/choosing-an-integration-method

That first one doesn't even mention idmap_ad

Why do you use the range 100000 - 199999 for the default '*' domain, when this is meant for the Well Known SIDs and anything outside the 'DOMAIN' domain (which really means '0'), there are less than 200 Well Known SIDs.

Wouldn't 'Not a member server' be better as 'Authentication only' with the caveat that you only run Winbind for this (which is what sssd really is).

The main difference between idmap_rid and idmap_autorid is that it is easier to set up idmap_autorid, just two lines, but it will also suffer from the same problem that sssd does, if a domain gets large enough, you will get ID collisions.

> Some more practical docs start here:
> https://ubuntu.com/server/docs/join-a-domain-with-winbind-preparation
> including a cross-forest example.

Why does Ubuntu seem to require the hostname setting to a FQDN, but Debian just requires the short hostname ?

Rowland
Elias Pereira
2024-Jun-20 00:12 UTC
[Samba] Choosing a backend idamp and example scenarios for each one
Thank you all!!!! Great content!!!

Speaking of scenarios... What would be the best backend for?

Scenario 1:
3 DCs and 1 fileserver
2800 users

Scenario 2:
4 DCs and 2 fileserver
2800+ users

On Sat, Jun 15, 2024 at 4:49 AM Rowland Penny via samba <samba at lists.samba.org> wrote:

> On Fri, 14 Jun 2024 17:32:30 -0300
> Andreas Hasenack via samba <samba at lists.samba.org> wrote:
>
> > Hi,
> >
> > On Fri, Jun 14, 2024 at 4:44 PM Elias Pereira via samba <
> > samba at lists.samba.org> wrote:
> >
> > > hi,
> > >
> > > Knowing the 3 idmap backends (ad, rid and autorid) available to
> > > configure samba as a domain member, could you give examples of
> > > scenarios in which each backend would be more suitable?
> > >
> >
> > I also wrote some documentation for the ubuntu server guide about
> > this, recently. Here is one point of entry:
> > https://ubuntu.com/server/docs/choosing-an-integration-method
>
> That first one doesn't even mention idmap_ad
>
> Why do you use the range 100000 - 199999 for the default '*' domain,
> when this is meant for the Well Known SIDs and anything outside the
> 'DOMAIN' domain (which really means '0'), there are less than 200 Well
> Known SIDs.
>
> Wouldn't 'Not a member server' be better as 'Authentication
> only' with the caveat that you only run Winbind for this (which is what
> sssd really is).
>
> The main difference between idmap_rid and idmap_autorid is that it is
> easier to set up idmap_autorid, just two lines, but it will also suffer
> from the same problem that sssd does, if a domain gets large enough,
> you will get ID collisions.
>
> >
> > Some more practical docs start here:
> > https://ubuntu.com/server/docs/join-a-domain-with-winbind-preparation
> > including a cross-forest example.
>
> Why does Ubuntu seem to require the hostname setting to a FQDN, but
> Debian just requires the short hostname ?
>
> Rowland

--
Elias Pereira
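Added example, not part of either message and not Samba's own code: a small checker for the range questions raised in this thread. It parses "idmap config" lines, confirms that the '*' default range and the domain range do not overlap, and applies the idmap_rid(8) formula ID = RID - BASE_RID + LOW_RANGE_ID to show the highest RID a range can still map. The domain name EXAMPLE, the ranges and all function names are constructed for illustration.

```python
# Added illustration, not code from the thread or from Samba.
# Mapping rule is the one documented in idmap_rid(8):
#   ID = RID - BASE_RID + LOW_RANGE_ID   (base_rid defaults to 0)
import re

# Constructed smb.conf fragment; domain name and ranges are sample values.
SMB_CONF = """
idmap config * : backend = tdb
idmap config * : range = 3000-7999
idmap config EXAMPLE : backend = rid
idmap config EXAMPLE : range = 10000-999999
"""

LINE = re.compile(r"^\s*idmap config\s+(\S+)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.I)

def parse_idmap(conf):
    """Return {domain: {option: value}} for every 'idmap config' line."""
    out = {}
    for line in conf.splitlines():
        m = LINE.match(line)
        if m:
            dom, opt, val = m.groups()
            out.setdefault(dom, {})[opt.lower()] = val
    return out

def ranges(cfg):
    """Return {domain: (low, high)} as integers."""
    return {d: tuple(int(x) for x in o["range"].split("-"))
            for d, o in cfg.items() if "range" in o}

def overlaps(rng):
    """Pairs of domains whose ID ranges intersect (should be empty)."""
    doms = sorted(rng)
    return [(a, b) for i, a in enumerate(doms) for b in doms[i + 1:]
            if rng[a][0] <= rng[b][1] and rng[b][0] <= rng[a][1]]

def rid_to_id(rid, low, high, base_rid=0):
    """idmap_rid formula; None when the result falls outside the range."""
    unix_id = rid - base_rid + low
    return unix_id if rid >= base_rid and low <= unix_id <= high else None

def highest_rid(low, high, base_rid=0):
    """Largest RID the configured range can still map."""
    return high - low + base_rid
```

Because the idmap_rid result depends only on the RID and the configured range, two file servers carrying the same lines compute the same uid/gid for the same account, and the range has to be sized for the highest RID issued in the domain rather than for the number of users.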