On 2024-06-20 13:13, Rowland Penny via samba wrote:
> On Thu, 20 Jun 2024 12:59:58 +0200
> Olaf Frączyk via samba <samba at lists.samba.org> wrote:
>
>> I use uids from this range for many, many years, since samba 3. :)
> Which unfortunately was a bad idea, using Samba IDs that start at
> '1000' means that you cannot have ANY local users. What happens if you
> have AD problems and your users & groups cannot be resolved from AD,
> how do you fix it ? Especially on distros like Ubuntu that only use
> sudo ?
The only local user I need for this setup is root. And I don't have a
problem logging in as root - I use Almalinux there.
And, if really needed, I can assign a uidNumber to a local unix user in
a way that doesn't overlap with the ones used by samba - e.g. 10000 and above.
These samba uidNumbers are from the times when local linux users started
from 500 and I assumed that starting at 1000 for samba would be enough; this
was 20 years ago or more.
>
>> And I want/need to use this range - to change it now would be a mess.
>> And I need to be able to set them manually, not in an automatic way.
> It is totally your decision what range to use and yes, it wouldn't be
> easy to change individual Unix domain members.
> There is no way to set uidNumber & gidNumber attributes automatically,
> you must supply them manually.
>
>> By server I mean a domain member server.
>>
>> So on samba DC I have: "idmap_ldb:use rfc2307 = yes"
>>
>> And on a samba domain member server (that serves files to clients) I
>> have
>>
>> idmap config * : backend = tdb
>> idmap config * : range = 20000-20999
>> idmap config NAVIDOM:backend = ad
>> idmap config NAVIDOM:schema_mode = rfc2307
>> idmap config NAVIDOM:range = 1000-9999
>> idmap config NAVIDOM:unix_nss_info = yes
>> idmap config NAVIDOM:unix_primary_group = yes
>> winbind use default domain = yes
>> winbind nss info = rfc2307
>>
>> So to summarize:
>>
>> In order to use it this way - do I need the "idmap_ldb:use rfc2307
>> yes" on DC or not?
>>
> In one word, NO.
OK. Thank you.
Olaf
>
> Rowland
>
>