On 2024-06-20 13:13, Rowland Penny via samba wrote:
> On Thu, 20 Jun 2024 12:59:58 +0200
> Olaf Frączyk via samba <samba at lists.samba.org> wrote:
>
>> I use uids from this range for many, many years, since samba 3. :)
> Which unfortunately was a bad idea, using Samba IDs that start at
> '1000' means that you cannot have ANY local users. What happens if you
> have AD problems and your users & groups cannot be resolved from AD,
> how do you fix it ? Especially on distros like Ubuntu that only use
> sudo ?

The only local user I need for this setup is root. And I don't have a problem logging in as root - I use Almalinux there.

And, if really needed, I can assign a uidNumber for a local unix user in a way that doesn't overlap with the ones used by samba - e.g. 10000 and above.

These samba uidNumbers are from the time when local linux users started from 500 and I assumed that starting at 1000 for samba would be enough; this was 20 years ago or more.

>> And I want/need to use this range - to change it now would be a mess.
>> And I need to be able to set them manually, not in an automatic way.
> It is totally your decision what range to use and yes, it wouldn't be
> easy to change individual Unix domain members.
> There is no way to set uidNumber & gidNumber attributes automatically,
> you must supply them manually.
>
>> By server I mean a domain member server.
>>
>> So on samba DC I have: "idmap_ldb:use rfc2307 = yes"
>>
>> And on a samba domain member server (that serves files to clients) I
>> have
>>
>>     idmap config * : backend = tdb
>>     idmap config * : range = 20000-20999
>>     idmap config NAVIDOM:backend = ad
>>     idmap config NAVIDOM:schema_mode = rfc2307
>>     idmap config NAVIDOM:range = 1000-9999
>>     idmap config NAVIDOM:unix_nss_info = yes
>>     idmap config NAVIDOM:unix_primary_group = yes
>>     winbind use default domain = yes
>>     winbind nss info = rfc2307
>>
>> So to summarize:
>>
>> In order to use it this way - do I need the "idmap_ldb:use rfc2307
>> yes" on DC or not?
>>
> In one word, NO.

OK. Thank you.

Olaf

> Rowland
On Thu, 20 Jun 2024 13:49:41 +0200
Olaf Frączyk via samba <samba at lists.samba.org> wrote:

> On 2024-06-20 13:13, Rowland Penny via samba wrote:
>> On Thu, 20 Jun 2024 12:59:58 +0200
>> Olaf Frączyk via samba <samba at lists.samba.org> wrote:
>>
>>> I use uids from this range for many, many years, since samba 3. :)
>> Which unfortunately was a bad idea, using Samba IDs that start at
>> '1000' means that you cannot have ANY local users. What happens if
>> you have AD problems and your users & groups cannot be resolved
>> from AD, how do you fix it ? Especially on distros like Ubuntu that
>> only use sudo ?
>
> The only local user I need for this setup is root. And I don't have a
> problem logging in as root - I use Almalinux there.

Yes, but a lot of people use distros without using 'root' directly, this means they must use something like sudo, which means local users in /etc/passwd

> And, if really needed, I can assign a uidNumber for a local unix user
> in a way that doesn't overlap with the ones used by samba - e.g. 10000
> and above.

Not saying you cannot, but you will then have to manually assign the Unix ID instead of allowing the OS to set it.

> These samba uidNumbers are from the time when local linux users started
> from 500 and I assumed that starting at 1000 for samba would be enough;
> this was 20 years ago or more.

Yes, some distros did start IDs from 500, but that was later changed to 1000. Times change, but it looks like you haven't.

As I said, I can only make suggestions, which are based on current best practice, whether you accept them is up to you, it is your network.

Rowland
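Rowland's point in the thread is that a Samba ID range starting at 1000 collides with the uids most distros hand to local accounts, so a winbind outage can leave an admin unable to log in. As an added example (not code from the thread or from the Samba project), here is a small Python check that parses the `idmap config ... : range` lines of an smb.conf, here the domain member config quoted above embedded as a constructed sample, and reports local /etc/passwd uids that fall inside a range as well as idmap ranges that overlap each other; the passwd entries are constructed too.

```python
import re
# Constructed smb.conf fragment mirroring the domain member config quoted in the thread.
SMB_CONF = """[global]
   idmap config * : backend = tdb
   idmap config * : range = 20000-20999
   idmap config NAVIDOM:backend = ad
   idmap config NAVIDOM:schema_mode = rfc2307
   idmap config NAVIDOM:range = 1000-9999
"""
# Constructed passwd sample: root plus the first local account most distros create at uid 1000.
PASSWD = """root:x:0:0:root:/root:/bin/bash
nobody:x:65534:65534:Nobody:/:/sbin/nologin
admin:x:1000:1000:Local admin:/home/admin:/bin/bash
"""
# 'idmap config DOM : range = low-high', tolerating the spacing variants seen in the thread.
RANGE_RE = re.compile(r"^\s*idmap\s+config\s+(\S+?)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)\s*$", re.I)

def parse_idmap_ranges(conf):
    """Return {domain: (low, high)} for every idmap range line in conf."""
    ranges = {}
    for line in conf.splitlines():
        m = RANGE_RE.match(line)
        if m:
            ranges[m.group(1)] = (int(m.group(2)), int(m.group(3)))
    return ranges

def parse_passwd_uids(passwd):
    """Return {username: uid} from passwd-format text."""
    uids = {}
    for line in passwd.splitlines():
        parts = line.split(":")
        if len(parts) >= 3 and parts[2].isdigit():
            uids[parts[0]] = int(parts[2])
    return uids

def find_conflicts(conf, passwd):
    """Report local uids inside an idmap range, and idmap ranges that overlap each other."""
    ranges = parse_idmap_ranges(conf)
    problems = []
    for user, uid in parse_passwd_uids(passwd).items():
        for dom, (lo, hi) in ranges.items():
            if lo <= uid <= hi:
                problems.append(f"local user {user} (uid {uid}) inside idmap range {dom}: {lo}-{hi}")
    doms = sorted(ranges)
    for i, a in enumerate(doms):
        for b in doms[i + 1:]:
            if ranges[a][0] <= ranges[b][1] and ranges[b][0] <= ranges[a][1]:
                problems.append(f"idmap ranges {a} and {b} overlap")
    return problems
```

To check a real host, read smb.conf and /etc/passwd into the two arguments of `find_conflicts`; on the thread's config it flags the uid-1000 local account that Rowland describes.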