On 14/04/13 01:37, François Lafont wrote:
Hello,

On 13/04/2013 20:24, steve wrote:

You still have to add the objects. Yourself!
Ok, if I understand, after a provision of a domain with samba-tool and the 
"--use-rfc2307" option, samba4 can support posixaccount etc. in its database, 
but I have to add the object class and the mandatory attributes myself.
It can do that whether you provision with --use-rfc2307 or not. I believe that it adds the possibility of adding the uid:gid from windows. I've never used windows for this.

But, after this:

-------------------------------------------
samba-tool domain provision --realm=CHEZMOI.PRIV --domain=CHEZMOI \
     --server-role=dc --dns-backend=SAMBA_INTERNAL --adminpass='+toto123' \
     --use-rfc2307

ln -s /usr/local/samba/lib/libnss_winbind.so /lib/libnss_winbind.so
ln -s /lib/libnss_winbind.so /lib/libnss_winbind.so.2

# I add winbind in nsswitch.conf
sed -i -r -e 's/^(passwd:.*)$/\1 winbind/g' -e 's/^(group:.*)$/\1 winbind/g' /etc/nsswitch.conf

samba
-------------------------------------------

I have a few users and groups which are already created:

# wbinfo -u
Administrator
Guest
krbtgt

# wbinfo -g
Enterprise Read-Only Domain Controllers
Domain Admins
Domain Users
Domain Guests
Domain Computers
Domain Controllers
Schema Admins
Enterprise Admins
Group Policy Creator Owners
Read-Only Domain Controllers
DnsUpdateProxy

Must I add "objectclass: posixAccount", "uid: ...", "uidNumber: ..." etc. entries 
for each account above?
And must I add "objectclass: posixGroup", "gidNumber: ..." etc. entries for each 
group above?
If you want to pull uid:gid from AD then you'll need to add uidNumber and gidNumber for users and gidNumber for groups. All users which need to login will need the attributes but there's no need to allocate gidNumber to all the groups. Many of them have no meaning in Linux. e.g. To begin with, just allocate a gidNumber to Domain Users. A good way to decide which gidNumber to allocate is to take the RID of the group and add, say, 20000 to keep it well away from local groups. As the RID of Domain Users is 513 then our gidNumber becomes 20513.

For users, we allocated our first user uidNumber 3000032 to avoid collision with the xidnumbers which have to remain in idmap. Each subsequent user increments this value. It's tedious doing this by hand but easy to create an ldif which contains the values to add as and when a new user is created.

Which uid/gid numbers should I use?

Without "posixAccount" "uid" "uidNumber" etc. entries, the domain accounts are 
automatically already allied to a uid number that I can see with "getent passwd":

# getent passwd Guest
CHEZMOI\Guest:*:3000011:3000012::/home/CHEZMOI/Guest:/bin/false

uid=3000011 although I have done no change in the Guest account.
Those uid:gid pairs are coming from idmap. idmap is not part of AD and confuses the issue for many of us. If you are going to add more DCs, these uid:gids will change depending upon which DC you refer to. Probably (almost certainly) not what you want.

How does Samba choose these uid/gid numbers (e.g. 3000011/3000012), and how can I 
choose my uid/gid numbers so that there is never a conflict with the uid/gid 
chosen automatically by Samba?
That is best answered by looking at:
ldbsearch --url=/usr/local/samba/private/idmap.ldb
There, you'll see the sids with the xidnumber that Samba has allocated to them. This xidnumber becomes the uid or gid depending upon whether the object is a user, group or both. A basic set of objects has to remain in idmap so leave it as it is after provision. If you add the line idmap_ldb:use rfc2307 = Yes to smb.conf (which I believe the provision has already done for you) then any new user or group object that is created will not have an entry in idmap. You are then free to add the necessary uid/gidNumbers to AD.

Another problem: just after provision, the /usr/local/samba/var/locks/sysvol/ 
repository is already created with particular settings regarding the unix 
rights and the acl (with particular uid/gid numbers). Must I change the 
(unix/acl) rights of this repository too?

There's another thread here at the moment about how or how not to do that.
Some of us have given up on winbind for idmapping. There are easier ways to get rfc2307 from the database which keep the uid:gid consistent independent of which DC is consulted. nss-ldapd is one of them and sssd seems to be gaining ground because of its simplicity. I'm a strong believer in keeping things as simple as possible. Because of this I believe that rfc2307 stuff should always be sourced from AD and we should not use an external idmap.
Where? I don't see it. Personally, I have never succeeded in getting "rfc2307" working, 
until now.
My purpose is to have the same uid/gid numbers between 2 samba4 servers.

Sorry, I can't access the list archive at the moment. The thread is called 'Some clarification?'
Cheers,
Steve
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
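As an added example that is not part of the thread, the following script applies Steve's numbering scheme from the two replies above (gidNumber = RID + 20000, so Domain Users becomes 20513; uidNumber counting up from 3000032) and emits the LDIF that adds those attributes to AD. The SID, the user name "alice" and the DNs are constructed placeholders for the CHEZMOI.PRIV domain provisioned above.

```shell
#!/bin/sh
# Added example, not code from the thread: number AD users and groups the way
# Steve describes (gidNumber = RID + 20000, uidNumber counting up from 3000032)
# and print the LDIF that adds those attributes to AD. The SID and DNs below are
# constructed placeholders for the CHEZMOI.PRIV domain provisioned above.
GID_OFFSET=20000        # keeps group ids well clear of local /etc/group entries
UID_BASE=3000032        # first uidNumber, above the xidNumbers idmap.ldb must keep

# rid_of SID: the last dash-separated component of an objectSid string
rid_of() {
    printf '%s\n' "$1" | sed 's/.*-//'
}

# gid_for_sid SID: RID plus offset, e.g. Domain Users (RID 513) -> 20513
gid_for_sid() {
    echo $(( $(rid_of "$1") + GID_OFFSET ))
}

# uid_for_index N: uidNumber of the N-th user created after provision (0-based)
uid_for_index() {
    echo $(( UID_BASE + $1 ))
}

# group_ldif DN GID: modify entry adding gidNumber to an existing group
group_ldif() {
    printf 'dn: %s\nchangetype: modify\nadd: gidNumber\ngidNumber: %s\n-\n\n' "$1" "$2"
}

# user_ldif DN UID GID: modify entry adding uidNumber and primary gidNumber to a user
user_ldif() {
    printf 'dn: %s\nchangetype: modify\nadd: uidNumber\nuidNumber: %s\n-\nadd: gidNumber\ngidNumber: %s\n-\n\n' "$1" "$2" "$3"
}

# Demo: Domain Users plus the first user. Feed the output to
#   ldbmodify -H /usr/local/samba/private/sam.ldb
# (sam.ldb sits beside the idmap.ldb path quoted in the thread; assumed here).
DOMAIN_USERS_SID='S-1-5-21-1111111111-2222222222-3333333333-513'   # constructed SID
GID=$(gid_for_sid "$DOMAIN_USERS_SID")
group_ldif 'CN=Domain Users,CN=Users,DC=chezmoi,DC=priv' "$GID"
user_ldif 'CN=alice,CN=Users,DC=chezmoi,DC=priv' "$(uid_for_index 0)" "$GID"
```

Only uidNumber and gidNumber are written, as in Steve's reply; groups or users that should stay Windows-only simply get no entry.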
