On 14/04/2013 08:00, steve wrote:
>> Ok, if I understand, after a provision of a domain with samba-tool and
>> the "--use-rfc2307" option, samba4 can support posixaccount etc. in
>> its database, but I have to add the object class and the mandatory
>> attributes myself.
> It can do that whether you provision with --use-rfc2307 or not.

Are you sure? In this case, I won't use this option.

> I believe that it adds the possibility of adding the uid:gid from windows.
> I've never used windows for this.

Me too. I prefer to manage the AD in the samba server.

> If you want to pull uid:gid from AD then you'll need to add uidNumber
> and gidNumber for users and gidNumber for groups.

And "memberUid" too for groups, isn't it?

> All users which need to login will need the attributes but there's no
> need to allocate gidNumber to all the groups. Many of them have no
> meaning in Linux. e.g. To begin with, just allocate a gidNumber to
> Domain Users. A good way to decide which gidNumber to allocate is to
> take the RID of the group and add, say, 20000 to keep it well away from
> local groups. As the RID of Domain Users is 513 then our gidNumber
> becomes 20513.
>
> For users, we allocated our first user uidNumber 3000032 to avoid
> collision with the xidnumbers which have to remain in idmap.

I don't think that 3000032 is a good uidNumber because idmap seems to
use the "3000000-4000000" range.

>> # getent passwd Guest
>> CHEZMOI\Guest:*:3000011:3000012::/home/CHEZMOI/Guest:/bin/false
>>
>> uid=3000011 although I have done no change in the Guest account.oming
>> from /ur/
> Those uid:gid pairs are coming from idmap. idmap is not part of AD and
> confuses the issue for many of us. If you are going to add more DCs,
> these uid:gids will change depending upon which DC you refer to.
> Probably (almost certainly) not what you want.

Absolutely. :)

>> How does Samba choose these uid/gid numbers (e.g. 3000011/3000012) and
>> how can I choose my uid/gid numbers so that there is never a conflict
>> with the uid/gid chosen automatically by Samba?
> That is best answered by looking at:
> ldbsearch --url=/usr/local/samba/private/idmap.ldb

Ok, it's a good answer indeed. And I can see:

----------------------------------------------------
# ldbsearch --url=/usr/local/samba/private/idmap.ldb cn=config
# record 1
dn: CN=CONFIG
cn: CONFIG
lowerBound: 3000000
upperBound: 4000000
xidNumber: 3000017
distinguishedName: CN=CONFIG
----------------------------------------------------

Then, I understand that idmap uses the "3000000-4000000" range to assign
xidNumber to the users and groups.

> There, you'll see the sids with the xidnumber that Samba has allocated
> to them. This xidnumber becomes the uid or gid depending upon whether
> the object is a user, group or both. A basic set of objects has to
> remain in idmap so leave it as it is after provision. If you add the
> line idmap_ldb:use rfc2307 = Yes to smb.conf (which I believe the
> provision has already done for you) then any new user or group object
> that is created will not have an entry in idmap. You are then free to
> add the necessary uid/gidNumbers to AD.

Yes, indeed:

----------------------------------------------------
# grep 'rfc' /usr/local/samba/etc/smb.conf
idmap_ldb:use rfc2307 = yes
# samba
# samba-tool user add test4 "test4"
User 'test4' created successfully
# ldbsearch --url=/usr/local/samba/private/sam.ldb cn=test4 | grep -i objectsid
objectSid: S-1-5-21-3840058276-1254623269-3939424142-1106
# ldbsearch --url=/usr/local/samba/private/idmap.ldb cn=S-1-5-21-3840058276-1254623269-3939424142-1106
# returned 0 records
# 0 entries
# 0 referrals
----------------------------------------------------

But after this:

----------------------------------------------------
# getent passwd test4
CHEZMOI\test4:*:3000019:100::/home/CHEZMOI/test4:/bin/false
----------------------------------------------------

the idmap entry is automatically created:

----------------------------------------------------
# ldbsearch --url=/usr/local/samba/private/idmap.ldb cn=S-1-5-21-3840058276-1254623269-3939424142-1106
# record 1
dn: CN=S-1-5-21-3840058276-1254623269-3939424142-1106
cn: S-1-5-21-3840058276-1254623269-3939424142-1106
objectClass: sidMap
objectSid: S-1-5-21-3840058276-1254623269-3939424142-1106
type: ID_TYPE_BOTH
xidNumber: 3000019
distinguishedName: CN=S-1-5-21-3840058276-1254623269-3939424142-1106
----------------------------------------------------

I have noticed that I have exactly the same behavior without the
"idmap_ldb:use rfc2307 = yes" option. Then, I don't see exactly the
meaning of this option...

> Sorry, I can't access the list archive at the moment. The thread is
> called 'Some clarification?'

Ok, I see. Thanks a lot for your explanations Steve. It's become clearer
in my mind. :)

--
François Lafont

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
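An added example (not part of the thread) that mechanises the two checks the mail circles around: it parses ldbsearch output in the form shown above to read the idmap.ldb allocation range and to tell whether a SID already has an xidNumber, then applies Steve's RID+20000 rule for group gidNumbers and flags hand-picked uid/gidNumbers (such as 3000032) that fall inside the idmap range. The LDIF strings are constructed copies of the records quoted in the mail.

```python
import re
# Constructed samples in the LDIF form ldbsearch prints, with values copied
# from the thread: idmap.ldb's CN=CONFIG record and the two lookups of test4's SID.
IDMAP_CONFIG = """\
# record 1
dn: CN=CONFIG
lowerBound: 3000000
upperBound: 4000000
xidNumber: 3000017
"""
TEST4_SID = "S-1-5-21-3840058276-1254623269-3939424142-1106"
LOOKUP_BEFORE = "# returned 0 records\n# 0 entries\n# 0 referrals\n"
LOOKUP_AFTER = """\
dn: CN=%s
objectClass: sidMap
objectSid: %s
xidNumber: 3000019
""" % (TEST4_SID, TEST4_SID)

def parse_record(text):
    """One ldbsearch record -> dict; '#' lines are comments, so '0 records' parses to {}."""
    rec = {}
    for line in text.splitlines():
        if line and not line.startswith("#"):
            key, _, value = line.partition(":")
            rec[key.strip()] = value.strip()
    return rec

def idmap_range(config_ldif=IDMAP_CONFIG):
    cfg = parse_record(config_ldif)
    return int(cfg["lowerBound"]), int(cfg["upperBound"])

def allocated_xid(lookup_output):
    """xidNumber idmap.ldb has already handed to this SID, or None."""
    rec = parse_record(lookup_output)
    return int(rec["xidNumber"]) if "xidNumber" in rec else None

def rid_of(sid):
    """RID is the last sub-authority of a domain SID (S-1-5-21-a-b-c-RID)."""
    m = re.fullmatch(r"S-1-5-21(?:-\d+){3}-(\d+)", sid)
    if not m: raise ValueError("not a domain SID: " + sid)
    return int(m.group(1))

def gid_for_group(sid, offset=20000):
    """Steve's rule: gidNumber = RID + 20000, so Domain Users (RID 513) -> 20513."""
    return rid_of(sid) + offset

def collides_with_idmap(xid, config_ldif=IDMAP_CONFIG):
    """True when a hand-picked uidNumber/gidNumber lies in the idmap range."""
    lo, hi = idmap_range(config_ldif)
    return lo <= xid <= hi
```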