Mapping Samba UIDs to AD Unix Attribute UIDs


Post by dblviking »

Hi all,

So when I authenticate to a Samba share as a domain user, it works. Unfortunately the Samba daemon gives me a random UID (12500), which breaks proper ownership mapping because my Unix Attribute AD UID is 45000. The idmap range in the nas4free smb.conf file is 10000-39999. I *assume* this is why it's broken. But when I change it to 10000-99999999 and save, it reverts back to 39999.

Can anyone help me pull the correct UID/GUID from AD for remote smb connections?
Thanks!

Here's the pertinent global portion and then what I put in the AUX section in the GUI:
passdb backend = tdbsam
allow trusted domains = yes
idmap config * : backend = tdb
idmap config * : range = 10000-39999
idmap config MYDOMAIN : backend = rid
idmap config MYDOMAIN : range = 10000-39999
realm = my.domain.com
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes
winbind normalize names = yes
template homedir = /mnt
template shell = /bin/sh
aio read size = 4096
aio write size = 4096

ADDED THE FOLLOWING IN AUX SECTION:
idmap backend = ad
idmap gid = 100-99999999
idmap uid = 100-99999999
passdb backend = tdbsam
winbind nss info = rfc2307
winbind separator = +


Re: Mapping Samba UIDs to AD Unix Attribute UIDs

Post by MrAkai »

I got it working (except for secondary groups, which I'll have to figure out before I go into production) by adding this to the aux box:
idmap config * : backend = tdb
idmap config * : range = 516-65500
idmap config DOMAIN : backend = ad
idmap config DOMAIN : default = yes
idmap config DOMAIN : range = 516-65500
idmap config DOMAIN : schema_mode = rfc2307
winbind expand groups = 10
winbind nested groups = Yes
winbind nss info = rfc2307

This correctly pulls down the uid of the user from the unix attributes, but due to some decision made by the Samba team, uses your Windows primary group as the gid for users.

Make sure you have unix mappings for your primary group (domain users usually).

My problem with secondary groups is confusing as heck because wbinfo -r [user] returns the proper list of unix groups, but the "id" command or the "groups" command will only return the primary, and in my testing, the user accounts will not have access to group owned files for secondary groups.

I think my problem may be that there is not a unix GID for every single group in AD, which might break enumeration, even though you would think it would be smarter...
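
An added example, not code from either poster or from the Samba project: a small checker that runs the idmap lines from both posts against the AD UID from the question (45000). It assumes the documented Samba behaviour that the `ad` backend ignores IDs outside its configured range, that `rid` computes IDs instead of reading uidNumber/gidNumber, and that per-domain ranges must not overlap; the names `parse_idmap` and `audit` are hypothetical.

```python
import re

# idmap lines copied from the two posts above (question's global + aux
# section, then the reply's aux box); the checks themselves are added here.
FIRST_POST = """\
idmap config * : backend = tdb
idmap config * : range = 10000-39999
idmap config MYDOMAIN : backend = rid
idmap config MYDOMAIN : range = 10000-39999
idmap backend = ad
idmap uid = 100-99999999
"""
REPLY = """\
idmap config * : backend = tdb
idmap config * : range = 516-65500
idmap config DOMAIN : backend = ad
idmap config DOMAIN : range = 516-65500
"""

IDMAP = re.compile(r"^\s*idmap config\s+(\S+)\s*:\s*(\S+)\s*=\s*(.+?)\s*$", re.I)
LEGACY = re.compile(r"^\s*(idmap (?:uid|gid|backend))\s*=", re.I)

def parse_idmap(text):
    """Return ({domain: {option: value}}, [deprecated parameter names])."""
    domains, legacy = {}, []
    for line in text.splitlines():
        m = IDMAP.match(line)
        if m:
            domains.setdefault(m.group(1), {})[m.group(2).lower()] = m.group(3)
        elif (old := LEGACY.match(line)):
            legacy.append(old.group(1).lower())
    return domains, legacy

def audit(text, domain, unix_id):
    """List findings for one AD uidNumber/gidNumber against the idmap config."""
    domains, legacy = parse_idmap(text)
    ranges = {d: tuple(int(x) for x in o["range"].split("-"))
              for d, o in domains.items() if "range" in o}
    findings = [f"deprecated '{p}' mixed with 'idmap config'" for p in legacy]
    lo, hi = ranges[domain]
    if not lo <= unix_id <= hi:          # ad backend discards IDs outside range
        findings.append(f"{unix_id} outside {domain} range {lo}-{hi}")
    backend = domains[domain].get("backend")
    if backend != "ad":                  # only 'ad' reads the Unix attributes
        findings.append(f"{domain} backend is '{backend}', not 'ad'")
    for other, (olo, ohi) in ranges.items():
        if other != domain and lo <= ohi and olo <= hi:
            findings.append(f"{domain} range overlaps '{other}' range")
    return findings
```

Calling `audit(FIRST_POST, "MYDOMAIN", 45000)` reports the out-of-range UID and the `rid` backend together with the deprecated parameters, while `audit(REPLY, "DOMAIN", 45000)` leaves only the overlap between the `*` and `DOMAIN` ranges.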
