On 24/11/2022 08:00, Leopold Palomo-Avellaneda wrote:
Hi Roland,
On 24/11/22 at 8:00, Roland Gruber wrote:
Hi Leopold,
to assign users uid/uidNumber/gidNumber you will need to use the
"Unix (posixAccount)" module. Make sure to use the "Windows" modules
for the Samba part (and not Samba 3).
Well, I don't want to discuss with the LAM author, but in our tests we
have found that you don't need posixAccount module. samba4 provides
you a uid and gid of your user in the Unix world. Also, configuring it
appropriately, you can share these numbers with the clients. So, why
do we need it?
Whilst you are correct that you do not need posixAccount & posixGroup
objectclasses in AD (all the rfc2307 attributes are standard in AD), you
still need something to add the rfc2307 attributes, in LAM's case, this
is the posixAccount module.
The only place that Samba provides uid's & gid's without configuration
is an AD DC and these numbers are in the '3000000' range. These numbers
are not uidNumber or gidNumber attributes, they are 'xidNumber'
attributes and are only found in idmap.ldb on an AD DC. The 'xidNumber'
attributes can be overridden by adding uidNumber & gidNumber attributes
to AD.
It sounds to me that you are planning to use a Samba AD DC as a
fileserver, if this is the case, then please think again, it isn't
recommended because of the numerous differences between a Samba
fileserver and a DC, to put it bluntly, using a DC as a fileserver will
give you problems.
As I said, this really isn't the place to discuss Samba.
In our case, it is _only_ needed because lam-daemon needs them to
create the home of the user. That is the point. Maybe I'm wrong, this
is why I'm asking. Or did I miss something?
In server profile, Windows, you put the Samba domain name (e.g.
example.com). This should match your LDAP prefix (e.g.
dc=example,dc=com).
We tried and it failed. We can review our test.
The Unix module can autofill the numbers. Please make sure to
configure the UID generator in your server profile (Unix settings).
modules: posixAccount_user_uidGeneratorUsers: range
modules: posixAccount_user_minUID: 6000
modules: posixAccount_user_maxUID: 9000
Those numbers are really too low and they can both start at the same
number, ADUC used to use '10000'.
Are these settings?
As Rowland wrote, all Samba-related questions should go to them. ;-)
Well, the mail surprised me. I was not asking questions about Samba. I
just explained the context where we want to put LAM. And I agree that is
"a world of pain", but we live in a world of diversity (in all the
aspects) and we need interoperability between Mac, Windows and GNU/Linux.
I was just trying to stop myself a lot more work later, when you finally
turned up on the samba mailing list. Better to get it right in the first
place. It sounds like you may already be running a Samba NT4-style
domain, if so, prepare to forget a lot of what you know, AD is very
different, you can have multiple DC's for one.
Rowland Penny
Best regards,
Leopold