On 24/11/2022 11:15, Leopold Palomo-Avellaneda wrote:
El 24/11/22 a les 9:42, Rowland Penny ha escrit:

On 24/11/2022 08:00, Leopold Palomo-Avellaneda wrote:
Hi Roland,

El 24/11/22 a les 8:00, Roland Gruber ha escrit:
Hi Leopold,

to assign users uid/uidNumber/gidNumber you will need to use the
"Unix (posixAccount)" module. Make sure to use the "Windows" modules for the Samba part (and not Samba 3).

well, I don't want to discuss with the LAM author, but in our tests we have found that you don't need the posixAccount module. samba4 provides you a uid and gid of your user in the Unix world. Also, configuring it appropriately, you can share these numbers with the clients. So, why do we need it?


Whilst you are correct that you do not need posixAccount & posixGroup objectclasses in AD (all the rfc2307 attributes are standard in AD), you still need something to add the rfc2307 attributes, in LAM's case, this is the posixAccount module.

So, should I understand that if we want those values, we need the posixAccount module in LAM to get them, right?


Yes, from my understanding, that is the module that adds rfc2307 attributes.




The only place that Samba provides uid's & gid's without configuration is an AD DC and these numbers are in the '3000000' range. These numbers are not uidNumber or gidNumber attributes, they are 'xidNumber' attributes and are only found in idmap.ldb on an AD DC. The 'xidNumber' attributes can be overridden by adding uidNumber & gidNumber attributes to AD.

using the posixAccount module, is it?

No, it uses its own code to add xidNumber attributes to idmap.ldb, these are issued on a first come basis. The attribute is called 'xidNumber', the 'x' isn't a place marker, it is part of the attribute name and the attribute has nothing to do with the rfc2307 uidNumber & gidNumber attributes, in fact some of the Domain groups are marked as 'ID_TYPE_BOTH', they are both a group and a user, I will leave you to work out why that is.




It sounds to me that you are planning to use a Samba AD DC as a fileserver, if this is the case, then please think again, it isn't recommended because of the numerous differences between a Samba fileserver and a DC, to put it bluntly, using a DC as a fileserver will give you problems.

As I said, this really isn't the place to discuss Samba.

Ok, I will subscribe to the samba list and ask about our setup.

[...]

modules: posixAccount_user_uidGeneratorUsers: range
modules: posixAccount_user_minUID: 6000
modules: posixAccount_user_maxUID: 9000


Those numbers are really too low and they can both start at the same number, ADUC used to use '10000'


ok.

Are these settings?

As Rowland wrote all Samba related questions should go to them. ;-)
Well, the mail surprised me. I was not asking questions about Samba. I just explained the context where we want to put LAM. And I agree that it is "a world of pain", but we live in a world of diversity (in all the aspects) and we need interoperability between Mac, Windows and GNU/Linux.


I was just trying to save myself a lot more work later, when you finally turned up on the samba mailing list. Better to get it right in the first place. It sounds like you may already be running a Samba NT4-style domain, if so, prepare to forget a lot of what you know, AD is very different, you can have multiple DCs for one.

But, please, are you writing in this list that you do not recommend SAMBA to provide files to Unix clients and Windows clients?

Because to me it is my central point, sharing files between OS.

No, what I am saying is, do not use a Samba AD DC as a fileserver, set up Unix domain members and use them as fileservers, printservers etc. That way you get all the benefits of Samba and none of the problems of using a DC as a fileserver.



Best regards,


Leopold


See you on the samba mailing list ;-)

Rowland




_______________________________________________
Lam-public mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/lam-public
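
An added example, not part of the thread and not LAM or Samba code: a small audit of a directory export for the rfc2307 `uidNumber` issues discussed above. It flags accounts with no `uidNumber` (which on an AD DC would only have a local xidNumber), values below a floor, and duplicates that would map two accounts to the same Unix identity. The LDIF sample is constructed, the function names are hypothetical, and the floor of 10000 is an assumption taken from the ADUC value mentioned in the thread.

```python
import re

FLOOR = 10000  # assumption: the ADUC starting value mentioned in the thread

# Constructed sample export in LDIF form; not real directory data.
SAMPLE_LDIF = """\
dn: CN=alice,CN=Users,DC=example,DC=test
sAMAccountName: alice
uidNumber: 10001

dn: CN=bob,CN=Users,DC=example,DC=test
sAMAccountName: bob
uidNumber: 6005

dn: CN=carol,CN=Users,DC=example,DC=test
sAMAccountName: carol

dn: CN=dave,CN=Users,DC=example,DC=test
sAMAccountName: dave
uidNumber: 10001
"""

def parse_ldif(text):
    """Return one dict per entry; handles only plain 'attr: value' lines."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = {}
        for line in block.splitlines():
            key, sep, value = line.partition(": ")
            if sep:
                entry[key] = value
        entries.append(entry)
    return entries

def audit(entries, floor=FLOOR):
    """Group account names by the uidNumber problem found."""
    findings = {"missing": [], "below_floor": [], "duplicate": []}
    seen = {}  # uidNumber -> first account that used it
    for e in entries:
        name = e.get("sAMAccountName", e.get("dn"))
        if "uidNumber" not in e:
            findings["missing"].append(name)
            continue
        uid = int(e["uidNumber"])
        if uid < floor:
            findings["below_floor"].append(name)
        if uid in seen:
            findings["duplicate"].append((seen[uid], name))
        seen.setdefault(uid, name)
    return findings
```

Calling `audit(parse_ldif(SAMPLE_LDIF))` on the sample reports carol as missing, bob as below the floor, and alice and dave as sharing one `uidNumber`.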
