User management scripts in AD mode...


Samba - General mailing list

I'm testing the upgrade of some domains from NT mode (LDAP backend) to AD mode.


In NT mode I was (ab)used to using the smbldap-tools for user management, and
I've also extended them a bit to manage, e.g., email aliases and forwarding.

Now, in AD mode, I can rely only on samba-tool, and it seems to me that
something is missing. Apart from the 'reset password' issue in the other thread, for
example:

a) I've not found a way to modify a user: I can create and delete, but
 not modify it (as smbldap-usermodify does).

b) group management seems to me only ''group centric'', e.g. I can manage
 membership in groups, but not in users; e.g., I can modify the members of a
group, but not the groups of a user (as smbldap-usermodify does).

I'm simply ''confused'' by that; I'm only asking for some feedback.
I've been looking at Samba4 and AD domains only for some weeks, so probably
there are good reasons for this, and I don't see them...



But I also ask a more generic question: smbldap-tools was Perl code,
modular, and it was very easy to reuse most of the code to make some
''extensions''.

I want to create some ''samba-user'' addon script; is there some code
documentation/walkthrough/examples... I can read up on?

All the (modules) code is here, right?
        https://github.com/samba-team/samba/tree/master/python/samba/netcmd


Thanks.

--
dott. Marco Gaiarin        GNUPG Key ID: 240A3D66
  Associazione ``La Nostra Famiglia''          http://www.lanostrafamiglia.it/
  Polo FVG   -   Via della Bontà, 7 - 33078   -   San Vito al Tagliamento (PN)
  marco.gaiarin(at)lanostrafamiglia.it   t +39-0434-842711   f +39-0434-842797

                Donate your 5 PER MILLE to LA NOSTRA FAMIGLIA!
      http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000
        (tax code 00307430132, category ONLUS or RICERCA SANITARIA)

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Re: User management scripts in AD mode...

On Wed, 21 Jun 2017 18:52:59 +0200
Marco Gaiarin via samba <[hidden email]> wrote:

>
> I'm testing the upgrade of some domains from NT mode (LDAP backend)
> to AD mode.
>
>
> In NT mode I was (ab)used to using the smbldap-tools for user management, and
> I've also extended them a bit to manage, e.g., email aliases and forwarding.
>
> Now, in AD mode, I can rely only on samba-tool, and it seems to me that
> something is missing. Apart from the 'reset password' issue in the other thread, for
> example:
>
> a) I've not found a way to modify a user: I can create and delete, but
>  not modify it (as smbldap-usermodify does).

smbldap-tools wasn't a Samba tool, but samba-tool is, and there are
several gaps in what it can do. So you need to do what the writers of
smbldap-tools did: write your own scripts.

>
> b) group management seems to me only ''group centric'', e.g. I can
> manage membership in groups, but not in users; e.g., I can modify the
> members of a group, but not the groups of a user (as
> smbldap-usermodify does).

Not sure what you are getting at here; if you add a user to a group in
AD, you not only get a record in the group object, you also get a
record in the user's object:

dn: CN=Unixgroup,CN=Users,DC=samdom,DC=example,DC=com
.....
member: CN=Rowland Penny,CN=Users,DC=samdom,DC=example,DC=com

dn: CN=Rowland Penny,CN=Users,DC=samdom,DC=example,DC=com
.....
memberOf: CN=Unixgroup,CN=Users,DC=samdom,DC=example,DC=com

So you don't have to modify the user at all; again, samba-tool can do
things like this for you, see 'samba-tool group --help'.

>
> I'm simply ''confused'' by that; I'm only asking for some feedback.
> I've been looking at Samba4 and AD domains only for some weeks, so probably
> there are good reasons for this, and I don't see them...
>
>
>
> But I also ask a more generic question: smbldap-tools was Perl code,
> modular, and it was very easy to reuse most of the code to make some
> ''extensions''.
>
> I want to create some ''samba-user'' addon script; is there some code
> documentation/walkthrough/examples... I can read up on?
>
> All the (modules) code is here, right?
> https://github.com/samba-team/samba/tree/master/python/samba/netcmd
>
>
> Thanks.
>

Yes, that is the Python code for most of 'samba-tool'.

Rowland



Re: User management scripts in AD mode...

Hello! Rowland Penny via samba
  On that day it was said...

> smbldap-tools wasn't a Samba tool, but samba-tool is and there are
> several gaps in what it can do. So you need to do what the writers of
> smbldap-tools did, write your own scripts.

OK. Good. Thanks.


Re: User management scripts in AD mode...

Hello! Rowland Penny via samba
  On that day it was said...

Sorry, I come back to that:

> Not sure what you are getting at here; if you add a user to a group in
> AD, you not only get a record in the group object, you also get a
> record in the user's object:
>
> dn: CN=Unixgroup,CN=Users,DC=samdom,DC=example,DC=com
> .....
> member: CN=Rowland Penny,CN=Users,DC=samdom,DC=example,DC=com
>
> dn: CN=Rowland Penny,CN=Users,DC=samdom,DC=example,DC=com
> .....
> memberOf: CN=Unixgroup,CN=Users,DC=samdom,DC=example,DC=com
>
> So you don't have to modify the user at all; again, samba-tool can do
> things like this for you, see 'samba-tool group --help'.

Because I'm not clear how group management works in AD. I'm using
'Active Directory Users and Computers', so I think a pretty standard
tool. Some questions.

a) I've not found 'member' in the user object.

b) membership is accounted for in groups via the 'member' field in the group
 object. Membership is expressed as the full user DN.

c) if, for the group object, I add some members in 'UNIX Attributes',
 they are not saved (e.g., if I add some users and I do 'Apply' and then
'OK', when I come back to the group, the UNIX attributes membership is
empty).

d) if, for a user, I set a primary group in 'Member of' (NOT UNIX
 attributes), the user object gets 'primaryGroupID' data with the RID of
the group, and the related 'member' data in the group DISAPPEARS. Argh!


So, it seems to me that:

1) probably through my own fault, some of the UNIX data (e.g., group membership)
 does not work. I think it can also be irrelevant, because winbind/sssd
get UNIX membership another way (e.g., ''Windows'' membership and not
UNIX/rfc2203 ones).

2) if I need to know which users belong to group 'X', I have to catch all
 DNs listed in 'member' of that group, AND all users that have
the RID of the group as 'primaryGroupID'.


I'm again a bit confused... ;-(((


Re: User management scripts in AD mode...

On Fri, 23 Jun 2017 17:34:48 +0200
Marco Gaiarin via samba <[hidden email]> wrote:

> Hello! Rowland Penny via samba
>   On that day it was said...
>
> Sorry, I come back to that:
>
> > Not sure what you are getting at here; if you add a user to a group
> > in AD, you not only get a record in the group object, you also get a
> > record in the user's object:
> >
> > dn: CN=Unixgroup,CN=Users,DC=samdom,DC=example,DC=com
> > .....
> > member: CN=Rowland Penny,CN=Users,DC=samdom,DC=example,DC=com
> >
> > dn: CN=Rowland Penny,CN=Users,DC=samdom,DC=example,DC=com
> > .....
> > memberOf: CN=Unixgroup,CN=Users,DC=samdom,DC=example,DC=com
> >
> > So you don't have to modify the user at all; again, samba-tool can do
> > things like this for you, see 'samba-tool group --help'.
>
> Because I'm not clear how group management works in AD. I'm using
> 'Active Directory Users and Computers', so I think a pretty standard
> tool. Some questions.
>
> a) I've not found 'member' in the user object.
>
> b) membership is accounted for in groups via the 'member' field in the group
>  object. Membership is expressed as the full user DN.
>
> c) if, for the group object, I add some members in 'UNIX Attributes',
>  they are not saved (e.g., if I add some users and I do 'Apply' and then
> 'OK', when I come back to the group, the UNIX attributes membership is
> empty).
>
> d) if, for a user, I set a primary group in 'Member of' (NOT UNIX
>  attributes), the user object gets 'primaryGroupID' data with the RID of
> the group, and the related 'member' data in the group DISAPPEARS.
> Argh!
>
>
> So, it seems to me that:
>
> 1) probably through my own fault, some of the UNIX data (e.g., group membership)
>  does not work. I think it can also be irrelevant, because winbind/sssd
> get UNIX membership another way (e.g., ''Windows'' membership and not
> UNIX/rfc2203 ones).
>
> 2) if I need to know which users belong to group 'X', I have to catch all
>  DNs listed in 'member' of that group, AND all users that have
> the RID of the group as 'primaryGroupID'.
>
>
> I'm again a bit confused... ;-(((
>

Yes, I can see that ;-)
I can also see why; your problem is that you are using the Unix
attributes tab.

Let's see if I can explain this ;-)

First and foremost, all your users are Windows users and your groups
are the same.

When you want a user to be a Unix user as well, you add the required
RFC2307 attributes, the same goes for groups.

Just use the 'Unix attributes' tab to add the required attributes and,
if you are using a version of Samba before 4.6.0, ensure the primary
group is set to Domain Users; from 4.6.0, you can change it to any
group that has a gidNumber.

If you create a group, let's call ours 'unixgroup', you would first
create it as a Windows group; you would then add a gidNumber attribute
using the 'Unix attributes' tab for the group. The group 'unixgroup'
would then be a Windows group AND a Unix group.

Now this is where you are going wrong: you do not add Unix users to
a Unix group by using a 'Unix attributes' tab. You can, but it will
not do anything from a Unix perspective (or Windows, come to that).

Remember what I said about all users & groups being Windows ones? Just
add the Windows/Unix users to the Windows/Unix group using the standard
Windows tools and Unix will see them as Unix users of Unix groups.

So, to shorten the above:
Create user & groups
Extend to Unix users & groups with the 'Unix attributes' tab
Pretend they are just Windows users when adding the users to a group.

Hope this helps, but feel free to ask any questions.

Rowland
 


Re: User management scripts in AD mode...

Hello! Rowland Penny via samba
  On that day it was said...

> > I'm again a bit confused... ;-(((
> Yes I can see that ;-)

;-)

Sorry for the late answer, but I was busy on other things...


> Hope this helps, but feel free to ask any questions.

I'll try to summarize:

a) as I supposed, 'RFC2307 group membership' is totally ignored by
 Samba, so I can use the RFC2307 schema to associate a UID with users and a GID
with groups, but the relation between UID and GID (e.g., membership) in UNIX
is derived directly from Windows membership only. Good.

b) changing the ''primary'' Windows group from 'Domain Users' to another
 group is supported only by Samba 4.6.0 and newer.

c) (Windows) membership is expressed using 'member' in the group object
 (full DN of the users) but also using 'primaryGroupID' in the user object
(RID of the group; for b) above, primaryGroupID is always '513').

d) in (Windows) membership, if a user has a primary group, the group
 does not have the related full user DN in 'member'; again for b) above,
group 'Domain Users' has no 'member' because all users have
primaryGroupID=513


If I'm right, I have two questions:

1) a) works also for nested groups, right? E.g., if I have nested groups, the
 Windows<-UNIX mapping of memberships simply ''flattens'' the Windows
membership into UNIX UIDs?

2) Supposing I'm using Samba >= 4.6, to make an LDAP query that returns
 all the memberships correctly I need to look for 'member' in groups
and 'primaryGroupID' in users; is there just one LDAP query for that?
E.g., a query that, given a group name/DN, returns all users (as DN or
UID) that belong to that group?


Thanks.


Re: User management scripts in AD mode...

On Fri, 30 Jun 2017 15:17:53 +0200
Marco Gaiarin via samba <[hidden email]> wrote:

> Hello! Rowland Penny via samba
>   On that day it was said...
>
> > > I'm again a bit confused... ;-(((
> > Yes I can see that ;-)
>
> ;-)
>
> Sorry for the late answer, but I was busy on other things...
>
>
> > Hope this helps, but feel free to ask any questions.
>
> I'll try to summarize:
>
> a) as I supposed, 'RFC2307 group membership' is totally ignored by
>  Samba, so I can use the RFC2307 schema to associate a UID with users and a GID
> with groups, but the relation between UID and GID (e.g., membership) in
> UNIX is derived directly from Windows membership only. Good.

Correct

>
> b) changing the ''primary'' Windows group from 'Domain Users' to another
>  group is supported only by Samba 4.6.0 and newer.

Correct

>
> c) (Windows) membership is expressed using 'member' in the group object
>  (full DN of the users) but also using 'primaryGroupID' in the user object
> (RID of the group; for b) above, primaryGroupID is always '513').
>
> d) in (Windows) membership, if a user has a primary group, the group
>  does not have the related full user DN in 'member'; again for b)
> above, group 'Domain Users' has no 'member' because all users have
> primaryGroupID=513
>

Every Windows domain user's primary group is '513' (this is Domain
Users), but it is not shown anywhere else in AD. There are no 'member' or
'memberOf' attributes anywhere that refer to members of Domain Users.
It just relies on the 'primaryGroupID' attribute (which, if you care to
check, is set to 515 for computers).

>
> If I'm right, I have two questions:
>
> 1) a) works also for nested groups, right? E.g., if I have nested groups, the
>  Windows<-UNIX mapping of memberships simply ''flattens'' the Windows
> membership into UNIX UIDs?

If you add a group to a group, your Unix users will gain membership of
the parent group, but the parent group must also have a gidNumber to be
used on a Unix machine.

>
> 2) Supposing I'm using Samba >= 4.6, to make an LDAP query that returns
>  all the memberships correctly I need to look for 'member' in groups
> and 'primaryGroupID' in users; is there just one LDAP query for that?
> E.g., a query that, given a group name/DN, returns all users (as DN or
> UID) that belong to that group?

There is absolutely no need to search for the primaryGroupID of any AD
user; it will always be '513' unless somebody has been stupid enough to
change it, in which case they have broken the Windows user.

The easiest way to find out what groups a user is a member of is to
search the user's DN for 'memberOf', though this will only show what
Windows groups the user is a member of. If you only want to find and
display the Unix groups, you will then have to check each group a
user is a member of to see if it has a gidNumber attribute; you
would then have to check if the group is also a member of another group,
and then check if this possible other group has a gidNumber and if this
group is also a member of another group, and so on. This could get
complicated.

Rowland
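The answer above describes the three places a membership can live ('member' on the group, 'primaryGroupID' on the account, and nesting) and the gidNumber walk needed to find the Unix-visible groups. The following is an added example, not code from this thread or from the Samba project: it runs that resolution over a constructed in-memory directory (the DNs, the domain SID, the uidNumber/gidNumber values and the 'Subgroup' entry are all invented) so the two-part lookup asked about in question 2) and the nested-group gidNumber check can be seen working offline. Against a real domain the same functions would consume the entries returned by an LDAP search.

```python
"""Resolve AD group membership from 'member', 'primaryGroupID' and
'gidNumber', the three attributes discussed in the thread.

Added example (not from the thread or the Samba project): the directory
is a constructed in-memory dict keyed by DN standing in for the results of
an LDAP search, so the script runs offline.
"""
from typing import Dict, List, Set

Entry = Dict[str, List[str]]
BASE = "CN=Users,DC=samdom,DC=example,DC=com"
DOMAIN_SID = "S-1-5-21-111-222-333"  # constructed domain SID

# Constructed sample entries (not real accounts). Neither 'member' nor
# 'memberOf' records the primary group: an account belongs to the group
# whose RID equals its primaryGroupID (513 = Domain Users, 515 = Domain
# Computers), and that link exists only on the account side.
DIRECTORY: Dict[str, Entry] = {
    f"CN=Domain Users,{BASE}": {
        "objectClass": ["group"], "objectSid": [f"{DOMAIN_SID}-513"],
        "gidNumber": ["10000"],
    },
    f"CN=Domain Computers,{BASE}": {
        "objectClass": ["group"], "objectSid": [f"{DOMAIN_SID}-515"],
    },
    f"CN=Unixgroup,{BASE}": {
        "objectClass": ["group"], "objectSid": [f"{DOMAIN_SID}-1105"],
        "gidNumber": ["10001"],
        "member": [f"CN=Rowland Penny,{BASE}", f"CN=Subgroup,{BASE}"],
    },
    # nested group deliberately without gidNumber: Windows-only
    f"CN=Subgroup,{BASE}": {
        "objectClass": ["group"], "objectSid": [f"{DOMAIN_SID}-1106"],
        "member": [f"CN=Marco Gaiarin,{BASE}"],
    },
    f"CN=Rowland Penny,{BASE}": {
        "objectClass": ["user"], "primaryGroupID": ["513"], "uidNumber": ["10000"],
    },
    f"CN=Marco Gaiarin,{BASE}": {
        "objectClass": ["user"], "primaryGroupID": ["513"], "uidNumber": ["10001"],
    },
    "CN=DC1,CN=Computers,DC=samdom,DC=example,DC=com": {
        "objectClass": ["computer"], "primaryGroupID": ["515"],
    },
}


def rid_of(sid: str) -> int:
    """Relative identifier: the last component of the SID string."""
    return int(sid.rsplit("-", 1)[1])


def is_group(dn: str, d: Dict[str, Entry] = DIRECTORY) -> bool:
    return "group" in d[dn].get("objectClass", [])


def direct_members(group_dn: str, d: Dict[str, Entry] = DIRECTORY) -> Set[str]:
    """Explicit 'member' DNs plus every account whose primaryGroupID equals
    the group's RID: the union a complete membership query needs."""
    group = d[group_dn]
    found = set(group.get("member", []))
    grid = rid_of(group["objectSid"][0])
    for dn, entry in d.items():
        if entry.get("primaryGroupID") and int(entry["primaryGroupID"][0]) == grid:
            found.add(dn)
    return found


def effective_members(group_dn: str, d: Dict[str, Entry] = DIRECTORY) -> Set[str]:
    """Transitive closure through nested groups; returns non-group DNs only.
    A visited set guards against group cycles (A in B, B in A)."""
    users: Set[str] = set()
    seen: Set[str] = set()
    pending = [group_dn]
    while pending:
        current = pending.pop()
        if current in seen:
            continue
        seen.add(current)
        for dn in direct_members(current, d):
            if is_group(dn, d):
                pending.append(dn)
            else:
                users.add(dn)
    return users


def member_of(dn: str, d: Dict[str, Entry] = DIRECTORY) -> Set[str]:
    """The 'memberOf' view, derived as the inverse of the groups' 'member'
    attribute; the primary group is absent here just as it is in 'member'."""
    return {g for g, e in d.items() if is_group(g, d) and dn in e.get("member", [])}


def unix_groups_of(dn: str, d: Dict[str, Entry] = DIRECTORY) -> Set[str]:
    """Groups a Unix client would see for an account: every group the account
    belongs to (directly, by primaryGroupID or via nesting) that carries a
    gidNumber. A nested group without gidNumber still propagates membership
    to its parents but is not itself reported."""
    return {g for g in d if is_group(g, d) and "gidNumber" in d[g]
            and dn in effective_members(g, d)}


if __name__ == "__main__":
    for g in (f"CN=Unixgroup,{BASE}", f"CN=Domain Users,{BASE}"):
        print(g, "->", sorted(effective_members(g)))
    print("Unix groups of Marco:", sorted(unix_groups_of(f"CN=Marco Gaiarin,{BASE}")))
```

`member_of` reproduces the inverse-link view that 'memberOf' gives and, like 'member', never contains the primary group: a query that reads only 'member' or only 'memberOf' silently omits every account whose primaryGroupID points at the group, which for Domain Users means all of them.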



Re: User management scripts in AD mode...

Hello! Rowland Penny via samba
  On that day it was said...

[As you are supposing, I'm back... sorry to all...]

> > > Hope this helps, but feel free to ask any questions.
> > I'll try to summarize:

> > a) as I supposed, 'RFC2307 group membership' is totally ignored by
> >  Samba, so I can use the RFC2307 schema to associate a UID with users and a GID
> > with groups, but the relation between UID and GID (e.g., membership) in
> > UNIX is derived directly from Windows membership only. Good.
> Correct

> > b) changing the ''primary'' Windows group from 'Domain Users' to another
> >  group is supported only by Samba 4.6.0 and newer.
> Correct

> > c) (Windows) membership is expressed using 'member' in the group object
> >  (full DN of the users) but also using 'primaryGroupID' in the user object
> > (RID of the group; for b) above, primaryGroupID is always '513').
> > d) in (Windows) membership, if a user has a primary group, the group
> >  does not have the related full user DN in 'member'; again for b)
> > above, group 'Domain Users' has no 'member' because all users have
> > primaryGroupID=513
> Every Windows domain user's primary group is '513' (this is Domain
> Users), but it is not shown anywhere else in AD. There are no 'member' or
> 'memberOf' attributes anywhere that refer to members of Domain Users.
> It just relies on the 'primaryGroupID' attribute (which, if you care to
> check, is set to 515 for computers).

OK. But ''generally'' (AD domains) speaking, and specifically for Samba
 >= 4.6, can I modify 'primaryGroupID', or...

> > 2) Supposing I'm using Samba >= 4.6, to make an LDAP query that returns
> >  all the memberships correctly I need to look for 'member' in groups
> > and 'primaryGroupID' in users; is there just one LDAP query for that?
> > E.g., a query that, given a group name/DN, returns all users (as DN or
> > UID) that belong to that group?
> There is absolutely no need to search for the primaryGroupID of any AD
> user; it will always be '513' unless somebody has been stupid enough to
> change it, in which case they have broken the Windows user.

You are speaking about a ''feature'' that is not practically used, and
so in an AD domain everything assumes that users have primaryGroupID 513
and hosts/machines 515?!

Why does Samba support a feature that is not to be used?


> > If I'm right, I have two questions:

> > 1) a) works also for nested groups, right? E.g., if I have nested groups, the
> >  Windows<-UNIX mapping of memberships simply ''flattens'' the Windows
> > membership into UNIX UIDs?
> If you add a group to a group, your Unix users will gain membership of
> the parent group, but the parent group must also have a gidNumber to be
> used on a Unix machine.

Obviously. Super clear.


> The easiest way to find out what groups a user is a member of is to
> search the user's DN for 'memberOf', though this will only show what
> Windows groups the user is a member of. If you only want to find and
> display the Unix groups, you will then have to check each group a
> user is a member of to see if it has a gidNumber attribute; you
> would then have to check if the group is also a member of another group,
> and then check if this possible other group has a gidNumber and if this
> group is also a member of another group, and so on. This could get
> complicated.

Ok. Thanks.


I add another question, from lurking on the list these weeks. It seems to me
that some users/groups do not have to have a UID/GID (I suppose, generically,
rfc2307 data) assigned.
E.g., looking also at your answer here, it seems that Administrator is
better off not having a UID, and only 'domain users' and 'domain computers'
need a UID.

After the migration with 'classicupgrade' I have:

 root@lupus:~# getent passwd | grep -i administrator
 root@lupus:~# getent group | egrep ":5[0-9][0-9]:"
 domain computers:*:515:
 domain admins:*:512:gaio,amaronese,lucaf
 domain guests:*:514:
 domain users:*:513:amaronese,gaio

Do I need to remove the GID for domain admins and domain guests?


Thanks.


Re: User management scripts in AD mode...

On Mon, 10 Jul 2017 16:58:41 +0200
Marco Gaiarin via samba <[hidden email]> wrote:

>
> I add another question, from lurking on the list these weeks. It seems to
> me that some users/groups do not have to have a UID/GID (I suppose,
> generically, rfc2307 data) assigned.
> E.g., looking also at your answer here, it seems that Administrator is
> better off not having a UID, and only 'domain users' and 'domain computers'
> need a UID.
>
> After the migration with 'classicupgrade' I have:
>
>  root@lupus:~# getent passwd | grep -i administrator
>  root@lupus:~# getent group | egrep ":5[0-9][0-9]:"
>  domain computers:*:515:

The above group doesn't really need a gidNumber; it is only used by AD.

>  domain admins:*:512:gaio,amaronese,lucaf

Ah, here is a possible problem: if you give 'Domain Admins' a gidNumber,
it just becomes a group as far as Unix is concerned, but 'Domain
Admins' needs to be a user as well to own dirs in sysvol; this is what
happens on a DC if 'Domain Admins' doesn't have a gidNumber.

>  domain guests:*:514:

This shouldn't have a gidNumber either; it is again mapped on a DC (and
on a Unix domain member by winbind).

>  domain users:*:513:amaronese,gaio

It is perfectly okay to give 'Domain Users' a gidNumber.

The main problem with the above gidNumbers is that they are all in the
'500' range. Somebody, sometime in the past, thought this was okay. Now,
with hindsight, it has proved to be a bad idea ;-)

Using such low numbers means that you cannot have ANY local Unix users.

Rowland




Re: User management scripts in AD mode...

Hello! Rowland Penny via samba
  On that day it was said...

Sorry, without requoting everything, I jump back to some old questions. You
wrote:

> The easiest way to find out what groups a user is a member of is to
> search the user's DN for 'memberOf', though this will only show what
> Windows groups the user is a member of.

It seems to me that an equally easy way is to look, in groups, at 'member',
which contains the full DN of the user.

Are 'member' in the group and 'memberOf' in users 'kept in sync' by
Samba/AD? E.g., do they contain the same info?

Or, by looking at 'member' in the group, do I lose the nested group memberships?


Also, sorry, but I still don't understand: is 'primaryGroupID' a
''feature'' that is ''misused'' in AD domains, or is it a limitation of the
Samba implementation?
I want to write LDAP queries as generic as possible, so knowing that...


> >  domain computers:*:515:
> The above group doesn't really need a gidNumber; it is only used by AD.

OK.


> >  domain admins:*:512:gaio,amaronese,lucaf
> Ah, here is a possible problem: if you give 'Domain Admins' a gidNumber,
> it just becomes a group as far as Unix is concerned, but 'Domain
> Admins' needs to be a user as well to own dirs in sysvol; this is what
> happens on a DC if 'Domain Admins' doesn't have a gidNumber.

OK. I note that I've not added 'gidNumber' myself; 'classicupgrade'
did that.

> >  domain guests:*:514:
> This shouldn't have a gidNumber either; it is again mapped on a DC (and
> on a Unix domain member by winbind).

OK. So is this another source of trouble if I use sssd? E.g., winbind
will map domain guests correctly and sssd won't?


> >  domain users:*:513:amaronese,gaio
> It is perfectly okay to give 'Domain Users' a gidNumber.

OK.


> The main problem with the above gidNumbers is that they are all in the
> '500' range. Somebody, sometime in the past, thought this was okay. Now,
> with hindsight, it has proved to be a bad idea ;-)

Eh... the 'legacy' troubles... ;)


> Using such low numbers means that you cannot have ANY local Unix users.

Why?! Debian reserves uid/gid 0-1000 for ''system accounts'', but really
uses very few of them.
I've simply 'submapped' the Windows well-known SIDs to '5XX' uid/gid, for an
obvious reason (keeping the RID equal to the UID/GID).

Sorry but i don't understand...


Thanks.
