
[Samba] Man page for idmap_rid


francis picabia

Aug 8, 2016, 3:40:04 PM
I'm reading the man page for idmap_rid over and over and I can't understand
it. I think it needs a rewrite so a normal user can understand. Using a
practical example.

Step 1: determine the highest UID in use for your /etc/passwd file
(can we assume everyone has a passwd file?)
Step 2: I don't know...

Optionally at this point, document how to plug that into the formula

RID = ID + BASE_RID - LOW_RANGE_ID

and then show how we set the lines:

range = low - high
base_rid = INTEGER

The man page examples do not line up with any numbers practical outside of
smb.conf

Say my UID on the Linux side would never exceed 70000. How do I configure
range and base_rid?
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba

Rowland Penny

Aug 8, 2016, 4:00:04 PM
On Mon, 8 Aug 2016 16:31:09 -0300
francis picabia <fpic...@gmail.com> wrote:

> I'm reading the man page for idmap_rid over and over and I can't
> understand it. I think it needs a rewrite so a normal user can
> understand. Using a practical example.
>
> Step 1: determine the highest UID in use for your /etc/passwd file
> (can we assume everyone has a passwd file?)
> Step 2: I don't know...
>
> Optionally at this point, document how to plug that into the formula
>
> RID = ID + BASE_RID - LOW_RANGE_ID
>
> and then show how we set the lines:
>
> range = low - high
> base_rid = INTEGER
>
> The man page examples do not line up with any numbers practical
> outside of smb.conf
>
> Say my UID on the Linux side would never exceed 70000. How do I
> configure range and base_rid?


Well for a start, you can forget 'base_rid', it is deprecated, just
leave it alone and it will default to '0'

In your example, you will want to start the range at '70001', where you
end, is up to you.

The only problem Unix user is nobody/nogroup, which for reasons unknown
to me, have the ID number 65534, it would probably be better if they
had been given a number below 1000.

Rowland

Michael Adam

Aug 8, 2016, 4:10:03 PM
On 2016-08-08 at 16:31 -0300, francis picabia wrote:
> I'm reading the man page for idmap_rid over and over and I can't understand
> it. I think it needs a rewrite so a normal user can understand. Using a
> practical example.

I admit it is a little terse.
But in principle, assuming a little bit of
general knowledge about how idmap backends are configured
(see man smb.conf), it's all there.

Before proposing a patch that will elaborate the manpage
a bit, let me explain here:

> Step 1: determine the highest UID in use for your /etc/passwd file
> (can we assume everyone has a passwd file?)
> Step 2: I don't know...
>
> Optionally at this point, document how to plug that into the formula
>
> RID = ID + BASE_RID - LOW_RANGE_ID
>
> and then show how we set the lines:
>
> range = low - high

This 'low' here is the LOW_RANGE_ID referenced above
in the formula. More concretely, this config would be

idmap config DOMAIN : backend = rid
idmap config DOMAIN : range = low-high

> base_rid = INTEGER

My suggestion: Forget about the 'base_rid' value. This optional parameter
is only needed for corner cases, where you are very limited in the amount
of unix ids available. It allows you to filter out the lower part of the
rids in your domain. I have never seen it used. (i.e. use the default
value of 0.)

> The man page examples do not line up with any numbers practical outside of
> smb.conf

So in order to describe how the rid module works for a given
config, you need to describe how unix-id-->sid and sid-->unix-id
mappings are calculated. The manpage offers this:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
THE MAPPING FORMULAS
The Unix ID for a RID is calculated this way:

ID = RID - BASE_RID + LOW_RANGE_ID.

Correspondingly, the formula for calculating the RID
for a given Unix ID is this:

RID = ID + BASE_RID - LOW_RANGE_ID.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

As said above, here LOW_RANGE_ID is the id that is the lower
number of the configured range. Now for the sake of simplicity,
say that we did not configure the base rid, so BASE_RID is 0 in
the above formulas and they simplify to:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
ID = RID + LOW_RANGE_ID
RID = ID - LOW_RANGE_ID
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

More concretely, assume that you have a domain MYDOM
and a config

idmap config MYDOM : backend = rid
idmap config MYDOM : range = 100000-200000

Now calculate a few examples:

- The administrator of MYDOM has rid=500 (the admin
of each domain has). So its unix ID would be

500 + 100000 = 100500

- The Domain Users group has rid 513.
So the associated unix group id would be

513 + 100000 = 100513

- A Unix group of GID = 100512 would
map to the SID with the rid of

100512 - 100000 = 512

i.e. the domain admins group.

- A unix user of UID = 123456 would be associated
to a sid with the rid of

123456 - 10000 = 23456

- A unix ID of 200001 would be bigger than
the high id of the range and hence NOT be
treated by this idmap module.

- A SID with a rid of 100001 would be calculated
to yield a unix id of

100001 + 100000 = 200001

but this is bigger than the high upper limit of
the configured range, hence the sid would be
'filtered', i.e. this object would not be mapped.

Do these examples make it more clear?

The low id of the range determines where the unix IDs of
your domain will start, and the high id of the range
determines how big the rids can get. More concretely,
the largest mapped rid would be

high id - low id


> Say my UID on the Linux side would never exceed 70000. How do
> I configure range and base_rid?

The only important thing here is that the low id in the range is
LARGER than the largest unix id used otherwise in your system.
(That does not only mean passwd or group file, but also other
possible nsswitch sources like ldap or nis...)
So if you know you won't have unix user or group ids above 10000,
then you could start your idmap rid range at 10001; this would
be the lowest possible start of a range. But you could as
well start it at 20000 or 100000 or 1000000. And so on.

Also note that all other idmap ranges you configure must
be disjoint from this idmap range. More generally, all
configured idmap ranges must be mutually disjoint.

See the example in the manpage for complete example
idmap configs.

Hope this helps at least a bit..

Michael


Kevin Davidson

Aug 9, 2016, 5:00:04 AM

> On 8 Aug 2016, at 20:48, Rowland Penny <rpe...@samba.org> wrote:
>
> The only problem Unix user is nobody/nogroup, which for reasons unknown
> to me, have the ID number 65534, it would probably be better if they
> had been given a number below 1000.

They did. In the days when UID was a 16 bit signed integer, that was -2, well below 1000!




Sent from my iPhone

--
Kevin Davidson
Apple Certified System Administrator
Technical Director

t 01506 668674
m 07813 149620
w www.indigospring.co.uk

indigospring (Scotland) Ltd
Registered in Scotland No. SC398572
Registered office: 103 Oldwood Place, Livingston EH54 6US

Follow us on Twitter - twitter.com/indigospringIT
Members of the Apple Consultants Network - consultants.apple.com/uk

http://www.indigospring.co.uk/terms-and-conditions

francis picabia

Aug 9, 2016, 8:40:04 AM
Thanks for the detailed response.

It is very extensive for my purposes, but it still feels over analytical for
what we need. I believe the Unix UID doesn't exceed 65534.
If this is a constant, why don't we just produce an example for that?
Out of the box, this is what many users will want to use.

I don't understand when we want values to never overlap and when
we want them to be in a matching range.

I would think this setting would work for everyone not using NIS or LDAP in
nsswitch:

idmap config *:backend = tdb
idmap config *:range = 100001-110000
idmap config MYDOM : backend = rid
idmap config MYDOM : range = 65535-100000

I've set that and restarted nmbd, smbd and winbind services

When I do a wbinfo look up on my user with a UID of 1000, it has this:

theusername:*:16777216:16777220:The Username:/home/MYDOM/theusername:/bin/false

Is this set up well or do I want the upper range to overlap with 16777216?

Rowland Penny

Aug 9, 2016, 9:30:03 AM
On Tue, 9 Aug 2016 09:37:13 -0300
francis picabia <fpic...@gmail.com> wrote:

> Thanks for the detailed response.
>
> It is very extensive for my purposes, but it still feels over
> analytical for what we need. I believe the Unix UID doesn't exceed
> 65534. If this is a constant, why don't we just produce an example
> for that? Out of the box, this is what many users will want to use.
>
> I don't understand when we want values to never overlap and when
> we want them to be in a matching range.
>
> I would think this setting would work for everyone not using NIS or
> LDAP in nsswitch:
>
> idmap config *:backend = tdb
> idmap config *:range = 100001-110000
> idmap config MYDOM : backend = rid
> idmap config MYDOM : range = 65535-100000

The only problem with that is, what happens if you do manage to get to
user '100001' in 'MYDOM' ?

This would probably be better:
idmap config *:backend = tdb
idmap config *:range = 65535-100000
idmap config MYDOM : backend = rid
idmap config MYDOM : range = 100001-110000

This way, if you ever get to 'MYDOM' user '110001', you can just extend
the range in smb.conf.

However, a better way would be to find out who set nobody/nogroup to
'65534' (there was probably a logical reason at the time it was set)
and get it changed to '499' or whatever. Anybody know who to contact ?

>
> I've set that and restarted nmbd, smbd and winbind services
>
> When I do a wbinfo look up on my user with a UID of 1000, it has this:
>
> theusername:*:16777216:16777220:The Username:/home/MYDOM/theusername:/bin/false

Those numbers look suspiciously like what I used to get out of sssd,
are you also running this ?

>
> Is this set up well or do I want the upper range to overlap with
> 16777216?

You cannot have ranges that overlap, if you had something like this:

idmap config *:backend = tdb
idmap config *:range = 2000-10000
idmap config MYDOM : backend = rid
idmap config MYDOM : range = 9000-11000

Now, there are two users with the RIDs 9999 and 2999, the first is a
member of the '*' domain and the second is a member of 'MYDOM' domain

As the algorithm to calculate the Unix ID is this:

ID = RID + LOW_RANGE_ID

We get two calculations

9999 + 2000 = ID

2999 + 9000 = ID

ID in both cases will be '11999' so how is Unix to know which user is
which ?

Rowland
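The arithmetic Michael walked through from the manpage (ID = RID - BASE_RID + LOW_RANGE_ID and its inverse, with out-of-range SIDs filtered) and the overlap problem Rowland describes just above are easy to get wrong by hand, so here they are as runnable code. This is an added example, not Samba code and not from anyone in the thread: the IdmapRange class, parse_idmap_config, the partial KNOWN_BACKENDS list, and the smb.conf fragments and passwd lines at the bottom are all constructed here for illustration. It also exercises base_rid, which the thread tells you to leave at 0, so you can see what the filter would do if you did set it.

```python
from __future__ import annotations
import re
from dataclasses import dataclass
from itertools import combinations
from typing import Optional


@dataclass(frozen=True)
class IdmapRange:
    """One 'idmap config DOM : ...' block from smb.conf (constructed for this example)."""
    domain: str
    backend: str
    low: int           # LOW_RANGE_ID in the manpage formulas
    high: int
    base_rid: int = 0  # optional and deprecated; 0 is the default the thread recommends


def rid_to_unix_id(r: IdmapRange, rid: int) -> Optional[int]:
    """ID = RID - BASE_RID + LOW_RANGE_ID; None means the SID is filtered (not mapped)."""
    if rid < r.base_rid:
        return None                            # base_rid cuts off the low rids
    uid = rid - r.base_rid + r.low
    return uid if uid <= r.high else None      # past the high end: not mapped


def unix_id_to_rid(r: IdmapRange, uid: int) -> Optional[int]:
    """RID = ID + BASE_RID - LOW_RANGE_ID; None means this range does not own uid."""
    if not r.low <= uid <= r.high:
        return None
    return uid + r.base_rid - r.low


_IDMAP_LINE = re.compile(
    r"^\s*idmap\s+config\s+(\S+?)\s*:\s*(backend|range|base_rid)\s*=\s*(\S+)\s*$", re.I)
# Partial list of backend names (assumed, not exhaustive); enough to catch a typo like 'tbd'.
KNOWN_BACKENDS = {"tdb", "tdb2", "rid", "ad", "autorid", "ldap", "nss", "hash", "script"}


def parse_idmap_config(smb_conf: str) -> dict[str, IdmapRange]:
    """Collect the idmap lines of a [global] section into one IdmapRange per domain."""
    raw: dict[str, dict[str, str]] = {}
    for line in smb_conf.splitlines():
        m = _IDMAP_LINE.match(line)
        if m:
            dom, key, val = m.groups()
            raw.setdefault(dom.upper(), {})[key.lower()] = val
    ranges: dict[str, IdmapRange] = {}
    for dom, kv in raw.items():
        if "backend" not in kv or "range" not in kv:
            raise ValueError(f"idmap config {dom}: need both 'backend' and 'range'")
        backend = kv["backend"].lower()
        if backend not in KNOWN_BACKENDS:
            raise ValueError(f"idmap config {dom}: unknown backend {backend!r}")
        low, high = (int(x) for x in kv["range"].split("-", 1))
        if low > high:
            raise ValueError(f"idmap config {dom}: range low {low} above high {high}")
        ranges[dom] = IdmapRange(dom, backend, low, high, int(kv.get("base_rid", 0)))
    return ranges


def overlapping_ranges(ranges: dict[str, IdmapRange]) -> list[tuple[str, str]]:
    """Pairs of domains whose ranges intersect; all configured ranges must be disjoint."""
    ordered = sorted(ranges.values(), key=lambda r: (r.low, r.domain))
    return [(a.domain, b.domain) for a, b in combinations(ordered, 2)
            if a.low <= b.high and b.low <= a.high]


def owners_of_unix_id(ranges: dict[str, IdmapRange], uid: int) -> list[tuple[str, int]]:
    """Every (domain, rid) that maps to uid; more than one entry means the id is ambiguous."""
    hits = []
    for r in ranges.values():
        rid = unix_id_to_rid(r, uid)
        if rid is not None:
            hits.append((r.domain, rid))
    return sorted(hits)


def local_id_collisions(passwd_text: str, ranges: dict[str, IdmapRange]) -> list[tuple[str, int, str]]:
    """Local passwd entries whose uid or primary gid falls inside a winbind range."""
    hits = []
    for line in passwd_text.splitlines():
        f = line.split(":")
        if len(f) < 4:
            continue
        name, uid, gid = f[0], int(f[2]), int(f[3])
        for r in ranges.values():
            if r.low <= uid <= r.high or r.low <= gid <= r.high:
                hits.append((name, uid, r.domain))
    return hits


# Constructed sample inputs: Michael's MYDOM range, Rowland's overlapping pair,
# and a three-line passwd file with the uid 65534 'nobody' entry the thread discusses.
MYDOM_CONF = """
idmap config * : backend = tdb
idmap config * : range = 3000-7999
idmap config MYDOM : backend = rid
idmap config MYDOM : range = 100000-200000
"""
OVERLAP_CONF = """
idmap config *:backend = tdb
idmap config *:range = 2000-10000
idmap config MYDOM : backend = rid
idmap config MYDOM : range = 9000-11000
"""
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
theusername:x:1000:1000:The Username:/home/theusername:/bin/bash
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
"""

if __name__ == "__main__":
    mydom = parse_idmap_config(MYDOM_CONF)["MYDOM"]
    print("rid 500 ->", rid_to_unix_id(mydom, 500))            # 100500, the domain administrator
    print("uid 100512 -> rid", unix_id_to_rid(mydom, 100512))  # 512, Domain Admins
    print("rid 100001 ->", rid_to_unix_id(mydom, 100001))      # None: 200001 is past the high end
    bad = parse_idmap_config(OVERLAP_CONF)
    print("overlaps:", overlapping_ranges(bad))                # [('*', 'MYDOM')]
    print("uid 9500 owned by:", owners_of_unix_id(bad, 9500))  # two owners, so ambiguous
```

Feed parse_idmap_config the [global] section of a real smb.conf and run overlapping_ranges and local_id_collisions against the box's getent passwd output before restarting winbind; an empty result from both is the "mutually disjoint, and above every local id" condition Michael states, and a non-empty owners_of_unix_id list is the concrete form of Rowland's "how is Unix to know which user is which".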

Shash Chatterjee

Aug 9, 2016, 10:30:03 AM

I can't add anything useful to the ID mapping discussion, but 65,535 is a very well known number to those of us that started in bits and bytes of embedded systems and assemblers. 65,535 is the largest unsigned integer in a 16-bit system, which is where UNIX started (mostly). They used (int) 0-65,534 as the valid user IDs, and "(unsigned int)-1", which is (int)65,535, as a check for invalid user ID.

francis picabia via samba

Aug 9, 2016, 11:10:03 AM
I'm entertaining all your suggestions of workarounds and values.

I've changed nobody to UID and GID 499 in /etc/passwd and /etc/groups
It had no conflicts with another user. However nobody doesn't exist in AD.

Now testparm reports:

# testparm /etc/samba/smb.conf
Load smb config files from /etc/samba/smb.conf
Processing section "[homes]"
Loaded services file OK.
Server role: ROLE_DOMAIN_MEMBER

Press enter to see a dump of your service definitions

# Global parameters
[global]
workgroup = MYDOM
realm = AD.MYDOM.CA
server string = Debian2 Server
security = ADS
log file = /var/log/samba/%m.log
max log size = 50
unix extensions = No
load printers = No
printcap name = /dev/null
disable spoolss = Yes
dns proxy = No
winbind use default domain = Yes
idmap config mydom : range = 100001-110000
idmap config mydom : backend = rid
idmap config *:range = 65535-100000
idmap config * : backend = tbd
nt acl support = No
printing = bsd


[homes]
comment = Home Directories
path = %H
read only = No
create mask = 0700
directory mask = 0700
browseable = No
wide links = Yes

Restarted smbd and winbind.

$ smbclient -L //debian2 -U username
Enter username's password:
session setup failed: NT_STATUS_UNSUCCESSFUL

Logfile for client's IP ends:

[2016/08/09 11:48:32.793696, 1]
../source3/auth/token_util.c:430(add_local_groups)
SID S-1-5-21-82194667-1315141139-1877560073-12331 -> getpwuid(16777216)
failed
[2016/08/09 11:48:32.793746, 3]
../source3/auth/token_util.c:316(create_local_nt_token_from_info3)
Failed to finalize nt token

There don't seem to be any values which can dodge this bug. Maybe there
were for awhile, but in the meantime, security patches have changed things.



> >
> > I've set that and restarted nmbd, smbd and winbind services
> >
> > When I do a wbinfo look up on my user with a UID of 1000, it has this:
> >
> > theusername:*:16777216:16777220:The Username:/home/MYDOM/theusername:/bin/false
>
> Those numbers look suspiciously like what I used to get out of sssd,
> are you also running this ?
>
>
There is no sssd. No process, no package installed.

Rowland Penny via samba

Aug 9, 2016, 11:40:03 AM
On Tue, 9 Aug 2016 11:58:42 -0300
francis picabia <fpic...@gmail.com> wrote:

>
> $ smbclient -L //debian2 -U username
> Enter username's password:
> session setup failed: NT_STATUS_UNSUCCESSFUL
>

> > > When I do a wbinfo look up on my user with a UID of 1000, it has
> > > this:
> > >
> > > theusername:*:16777216:16777220:The Username:/home/MYDOM/theusername:/bin/false
> >

I think I might have spotted something here, your user doesn't seem to
exist on the client and you are relying on wbinfo to tell you it exists.
Only problem with that, wbinfo checks AD but this doesn't mean the
local Unix OS knows the user.

What does 'getent passwd username' show when run on 'debian2'?

Until it produces something like this:

rowland@devstation:~$ getent passwd rowland
rowland:*:10000:10000:Rowland Penny:/home/rowland:/bin/bash

it will not work.

Rowland

francis picabia via samba

Aug 9, 2016, 12:40:02 PM
On Tue, Aug 9, 2016 at 12:29 PM, Rowland Penny via samba <
sa...@lists.samba.org> wrote:

> On Tue, 9 Aug 2016 11:58:42 -0300
> francis picabia <fpic...@gmail.com> wrote:
>
> >
> > $ smbclient -L //debian2 -U username
> > Enter username's password:
> > session setup failed: NT_STATUS_UNSUCCESSFUL
> >
>
> > > > When I do a wbinfo look up on my user with a UID of 1000, it has
> > > > this:
> > > >
> > > > theusername:*:16777216:16777220:The Username:/home/MYDOM/theusername:/bin/false
> > >
>
> I think I might have spotted something here, your user doesn't seem to
> exist on the client and you are relying on wbinfo to tell you it exists.
> Only problem with that, wbinfo checks AD but this doesn't mean the
> local Unix OS knows the user.
>
> What does 'getent passwd username' show when run on 'debian2'?
>
> Until it produces something like this:
>
> rowland@devstation:~$ getent passwd rowland
> rowland:*:10000:10000:Rowland Penny:/home/rowland:/bin/bash
>
> it will not work.
>

getent passwd username

(or "theusername") is not the literal command. I substitute 'username'
here to protect the user id.
getent passwd on the user does work and it returns uid and gid of 1000,
exactly what we see in the /etc/passwd file. It is the same output as grep
'username' on /etc/passwd

Remember, when winbind is off, it works. This is certainly bug 10604 by
all measures.

Rowland Penny via samba

Aug 9, 2016, 1:10:04 PM
On Tue, 9 Aug 2016 13:37:18 -0300
francis picabia <fpic...@gmail.com> wrote:


>
> getent passwd username
>
> (or "theusername") is not the literal command. I substitute
> 'username' here to protect the user id.
> getent passwd on the user does work and it returns uid and gid of
> 1000, exactly what we see in the /etc/passwd file. It is the same
> output as grep 'username' on /etc/passwd
>
> Remember, when winbind is off, it works. This is certainly bug 10604
> by all measures.

And I think you have just posted your problem!

Lets use 'fred' as one of your users, replace 'fred' with a real users
name

Do you have a user called 'fred' in /etc/passwd *and* in AD ?

If so, choose one and then delete the other, you cannot have them in
both.

Rowland

Michael Adam via samba

Aug 9, 2016, 2:00:03 PM
Why are you so keen on starting a range directly above the
smallest used id number from the files?

The main thing is not to overlap.
It is OK to have gaps! :-)

Also, afaik, nothing prevents you from adding
a user of uid 1000000 into your passwd file.
There is just *no* recipe that fits everyone.
Hence the general instructions in the manpage...

I personally like to give winbind high up ranges
starting in the 100s of 1000s or even in the millions.

> Now testparam reports:
>
> # testparm /etc/samba/smb.conf
> Load smb config files from /etc/samba/smb.conf
> Processing section "[homes]"
> Loaded services file OK.
> Server role: ROLE_DOMAIN_MEMBER
>
> Press enter to see a dump of your service definitions
>
> # Global parameters
> [global]
> workgroup = MYDOM
> realm = AD.MYDOM.CA
> server string = Debian2 Server
> security = ADS
> log file = /var/log/samba/%m.log
> max log size = 50
> unix extensions = No
> load printers = No
> printcap name = /dev/null
> disable spoolss = Yes
> dns proxy = No
> winbind use default domain = Yes

Recommendation: avoid this by all means if possible.
It typically only creates problems by introducing
ambiguity.

> idmap config mydom : range = 100001-110000
> idmap config mydom : backend = rid
> idmap config *:range = 65535-100000
> idmap config * : backend = tbd

Typo in the config? tdb <--> tbd ?

Cheers - Michael

Michael Adam via samba

Aug 9, 2016, 2:00:03 PM
On 2016-08-09 at 17:58 +0100, Rowland Penny via samba wrote:
> On Tue, 9 Aug 2016 13:37:18 -0300
> francis picabia <fpic...@gmail.com> wrote:
>
>
> >
> > getent passwd username
> >
> > (or "theusername") is not the literal command. I substitute
> > 'username' here to protect the user id.
> > getent passwd on the user does work and it returns uid and gid of
> > 1000, exactly what we see in the /etc/passwd file. It is the same
> > output as grep 'username' on /etc/passwd
> >
> > Remember, when winbind is off, it works. This is certainly bug 10604
> > by all measures.
>
> And I think you have just posted your problem!
>
> Lets use 'fred' as one of your users, replace 'fred' with a real users
> name
>
> Do you have a user called 'fred' in /etc/passwd *and* in AD ?
>
> If so, choose one and then delete the other, you cannot have them in
> both.

*Not* setting 'winbind use default domain = yes' will allow you
to have them both. And they will be what they should be: two different
users. With different unix IDs.

Cheers - Michael

francis picabia via samba

Aug 9, 2016, 2:00:03 PM
On Tue, Aug 9, 2016 at 1:58 PM, Rowland Penny via samba <
sa...@lists.samba.org> wrote:

> On Tue, 9 Aug 2016 13:37:18 -0300
> francis picabia <fpic...@gmail.com> wrote:
>
>
> >
> > getent passwd username
> >
> > (or "theusername") is not the literal command. I substitute
> > 'username' here to protect the user id.
> > getent passwd on the user does work and it returns uid and gid of
> > 1000, exactly what we see in the /etc/passwd file. It is the same
> > output as grep 'username' on /etc/passwd
> >
> > Remember, when winbind is off, it works. This is certainly bug 10604
> > by all measures.
>
> And I think you have just posted your problem!
>
> Lets use 'fred' as one of your users, replace 'fred' with a real users
> name
>
> Do you have a user called 'fred' in /etc/passwd *and* in AD ?
>
> If so, choose one and then delete the other, you cannot have them in
> both.
>

I don't think you've done this before. Have you used security = ads?

I have dozens of servers and hundreds of users running just fine
with this. Having the same user defined in both Linux and AD,
and mapping it for authentication is the whole point.

Rowland Penny via samba

Aug 9, 2016, 2:10:03 PM
On Tue, 9 Aug 2016 14:49:37 -0300
francis picabia <fpic...@gmail.com> wrote:

> On Tue, Aug 9, 2016 at 1:58 PM, Rowland Penny via samba <
> sa...@lists.samba.org> wrote:
>
> > On Tue, 9 Aug 2016 13:37:18 -0300
> > francis picabia <fpic...@gmail.com> wrote:
> >
> >
> > >
> > > getent passwd username
> > >
> > > (or "theusername") is not the literal command. I substitute
> > > 'username' here to protect the user id.
> > > getent passwd on the user does work and it returns uid and gid of
> > > 1000, exactly what we see in the /etc/passwd file. It is the same
> > > output as grep 'username' on /etc/passwd
> > >
> > > Remember, when winbind is off, it works. This is certainly bug
> > > 10604 by all measures.
> >
> > And I think you have just posted your problem!
> >
> > Lets use 'fred' as one of your users, replace 'fred' with a real
> > users name
> >
> > Do you have a user called 'fred' in /etc/passwd *and* in AD ?
> >
> > If so, choose one and then delete the other, you cannot have them in
> > both.
> >
>
> I don't think you've done this before. Have you used security = ads?

ROFL ROFL ROFL

Can I direct you to my email address.

>
> I have dozens of servers and hundreds of users running just fine
> with this. Having the same user defined in both Linux and AD,
> and mapping it for authentication is the whole point.

That was the old way, if you are using AD, you do not need Unix users
in /etc/passwd and in fact, you should not have users in
both /etc/passwd and AD.
To make an AD user a Unix user, either add RFC2307 attributes to the
users object in AD and then use the winbind 'ad' backend, or use the
'rid' backend, in which case you do not have to add anything to AD.

Can you also stop sending email directly to me and CCing the list, just
send to the list.

Rowland

Jeremy Allison via samba

Aug 9, 2016, 2:10:03 PM
But to clarify, they will then be user 'fred' and user 'DOMAIN\fred'.
Not the same name at all..

Michael Adam via samba

Aug 9, 2016, 2:10:03 PM
On 2016-08-09 at 14:49 -0300, francis picabia via samba wrote:
> On Tue, Aug 9, 2016 at 1:58 PM, Rowland Penny via samba <
> sa...@lists.samba.org> wrote:
>
> > On Tue, 9 Aug 2016 13:37:18 -0300
> > francis picabia <fpic...@gmail.com> wrote:
> >
> >
> > >
> > > getent passwd username
> > >
> > > (or "theusername") is not the literal command. I substitute
> > > 'username' here to protect the user id.
> > > getent passwd on the user does work and it returns uid and gid of
> > > 1000, exactly what we see in the /etc/passwd file. It is the same
> > > output as grep 'username' on /etc/passwd
> > >
> > > Remember, when winbind is off, it works. This is certainly bug 10604
> > > by all measures.
> >
> > And I think you have just posted your problem!
> >
> > Lets use 'fred' as one of your users, replace 'fred' with a real users
> > name
> >
> > Do you have a user called 'fred' in /etc/passwd *and* in AD ?
> >
> > If so, choose one and then delete the other, you cannot have them in
> > both.
> >
>
> I don't think you've done this before. Have you used security = ads?
>
> I have dozens of servers and hundreds of users running just fine
> with this. Having the same user defined in both Linux and AD,
> and mapping it for authentication is the whole point.

No, this completely misses the point of winbind and security =
ads: Winbind removes the need to maintain local users on each
server. Instead you plug winbind into nsswitch and tell it to
use the same id mapping scheme on all servers, and hence you
have perfectly valid, same-looking unix users on all the servers
without ever touching the passwd and group files...

Cheers - Michael

francis picabia via samba

Aug 9, 2016, 2:10:05 PM
I'd like to see it documented in plain terms, not formula where
few people know what "rid in sid" means. It seems to me if
it were documented for the type security = ads case for
Linux, this would be a template to start with, and not
looking for magic values as many users have come to
rely on (see the Samba and Debian bug reports for people
who think the range beginning at 1000 was some magic solution).

Look, you get into your car, and do you look at an RPM value
and gear indicator, compute the tire size P215R16
and figure out the speed? No, there is a calibrated instrument for it.

Well, what is sitting in front of us, a frigging computer!

Why can't samba/winbind look at nsswitch, determine there is
nothing like NIS and LDAP, lookup the UID values in /etc/passwd,
and make ranges on the fly? The end user does not care
what their values are - they only want "Map Network Drive"
to work and get something done. I suspect the computer
on Apollo missions could have achieved this range computation.
Avoid the use of the * plus domain name? I'd agree, but this
is how it is documented, so I'm trying to play along and
see if magic beans fall out of the sky and it works, like
it does for the other users who have found magic solutions.


> > idmap config mydom : range = 100001-110000
> > idmap config mydom : backend = rid
> > idmap config *:range = 65535-100000
> > idmap config * : backend = tbd
>
> Typo in the config? tdb <--> tbd ?
>

I've tried with only the rid backend and always the same behaviour. It is
a documented bug.


>
> Cheers - Michael

francis picabia via samba

Aug 9, 2016, 2:20:04 PM
In my systems [homes] is something they use on the Linux system where
they have access via ssh or mapping the network drive. It isn't a new
thing. I've used it for over a decade without major problems. When
winbind is left out of nsswitch.conf, we can control that only users
with an account on the specific box can access it.

francis picabia via samba

Aug 9, 2016, 2:30:03 PM
On Tue, Aug 9, 2016 at 3:00 PM, Rowland Penny via samba <
sa...@lists.samba.org> wrote:

> On Tue, 9 Aug 2016 14:49:37 -0300
> francis picabia <fpic...@gmail.com> wrote:
>
> > On Tue, Aug 9, 2016 at 1:58 PM, Rowland Penny via samba <
> > sa...@lists.samba.org> wrote:
> >
> > > On Tue, 9 Aug 2016 13:37:18 -0300
> > > francis picabia <fpic...@gmail.com> wrote:
> > >
> > >
> > > >
> > > > getent passwd username
> > > >
> > > > (or "theusername") is not the literal command. I substitute
> > > > 'username' here to protect the user id.
> > > > getent passwd on the user does work and it returns uid and gid of
> > > > 1000, exactly what we see in the /etc/passwd file. It is the same
> > > > output as grep 'username' on /etc/passwd
> > > >
> > > > Remember, when winbind is off, it works. This is certainly bug
> > > > 10604 by all measures.
> > >
> > > And I think you have just posted your problem!
> > >
> > > Lets use 'fred' as one of your users, replace 'fred' with a real
> > > users name
> > >
> > > Do you have a user called 'fred' in /etc/passwd *and* in AD ?
> > >
> > > If so, choose one and then delete the other, you cannot have them in
> > > both.
>

Here you wrote that a user *cannot* be in both /etc/passwd and AD.

> >
> >
> > I don't think you've done this before. Have you used security = ads?
>
> ROFL ROFL ROFL
>
> Can I direct you to my email address.
>
> >
> > I have dozens of servers and hundreds of users running just fine
> > with this. Having the same user defined in both Linux and AD,
> > and mapping it for authentication is the whole point.
>
> That was the old way, if you are using AD, you do not need Unix users
> in /etc/passwd and in fact, you should not have users in
> both /etc/passwd and AD.
>

*Should* not? What does that mean? Sounds different than can not.


> To make an AD user a Unix user, either add RFC2307 attributes to the
> users object in AD and then use the winbind 'ad' backend, or use the
> 'rid' backend, in which case you do not have to add anything to AD.
>

Now we *can* have a Unix user in AD?

I'm not sure which of the three statements has any meaning. I don't know if
English is your native language, but there are differences in truth logic
in the three ways the statement on user mapping support has been made.

I've been working with the third statement being true and exercising the
rid option.

Rowland Penny via samba

Aug 9, 2016, 2:30:03 PM
On Tue, 9 Aug 2016 15:05:34 -0300
francis picabia <fpic...@gmail.com> wrote:


>
> I'd like to see it documented in plain terms, not formula where
> few people know what "rid in sid" means. It seems to me if
> it were documented for the type security = ads case for
> Linux, this would be a template to start with, and not
> looking for magic values as many users have come to
> rely on (see the Samba and Debian bug reports for people
> who think the range beginning at 1000 was some magic solution).
>
> Look, you get into your car, and do you look at an RPM value
> and gear indicator, compute the tire size P215R16
> and figure out the speed? No, there is a calibrated instrument for
> it.
>
> Well, what is sitting in front of us, a frigging computer!
>
> Why can't samba/winbind look at nsswitch, determine there is
> nothing like NIS and LDAP, lookup the UID values in /etc/passwd,
> and make ranges on the fly? The end user does not care
> what their values are - they only want "Map Network Drive"
> to work and get something done. I suspect the computer
> on Apollo missions could have achieved this range computation.

I will tell you why looking in /etc/passwd will not work, Michael has
pointed out that with 'winbind use default domain = yes' in smb.conf,
you only have one user 'fred' and he cannot exist in two places at once.
If you don't have that line in smb.conf, as Jeremy pointed out, you can
have a user called 'fred' in /etc/passwd and another user called 'fred'
in AD, but they would not be the same user.

As for the Apollo computer, I doubt it would have had the spare
capacity to do what you suggest, it was too busy doing everything else.

Rowland

Rowland Penny via samba

Aug 9, 2016, 2:40:03 PM
On Tue, 9 Aug 2016 15:21:53 -0300
francis picabia via samba <sa...@lists.samba.org> wrote:

> On Tue, Aug 9, 2016 at 3:00 PM, Rowland Penny via samba <
> sa...@lists.samba.org> wrote:
>

>
> Now we *can* have a Unix user in AD?

Well sort of, you can 'extend' a Windows user by adding RFC2307
attributes and this will make (as far as the Unix OS is concerned) the
user a Unix user

>
> I'm not sure which of the three statements has any meaning. I don't
> know if English is your native language, but there are differences in
> truth logic in the three ways the statement on user mapping support
> has been made.

Well, my native language probably was something along the lines of
'goo-goo-gagga', but then I learnt English and have been speaking it
for the last 60 years, but thanks for pointing out my supposed mistakes.


>
> I've been working with the third statement being true and exercising
> the rid option.

Can I suggest you put it back, or add the RFC2307 attributes and use
the winbind 'ad' backend instead.

Rowland

francis picabia via samba

Aug 9, 2016, 3:10:03 PM
On Tue, Aug 9, 2016 at 3:35 PM, Rowland Penny via samba <
sa...@lists.samba.org> wrote:

> On Tue, 9 Aug 2016 15:21:53 -0300
> francis picabia via samba <sa...@lists.samba.org> wrote:
>
> > I've been working with the third statement being true and exercising
> > the rid option.
>
> Can I suggest you put it back, or add the RFC2307 attributes and use
> the winbind 'ad' backend instead.
>

ex·er·cise
ˈeksərˌsīz/

noun

the use or application of a faculty, right, or process.

Rowland Penny via samba
Aug 9, 2016, 3:30:04 PM
On Tue, 9 Aug 2016 16:04:04 -0300
francis picabia via samba <sa...@lists.samba.org> wrote:

> On Tue, Aug 9, 2016 at 3:35 PM, Rowland Penny via samba <
> sa...@lists.samba.org> wrote:
>
> > On Tue, 9 Aug 2016 15:21:53 -0300
> > francis picabia via samba <sa...@lists.samba.org> wrote:
> >
> > > I've been working with the third statement being true and
> > > exercising the rid option.
> >
> > Can I suggest you put it back, or add the RFC2307 attributes and use
> > the winbind 'ad' backend instead.
> >
>
> ex·er·cise
> ˈeksərˌsīz/
>
> noun
>
> the use or application of a faculty, right, or process.


Thank you for pointing out another of my mistakes, I thought it was a
spelling mistake on your part, so I (again) apologise for that mistake.
I also apologise for anything else I might have done that upset you.

Can we now put this to bed and stop nit-picking every slight mistake?

Rowland

francis picabia via samba
Aug 9, 2016, 3:40:02 PM

That's like saying a beer poured from a bottle into the glass is not the
same beer.
If that is what all this disagreement has been about, it is very sad.

We've modified our smb.conf shares about 10 years ago to have
valid users with MYDOM\user and it has worked very well. It is
still working well for the most part.

Rowland Penny via samba
Aug 9, 2016, 3:50:03 PM
If you cannot understand that 'fred' and 'DOMAIN\fred' are different
users, then try and understand it this way: user 'fred' is not the same
user as 'barney', do you agree with this?
Now replace 'barney' with 'DOMAIN\fred': the 'DOMAIN\' bit makes him a
different user.


>
> We've modified our smb.conf shares about 10 years ago to have
> valid users with MYDOM\user and it has worked very well. It is
> still working well for the most part.

Yes, and in ten years a lot of Samba has changed.

Rowland

Michael Adam via samba
Aug 9, 2016, 3:50:03 PM
No, these two are two different objects
('winbind use default domain' just obfuscates that fact).

They are different users the same way as users from two
different AD domains with the same username are different
users. In that case you would not claim that they
are the same (DOM1\user and DOM2\user), because they
also have different SIDs.

Unix does not have worldwide unique user ids (alas!), but still a
user brought in from an AD is different from the local user.

So it's not cosmetic. It's fundamental.

Michael

Steve Ankeny via samba
Aug 9, 2016, 4:00:08 PM
On 08/09/2016 03:29 PM, francis picabia via samba wrote:
> We've modified our smb.conf shares about 10 years ago to have
> valid users with MYDOM\user and it has worked very well. It is
> still working well for the most part.

10 years ago Samba was configured as a traditional NT Domain, not so
Active Directory.

It's not "pouring beer from a bottle (NT Domain) into a glass (AD)" but
"opening a 'new' bottle of beer"

In other words, it's two different sets of users (one described by
smb.conf and the other in the AD LDAP DB)

Steve Ankeny via samba
Aug 9, 2016, 4:00:08 PM
On 08/09/2016 03:18 PM, Rowland Penny via samba wrote:
> On Tue, 9 Aug 2016 16:04:04 -0300
> francis picabia via samba <sa...@lists.samba.org> wrote:
>
>> On Tue, Aug 9, 2016 at 3:35 PM, Rowland Penny via samba <
>> sa...@lists.samba.org> wrote:
>>
>>> On Tue, 9 Aug 2016 15:21:53 -0300
>>> francis picabia via samba <sa...@lists.samba.org> wrote:
>>>
>>>> I've been working with the third statement being true and
>>>> exercising the rid option.
>>> Can I suggest you put it back, or add the RFC2307 attributes and use
>>> the winbind 'ad' backend instead.
>>>
>> ex·er·cise
>> ˈeksərˌsīz/
>>
>> noun
>>
>> the use or application of a faculty, right, or process.
>
> Thank you for pointing out another of my mistakes, I thought it was a
> spelling mistake on your part, so I (again) apologise for that mistake.
> I also apologise for anything else I might have done that upset you.
>
> Can we now put this to bed and stop nit-picking every slight mistake.
>
> Rowland
>
I'm not sure what your mistake was but "exercise" is being used as a
verb in the sentence above.

exercised; exercising <http://www.merriam-webster.com/dictionary/exercise>

transitive verb

1 a : to make effective in action : use
<http://www.merriam-webster.com/dictionary/use> <didn't exercise good
judgment>

  b : to bring to bear : exert
<http://www.merriam-webster.com/dictionary/exert> <exercise influence>

  c : to implement the terms of (as an option)

'Course, it means much the same as what it means as a noun.

(caveat: I am a teacher by vocation)

James B. Byrne via samba
Aug 9, 2016, 10:30:07 PM

On Tue, August 9, 2016 14:00, Rowland Penny wrote:
>
> That was the old way, if you are using AD, you do not need Unix users
> in /etc/passwd and in fact, you should not have users in
> both /etc/passwd and AD.
> To make an AD user a Unix user, either add RFC2307 attributes to the
> users object in AD and then use the winbind 'ad' backend, or use the
> 'rid' backend, in which case you do not have to add anything to AD.

I have zero experience with this so my question may appear fairly
naive. What about user home directories and shells on *NIX hosts
other than the AD-DC? I read somewhere that user UNIX Attributes
other than UID and GID are not implemented in Samba.


My use-case would be sshd session authentication on a remote host
using an AD-DC PAM module.


--
*** e-Mail is NOT a SECURE channel ***
Do NOT transmit sensitive data via e-Mail
Do NOT open attachments nor follow links sent by e-Mail

James B. Byrne mailto:Byr...@Harte-Lyne.ca
Harte & Lyne Limited http://www.harte-lyne.ca
9 Brockley Drive vox: +1 905 561 1241
Hamilton, Ontario fax: +1 905 561 0757
Canada L8E 3C3

Rowland Penny via samba
Aug 10, 2016, 4:10:02 AM
On Tue, 9 Aug 2016 22:22:55 -0400
"James B. Byrne via samba" <sa...@lists.samba.org> wrote:

>
> On Tue, August 9, 2016 14:00, Rowland Penny wrote:
> >
> > That was the old way, if you are using AD, you do not need Unix
> > users in /etc/passwd and in fact, you should not have users in
> > both /etc/passwd and AD.
> > To make an AD user a Unix user, either add RFC2307 attributes to the
> > users object in AD and then use the winbind 'ad' backend, or use the
> > 'rid' backend, in which case you do not have to add anything to AD.
>
> I have zero experience with this so my question may appear fairly
> naive. What about user home directories and shells on *NIX hosts
> other than the AD-DC? I read somewhere that user UNIX Attributes
> other than UID and GID are not implemented in Samba.
>
>
> My use-case would be sshd session authentication on a remote host
> using an AD-DC PAM module.
>
>

I think you have misunderstood this, if you use a Samba AD DC as a
fileserver, then winbindd only uses the uidNumber & gidNumber
attributes. On a Unix domain member, winbindd will use all available
RFC2307 attributes, including loginShell & unixHomeDirectory.

Rowland

francis picabia via samba
Aug 10, 2016, 7:50:03 AM
On Tue, Aug 9, 2016 at 4:47 PM, Steve Ankeny via samba <
Yep, that's right. I used a verb and gave a definition for the noun from
which it is derived and shares common meaning.

By the initial response ("put it back") I suspect he initially read it as
"excise" or "excising" - to remove something.

Michael Adam via samba
Aug 10, 2016, 8:30:04 AM
On 2016-08-09 at 15:05 -0300, francis picabia wrote:
> On Tue, Aug 9, 2016 at 2:48 PM, Michael Adam <ob...@samba.org> wrote:
> >
> > Why are you so keen on starting a range directly above the
> > smallest used id number from the files?
> >
>
> I'd like to see it documented in plain terms, not formula where
> few people know what "rid in sid" means. It seems to me if
> it were documented for the type security = ads case for
> Linux, this would be a template to start with, and not
> looking for magic values as many users have come to
> rely on (see the Samba and Debian bug reports for people
> who think the range beginning at 1000 was some magic solution).
>
> Look, you get into your car, and do you look at an RPM value
> and gear indicator, compute the tire size P215R16
> and figure out the speed? No, there is a calibrated instrument for it.

That comparison is invalid, imho: What you as an administrator
of a Samba installation are doing is providing such a smooth
experience for the car drivers. Imagine you, the admin, as
someone who assembles that car from pre-manufactured pieces
that need to be adapted and put together appropriately.
Some of these parts are very general and can be adapted for
many different kinds of cars. So you have to be knowledgeable
in adapting the part to the circumstances.

Likewise Samba is a very flexible tool.
You can adapt it to many special circumstances.
Hence you as the administrator need to have a good
amount of understanding of how it works and fits
together. It is this understanding that I was trying
to increase with my first explanation which you
found too analytical.

I am all in for keeping things simple and automatic,
but given the versatility of use cases, especially
id-mapping setup is currently not that automatic in Samba.

If you find it too cumbersome and don't want to dig
that deeply into ad-integration and id-mapping, then
you could consider some of the appliances out there.
There are systems that have put Samba into a much
more narrow set of use-cases, providing easy GUIs for
their supported setups, so you don't need to bother
about all the details below.

> Well, what is sitting in front of us, a frigging computer!
>
> Why can't samba/winbind look at nsswitch, determine there is
> nothing like NIS and LDAP, lookup the UID values in /etc/passwd,
> and make ranges on the fly? The end user does not care
> what their values are - they only want "Map Network Drive"
> to work and get something done.

The end user will never see it or care.
But the admin who sets up the server will have to!

Sure, samba could try to be clever and
automagically come up with something.
And it would even work in many cases.
But it will also break quite a few.
Er ... Avoid using 'winbind use default domain = Yes'.


> > > idmap config mydom : range = 100001-110000
> > > idmap config mydom : backend = rid
> > > idmap config *:range = 65535-100000
> > > idmap config * : backend = tbd
> >
> > Typo in the config? tdb <--> tbd ?
>
> I've tried with only the rid backend and always the same behaviour.

You need the * config.
But you have a typo in your backend spelling.
It has to be 'tdb', not 'tbd' ....

> It is a documented bug.

What is a documented bug?
Up to now, I think I have only seen expected
behavior in your descriptions.

Cheers - Michael
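Michael's two points above (the '*' default domain must exist, and 'tbd' is not a backend) as an added checker; this is my own code, not Samba's, and the list of backend names and the SID below are assumptions. It parses the four idmap lines quoted in the post, reports unknown backends and overlapping ranges, and applies the idmap_rid mapping ID = RID - BASE_RID + LOW_RANGE_ID from the idmap_rid man page (base_rid at its default of 0) to show where a RID lands in the 100001-110000 range.

```python
import re
from typing import Dict, List, Optional, Tuple

# Assumed set of idmap backend names a practitioner meets; 'tbd' is not one.
KNOWN_BACKENDS = {"tdb", "tdb2", "rid", "ad", "autorid", "ldap", "nss", "hash"}

# Matches 'idmap config DOM : option = value', with or without spaces at ':'.
IDMAP_RE = re.compile(
    r"^\s*idmap\s+config\s+(?P<dom>[^:\s]+)\s*:\s*(?P<opt>\w+)\s*=\s*(?P<val>.+?)\s*$",
    re.IGNORECASE,
)

# Constructed smb.conf fragment repeating the four lines from the post.
PAGE_CFG = """
[global]
   idmap config mydom : range = 100001-110000
   idmap config mydom : backend = rid
   idmap config *:range = 65535-100000
   idmap config * : backend = tbd
"""

def parse_idmap_config(text: str) -> Dict[str, Dict[str, str]]:
    """Collect idmap options per domain; '*' is the default domain."""
    cfg: Dict[str, Dict[str, str]] = {}
    for line in text.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            cfg.setdefault(m["dom"].upper(), {})[m["opt"].lower()] = m["val"].lower()
    return cfg

def parse_range(value: str) -> Tuple[int, int]:
    """'low-high' -> (low, high); rejects empty, inverted or non-numeric ranges."""
    low, high = (int(part) for part in value.split("-", 1))
    if low >= high:
        raise ValueError(f"range '{value}' is empty or inverted")
    return low, high

def check_idmap_config(text: str) -> List[str]:
    """Return the problems found; an empty list means the idmap block looks sane."""
    cfg = parse_idmap_config(text)
    problems: List[str] = []
    if "*" not in cfg:
        problems.append("no 'idmap config * : ...' default domain")
    ranges: List[Tuple[str, int, int]] = []
    for dom, opts in cfg.items():
        backend = opts.get("backend")
        if backend is None:
            problems.append(f"{dom}: no backend configured")
        elif backend not in KNOWN_BACKENDS:
            problems.append(f"{dom}: unknown backend '{backend}'")
        if "range" not in opts:
            problems.append(f"{dom}: no range configured")
            continue
        try:
            low, high = parse_range(opts["range"])
            ranges.append((dom, low, high))
        except ValueError as exc:
            problems.append(f"{dom}: {exc}")
    # Ranges of different domains must not overlap, or an ID would be ambiguous.
    ranges.sort(key=lambda r: r[1])
    for (d1, _, h1), (d2, l2, _) in zip(ranges, ranges[1:]):
        if l2 <= h1:
            problems.append(f"ranges of {d1} and {d2} overlap")
    return problems

def rid_to_id(rid: int, low: int, high: int, base_rid: int = 0) -> Optional[int]:
    """idmap_rid: ID = RID - BASE_RID + LOW_RANGE_ID; None if outside the range."""
    unix_id = rid - base_rid + low
    return unix_id if low <= unix_id <= high else None

def sid_to_id(sid: str, text: str, domain: str) -> Optional[int]:
    """Map a SID through the 'rid' range configured for 'domain' in 'text'."""
    opts = parse_idmap_config(text).get(domain.upper(), {})
    if opts.get("backend") != "rid" or "range" not in opts:
        return None
    low, high = parse_range(opts["range"])
    return rid_to_id(int(sid.rsplit("-", 1)[1]), low, high)

if __name__ == "__main__":
    print(check_idmap_config(PAGE_CFG))  # flags the 'tbd' typo
    # Constructed SID; the domain part is made up, RID 1106 is a typical user RID.
    print(sid_to_id("S-1-5-21-111-222-333-1106", PAGE_CFG, "mydom"))  # 101107
```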

francis picabia via samba
Aug 10, 2016, 9:50:04 AM
On Tue, Aug 9, 2016 at 4:56 PM, Steve Ankeny via samba <
sa...@lists.samba.org> wrote:

> On 08/09/2016 03:29 PM, francis picabia via samba wrote:
>
>> We've modified our smb.conf shares about 10 years ago to have
>> valid users with MYDOM\user and it has worked very well. It is
>> still working well for the most part.
>>
>
> 10 years ago Samba was configured as a traditional NT Domain, not so
> Active Directory.
>
> It's not "pouring beer from a bottle (NT Domain) into a glass (AD)" but
> "opening a 'new' bottle of beer"
>
> In other words, it's two different sets of users (one described by
> smb.conf and the other in the AD LDAP DB)
>
>
Ha ha. I wondered last night if the beer analogy would work best, and it
seems so.

Here is why it is not a new bottle of beer.

The right hand is pouring the bottle, and the left hand is holding the
glass, tilted slightly to avoid frothing, so the user is most pleased.
In between the hands there is an administrative unit known as the brain
which has established a trust between the left and the right hand being
under a common administration.

There are indeed organizations where the left hand doesn't know what
the right hand is doing, but in general that is not the case, and we have
checks to keep things aligned.

There may be a reason why a developer would want to assume
this is a new bottle of beer in light of recent security issues.

On a few dozen systems running Linux and Solaris and in production,
MYDOM\username = username as far as we are concerned. It isn't
unique to Samba. Many applications have a local user which
maps to the AD user and make the assumption they are the same,
which we can do because we administer both ends. We're not
talking about self-sign up portals and mailing lists, but things
which are under one administration.

Other than the case of bug report 10604 and Samba 4.2.10 on Debian,
this solution has been working well for us.

Rowland Penny via samba
Aug 10, 2016, 10:10:03 AM
On Wed, 10 Aug 2016 10:42:11 -0300
francis picabia via samba <sa...@lists.samba.org> wrote:

>
> On a few dozen systems running Linux and Solaris and in production,
> MYDOM\username = username as far as we are concerned. It isn't
> unique to Samba. Many applications have a local user which
> maps to the AD user and make the assumption they are the same,
> which we can do because we administer both ends. We're not
> talking about self-sign up portals and mailing lists, but things
> which are under one administration.
>
> Other than the case of bug report 10604 and Samba 4.2.10 on Debian,
> this solution has been working well for us.

Sorry, but you still don't seem to have got the message: you map local
Unix users to AD users only if you are using Samba as a standalone
server or in an NT4-style domain.

You do not map users in an AD domain, you make the AD users become
local Unix users by adding RFC2307 attributes or by using the winbind
'rid' backend. This way, you do not need the users in /etc/passwd and
in fact, they must not be in /etc/passwd.

rowland@devstation:~$ getent passwd rowland
rowland:*:10000:10000:Rowland Penny:/home/rowland:/bin/bash
rowland@devstation:~$ cat /etc/passwd | grep rowland
rowland@devstation:~$
rowland@devstation:~$

As you can see, I exist as a local Unix user, but I am not
in /etc/passwd

Rowland

francis picabia via samba
Aug 10, 2016, 10:40:03 AM
On Wed, Aug 10, 2016 at 11:04 AM, Rowland Penny via samba <
We're not interested in that solution. On one system I may have tcsh shell,
or bash on another. We have different home paths on different systems as
well. These systems have local storage, not a SAN providing
/home/MYDOM/username to a user on any system. I can't imagine how ssh keys
would be handled with one big unified home directory scheme.

I believe we are using it like NT4 style domain with rid user mapping. AD
is running on Windows servers.

James B. Byrne via samba
Aug 10, 2016, 11:20:02 AM

On Wed, August 10, 2016 03:59, Rowland Penny wrote:
> On Tue, 9 Aug 2016 22:22:55 -0400
> "James B. Byrne via samba" <sa...@lists.samba.org> wrote:
>>
>> I have zero experience with this so my question may appear fairly
>> naive. What about user home directories and shells on *NIX hosts
>> other than the AD-DC? I read somewhere that user UNIX Attributes
>> other than UID and GID are not implemented in Samba.
>>
>>
>> My use-case would be sshd session authentication on a remote host
>> using an AD-DC PAM module.
>>
>>
>
> I think you have misunderstood this, if you use a Samba AD DC as a
> fileserver, then winbindd only uses the uidNumber & gidNumber
> attributes. On a Unix domain member, winbindd will use all available
> RFC2307 attributes, including loginShell & unixHomeDirectory.
>

You are correct. I did not know this. So that I can get this clear in
my own head let me restate this case by case:

1. Logon to AD from a Windows OS domain member. User obtains UID,
GID from LDAP but ignores shell (there is no alternative to MS-Windows
on the client) and the home directory (which is the USERS home drive
share or local drive in any case).

2. Logon to AD from a *NIX OS domain member. User obtains UID, GID,
shell, and home directory path from AD.

Is this correct?

Is there a reference as to how UNIX hosts are added to the Domain
(SSSD?) or is that unnecessary? I ask because one of my goals is to
implement a single sign-on for our Unix host users via the Samba AD.
These machines come and go but not with any great frequency. Many are
themselves virtualised. Most are accessed via ssh or using OPENVPN
(which will be certificate based anyway).

I am hoping that adding the PAM AD authentication will alleviate some
of the tediousness of setting up temporary hosts for an unknown number
of users. Respecting which, are there references to any scripts that
can be run to automatically set-up a user's home directory upon first
login to an AD authenticated *NIX host?

Sincerely,




Rowland Penny via samba
Aug 10, 2016, 11:30:03 AM
On Wed, 10 Aug 2016 11:36:45 -0300
Can I introduce you to a couple of smb.conf settings:

template shell = /bin/bash
template homedir = /home/%U

These, along with the winbind 'rid' backend, will extend your
AD users and do what you require, with the extra benefit of only having
one place to store your users' authentication info.

> These systems have local storage, not a SAN
> providing /home/MYDOM/username to a user on any system. I can't
> imagine how ssh keys would be handled with one big unified home
> directory scheme.

Can I also introduce you to the concept of using Kerberos with ssh?

>
> I believe we are using it like NT4 style domain with rid user
> mapping. AD is running
> on Windows servers.

NT4-style domain != AD domain

Rowland

Rowland Penny via samba
Aug 10, 2016, 12:00:03 PM
On Wed, 10 Aug 2016 11:16:36 -0400
"James B. Byrne via samba" <sa...@lists.samba.org> wrote:


>
> You are correct. I did not know this. So that I can get this clear in
> my own head let me restate this case by case:
>
> 1. Logon to AD from a Windows OS domain member. User obtains UID,
> GID from LDAP but ignores shell (there is no alternative to MS-Windows
> on the client) and the home directory (which is the USERS home drive
> share or local drive in any case).

No, it is only if you log into the DC that you only get the IDs,
anywhere else and you can use the RFC2307 attributes if they are set.

>
> 2. Logon to AD from a *NIX OS domain member. User obtains UID, GID,
> shell, and home directory path from AD.

Sort of, it all depends on how smb.conf on the domain member is set up.

If you want to obtain the info from AD, it must be in AD and Samba must
be set up to get it.

Try reading this wiki page:
https://wiki.samba.org/index.php/Setup_Samba_as_an_AD_Domain_Member

>
> Is there a reference as to how UNIX hosts are added to the Domain

That is on the wiki page, but it is fairly simple: set up the host
correctly including smb.conf and then run:

net ads join -U Administrator

> (SSSD?) or is that unnecessary?

The only place where you may need sssd, is on a DC and then only if you
want to use it as a fileserver along with using the RFC2307 attributes
stored in AD.

> I ask because one of my goals is to
> implement a single sign-on for our Unix host users via the Samba AD.

If you mean storing your Unix users in AD and then allowing them to
login to Unix machines that are joined to the domain, then this is
very possible. The users home directories don't have to exist, you can
set PAM to create these at login.

> These machines come and go but not with any great frequency. Many are
> themselves virtualised. Most are accessed via ssh or using OPENVPN
> (which will be certificate based anyway).
>
> I am hoping that adding the PAM AD authentication will alleviate some
> of the tediousness of setting up temporary hosts for an unknown number
> of users. Respecting which, are there references to any scripts that
> can be run to automatically set-up a user's home directory upon first
> login to an AD authenticated *NIX host?

You do this by adding this line to /etc/pam.d/common-account:

session required pam_mkhomedir.so skel=/etc/skel/ umask=0022

Rowland

francis picabia via samba
Aug 10, 2016, 12:20:03 PM
On Wed, Aug 10, 2016 at 12:17 PM, Rowland Penny via samba <
In my world, one user wants zsh, another wants bash.
In my world home directories can involve departments in
the homedir path on only certain servers.

There are likely a dozen flaming hoops I could set up
to make every legacy thing work, but it would be
too much effort and admin overhead for what it does.

/etc/passwd did everything we needed and it still does.


> > These systems have local storage, not a SAN
> > providing /home/MYDOM/username to a user on any system. I can't
> > imagine how ssh keys would be handled with one big unified home
> > directory scheme.
>
> Can I also introduce you to the concept of using kerberos with ssh
>

That might be interesting, as we could turn off winbind, allowing
file shares and AD authentication to work reliably.


> >
> > I believe we are using it like NT4 style domain with rid user
> > mapping. AD is running
> > on Windows servers.
>
> NT4-style domain != AD domain
>

Rowland Penny via samba
Aug 10, 2016, 12:30:03 PM
On Wed, 10 Aug 2016 13:12:37 -0300
francis picabia <fpic...@gmail.com> wrote:

>
> That might be interesting, as we could turn off winbind, allowing
> file shares and AD authentication to work reliably.
>

I give in, that's me waving the white flag over there, just set Samba
up as you like, it probably won't be the right way, but hey, they are
your machines and you can do as you like.

Now, please go away

Rowland

James B. Byrne via samba
Aug 12, 2016, 4:50:03 PM

On Wed, August 10, 2016 11:47, Rowland Penny wrote:

>> 1. Logon to AD from a Windows OS domain member. User obtains UID,
>> GID from LDAP but ignores shell (there is no alternative to
>> MS-Windows
>> on the client) and the home directory (which is the USERS home drive
>> share or local drive in any case).
>
> No, it is only if you log into the DC that you only get the IDs,
> anywhere else and you can use the RFC2307 attributes if they are set.
>

Got it. Thanks.
Thank you for this. You have been most helpful.


