nielsd (Cadet) - Joined Apr 22, 2022 - Messages: 3
Hi all,
old PDC + AD
We have a Samba PDC ("server") with AD (managed by Windows RSAT) with Roaming Profiles on an old "FreeNAS 10".
Code:
[root@server] ~# wbinfo -i "SRG2\niels"
SRG2\niels:*:3000187:20:
The "server" config
Code:
[global]
server min protocol = CORE
server max protocol = SMB3
encrypt passwords = yes
dns proxy = no
strict locking = no
oplocks = yes
deadtime = 15
max log size = 51200
max open files = 941843
logging = file
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes
getwd cache = yes
guest account = nobody
map to guest = Bad User
obey pam restrictions = yes
directory name cache size = 0
kernel change notify = no
panic action = /usr/local/libexec/samba/samba-backtrace
nsupdate command = /usr/local/bin/samba-nsupdate -g
server string = SRG Server (neu)
ea support = yes
store dos attributes = yes
lm announce = yes
time server = yes
null passwords = yes
acl allow execute always = true
dos filemode = yes
multicast dns register = yes
domain logons = yes
local master = yes
idmap config *: backend = tdb
idmap config *: range = 1000-100000000
server role = active directory domain controller
netbios name = SERVER
workgroup = SRG2
realm = SRG2.LOCAL
dns forwarder = 192.168.123.254
idmap_ldb:use rfc2307 = yes
create mask = 0660
directory mask = 0770
client ntlmv2 auth = yes
dos charset = CP437
unix charset = UTF-8
log level = 2
tls enabled = yes
tls keyfile = tls/key.pem
tls certfile = tls/cert.pem
tls cafile = tls/ca.pem
logon path = \\%L\profiles\%U
logon drive = L:
preexec = /mnt/pool/admin_tools/sbin/netlogon_create %U
nsupdate command = samba_dnsupdate
wins support = yes
unix extensions = no

[sysvol]
path = /var/db/samba4/sysvol
read only = no
vfs objects = zfs_space zfsacl
nfs4:mode = special
nfs4:acedup = merge
nfs4:chown = true
zfsacl:acesort = dontcare

[netlogon]
path = /var/db/samba4/sysvol/srg2.local/scripts
read only = no
vfs objects = zfs_space zfsacl
nfs4:mode = special
nfs4:acedup = merge
nfs4:chown = true
zfsacl:acesort = dontcare

[antivir]
path = ...
...
Joined a second / new PDC+ AD
I've added a new redundant Samba PDC with AD ("pdc2") to the domain just by joining it; it syncs fine with the old Samba PDC / AD and provides the same Unix UIDs/GIDs:
Code:
root@pdc2:~ # wbinfo -i "SRG2\niels" SRG2\niels:*:3000187:20:
The PDC2 config (as default / auto created by samba init):
Code:
root@pdc2:~ # cat /usr/local/etc/smb4.conf
# Global parameters
[global]
        netbios name = PDC2
        realm = SRG2.LOCAL
        server role = active directory domain controller
        workgroup = SRG2
### added by me
        wins support = yes
        # allow enumeration of winbind users and groups
        winbind enum users = yes
        winbind enum groups = yes
### end

[sysvol]
        path = /var/db/samba4/sysvol
        read only = No

[netlogon]
        path = /var/db/samba4/sysvol/srg2.local/scripts
        read only = No
Join new TrueNAS as NAS (only reads users/groups from AD)
But when I try to attach a new TrueNAS system (it should provide Samba shares), I'm unable to "match" the Unix UID/GID idmapping in any way (while TrueNAS persists in setting idmaps in the config):
Code:
root@nas3:~ # wbinfo -i "SRG2\niels"
SRG2\niels:*:1001333:1000513::
I tried to play with RID and AUTORID, but they did not provide consistent UIDs/GIDs.
How can I calculate the correct RID? The official docs are very diffuse to me on how to get and calculate the correct ranges.
Or does any other IDMAP mech suit here better?
TrueNAS (nas3) should only provide NAS shares (from ZFS) with the Users/Groups from AD without any local/own user management.
many thanks,
niels.
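The two wbinfo outputs in the post show two different allocators at work, and a worked model of the second one makes the RID question concrete. The following Python is an added example, not code from the post, from Samba or from TrueNAS. On the DCs, IDs such as 3000187 are handed out by the DC's own idmap.ldb allocator (which by default starts at 3000000) and cannot be derived from the account's RID at all, so a member server using the idmap_rid backend will never reproduce them. idmap_rid instead applies a fixed rule, ID = RID - base_rid + LOW, where LOW is the start of the configured "idmap config DOM : range". The range of 1000000-1999999 used below is an assumption: it is consistent with the gid 1000513 seen on nas3 (513 is the well-known RID of Domain Users) but is not stated in the post. The domain SID and the user RID 1333 are constructed sample values.

```python
"""
Added example (not from the original post, Samba or TrueNAS): a model of how
Samba's idmap_rid backend maps a domain SID to a Unix ID, with range checks,
so an ID mismatch between hosts can be reasoned about before ACLs are
written with the wrong owner.

Assumptions: the member server's idmap range is 1000000-1999999 (consistent
with the observed ids, not stated in the post); SIDs below are constructed.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Shape of a domain account SID: S-1-5-21-<sub1>-<sub2>-<sub3>-<RID>
_DOMAIN_SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+-(\d+)$")

# Well-known RID of the "Domain Users" group, fixed by the AD specification.
DOMAIN_USERS_RID = 513

# Default first xidNumber that a Samba AD DC's idmap.ldb allocator hands out.
# IDs like 3000187 on a DC come from that allocator, not from the RID.
DC_IDMAP_LDB_START = 3000000


def rid_of(sid: str) -> int:
    """Return the RID (last sub-authority) of a domain SID; reject other SIDs."""
    m = _DOMAIN_SID_RE.match(sid)
    if not m:
        raise ValueError(f"not a domain account SID: {sid!r}")
    return int(m.group(1))


@dataclass(frozen=True)
class RidRange:
    """One 'idmap config DOM : range = LOW-HIGH' entry for the idmap_rid backend."""
    low: int
    high: int
    base_rid: int = 0  # 'idmap config DOM : base_rid', default 0

    def xid_for_sid(self, sid: str) -> Optional[int]:
        """idmap_rid rule: ID = RID - base_rid + low; None when outside the range."""
        xid = rid_of(sid) - self.base_rid + self.low
        if self.low <= xid <= self.high:
            return xid
        return None  # winbind would leave this SID unmapped

    def rid_for_xid(self, xid: int) -> Optional[int]:
        """Reverse the rule: which RID produced a uid/gid seen in 'wbinfo -i'."""
        if not (self.low <= xid <= self.high):
            return None
        return xid - self.low + self.base_rid

    def max_rid(self) -> int:
        """Largest RID the range can hold; a domain keeps allocating RIDs upward."""
        return self.high - self.low + self.base_rid


def is_dc_allocated(xid: int) -> bool:
    """Heuristic: IDs at or above idmap.ldb's default start came from a DC allocator."""
    return xid >= DC_IDMAP_LDB_START


# Constructed sample data (not real SIDs from the post).
DOMAIN_SID = "S-1-5-21-111111111-222222222-333333333"
NIELS_SID = f"{DOMAIN_SID}-1333"
DOMAIN_USERS_SID = f"{DOMAIN_SID}-{DOMAIN_USERS_RID}"
NAS3_RANGE = RidRange(low=1000000, high=1999999)  # assumed, see module docstring


if __name__ == "__main__":
    print("nas3 uid for niels        :", NAS3_RANGE.xid_for_sid(NIELS_SID))
    print("nas3 gid for Domain Users :", NAS3_RANGE.xid_for_sid(DOMAIN_USERS_SID))
    print("RID behind uid 1001333    :", NAS3_RANGE.rid_for_xid(1001333))
    print("largest RID nas3 can map  :", NAS3_RANGE.max_rid())
    print("DC uid 3000187 from idmap.ldb allocator?", is_dc_allocated(3000187))
```

The practical consequence of the two rules is that a member server on idmap_rid is only consistent with other idmap_rid members that share the same range, never with the DC's idmap.ldb numbers, so ACLs written on the DC-hosted shares and on nas3 would name different Unix owners for the same AD account; checking `rid_for_xid` against `max_rid` also shows whether a chosen range is large enough for the domain's RID counter.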