How to set up a Samba share for an Active Directory user group?
Good day to all!
There is a domain on Windows AD. It has many containers with even more users. I set up a Samba server on Debian 8. In smb.conf I specified the idmap range, 10000-11000, and the group that has access to the share. How do I set up the Samba server so that only users of this group get into the idmap? The fact is that there are a lot of users, and expanding the idmap range is fraught with a long request processing time (as it seems to me).
Set up rid as the backend, then the user ID in Linux will match the RID (the last part of the SID) in Windows. I've done it like this:
#---
idmap config * : backend = tdb
idmap config * : range = 1300000-1999999
idmap config <my domain> : backend = rid
idmap config <my domain> : range = 100 - 999999
idmap config <my domain> : base_rid = 100
idmap config BUILTIN : backend = rid
idmap config BUILTIN : range = 1000000 - 1099999
idmap config BUILTIN : base_rid = 0
idmap config NT AUTHORITY : backend = rid
idmap config NT AUTHORITY : range = 1100000 - 1199999
idmap config NT AUTHORITY : base_rid = 0
idmap config <server name> : backend = rid
idmap config <server name> : range = 1200000 - 1299999
idmap config <server name> : base_rid = 0
#---
The fact is that there are about five hundred users in my container, and about 100,000 users across the entire domain. If you just change the range, which one should be used for the range?
I changed the range to idmap config * : range = 100000-200000 and reset the winbind cache. I think there are now enough IDs for all domain objects.
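An added example, not part of the thread and not Samba's own code: a small Python check that parses `idmap config` lines, reports ID ranges that overlap (which would let two different SIDs resolve to the same Unix ID), and computes the ID the rid backend would assign to a SID. It assumes the mapping ID = RID - base_rid + low end of the range, as given in the idmap_rid documentation for versions that honour base_rid; the domain name EXAMPLE, the SIDs and the sample config are constructed.

```python
import re

# Matches lines such as: idmap config EXAMPLE : range = 100 - 999999
LINE = re.compile(r"^\s*idmap config\s+(.+?)\s*:\s*(\w+)\s*=\s*(.+?)\s*$")

def parse_idmap(conf_text):
    """Return {domain: {"backend": str, "range": (low, high), "base_rid": int}}."""
    domains = {}
    for line in conf_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # comments, blank lines, unrelated settings
        domain, key, value = m.groups()
        entry = domains.setdefault(domain, {"base_rid": 0})
        if key == "range":
            low, high = (int(x) for x in value.split("-"))
            entry["range"] = (low, high)
        elif key == "base_rid":
            entry["base_rid"] = int(value)
        else:
            entry[key] = value
    return domains

def overlaps(domains):
    """Pairs of domains whose ID ranges intersect (two SIDs could share one ID)."""
    items = sorted((d, c["range"]) for d, c in domains.items() if "range" in c)
    return [(a, b) for i, (a, ra) in enumerate(items)
            for b, rb in items[i + 1:] if ra[0] <= rb[1] and rb[0] <= ra[1]]

def rid_to_id(domains, domain, sid):
    """Unix ID for a SID under the rid backend, or None if outside the range."""
    cfg = domains[domain]
    low, high = cfg["range"]
    rid = int(sid.rsplit("-", 1)[1])       # RID = last sub-authority of the SID
    unix_id = rid - cfg["base_rid"] + low  # assumed idmap_rid formula (see lead-in)
    return unix_id if low <= unix_id <= high else None

# Constructed sample modelled on the thread; EXAMPLE stands in for the domain name.
SAMPLE = """
idmap config * : backend = tdb
idmap config * : range = 100000-200000
idmap config EXAMPLE : backend = rid
idmap config EXAMPLE : range = 100 - 999999
idmap config EXAMPLE : base_rid = 100
"""

if __name__ == "__main__":
    cfg = parse_idmap(SAMPLE)
    print("overlapping ranges:", overlaps(cfg))
    print("RID 1105 ->", rid_to_id(cfg, "EXAMPLE", "S-1-5-21-1111-2222-3333-1105"))
```

Any pair reported by `overlaps` should be resolved before the winbind cache is rebuilt, since file ownership on the share is decided by these numeric IDs.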