[Samba] Trying to get uid and gid to match and getent to work

phwashington at tx.rr.com phwashington at tx.rr.com
Tue Nov 11 21:27:50 GMT 2008


Thanks, I'm working on the solution.  You are probably not the only one who 
hasn't tested this out.  So far I have gotten the other ldap server up.  And was 
also successful in shutting down 2 file servers which have been operational for 
2 years.  All I did was set the ldap log level to 8 on the Samba-ldap PDC.  
I'll keep working on it, but I'm not convinced that an LDAP backend is all that 
efficient now.  Especially considering we only have 200 entities in the 
database (Users, Computers, Groups).
 

---- Johan Hendriks <Johan at double-l.nl> wrote: 
> 
> 
> 
> >---- phwashington at tx.rr.com wrote: 
> >> I am using the following in my smb.conf on samba-3.0.28-0.el5.8
> >> 
> >> ..... snip .....
> 
> >Okay, I was able to get getent to work.
> >had to go back to ldconfig to get the library files to load the variants of libnss_winbind.
> >
> >So now am trying to get it to allow domain users to login and get the uid's and gid's to match across servers.
> 
> 
> The way to do this is to use an ldap backend on the file servers.
> On one member server the ldap is the master, and on all the others the ldap servers are slaves.
> I have not tested this (my network is not that large).
> 
> But this is also mentioned in the following doc:
> http://us3.samba.org/samba/docs/man/Samba-Guide/
> 
> Then in chapter 7 at the end there is the following:
>  
> What are the benefits of using LDAP for my domain member servers?
> 
> The key benefit of using LDAP is that the UID of all users and the GID of all groups are globally consistent on domain controllers as well as on domain member servers. This means that it is possible to copy/replicate files across servers without loss of identity.
> 
> When use is made of account identity resolution via winbind, even when an IDMAP backend is stored in LDAP, the UID/GID on domain member servers is consistent, but differs from the ID that the user/group has on domain controllers. The winbind allocated UID/GID that is stored in LDAP (or locally) will be in the numeric range specified in the idmap uid/gid in the smb.conf file. On domain controllers, the UID/GID is that of the POSIX value assigned in the LDAP directory as part of the POSIX account information. 
> 
> 
> One more thing: if you use the guide in chapter 7 and you come to the part about editing the nsswitch.conf file, do not use ldap there but winbind.
> The guide tells you to do this:
>  Edit the NSS control file /etc/nsswitch.conf so it has the following entries:
> 
> ...
> passwd: files ldap
> shadow: files ldap
> group:  files ldap
> ...
> hosts:  files wins
> 
> Use this instead:
> 
>  Edit the NSS control file /etc/nsswitch.conf so it has the following entries:
> 
> ...
> passwd: files winbind
> shadow: files winbind
> group:  files winbind
> ...
> hosts:  files wins
> 
> I hope this helps.
> 
> regards,
> Johan Hendriks
> Double L Automatisering




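The uid/gid divergence the quoted Samba-Guide passage describes (winbind allocating ids from the idmap range on a member server, while the domain controller returns the POSIX ids stored in LDAP) can be checked directly from `getent passwd` output captured on each host. The script below is an added example, not code from either post or from the Samba project; the domain name, account names and the idmap base of 10000 are constructed assumptions.

```shell
#!/bin/sh
# Added example (not from the thread or the Samba project): compare how two
# hosts resolve the same accounts. Capture "getent passwd" on each host into a
# file, then diff the uid/gid columns. The sample maps below are constructed.

# compare_passwd_maps REF OTHER
# Both files are in getent passwd format (name:x:uid:gid:gecos:home:shell).
# Prints one line per account present in both maps whose uid or gid differs,
# then a final line with the mismatch count.
compare_passwd_maps() {
    awk -F: '
        NR == FNR { uid[$1] = $3; gid[$1] = $4; next }  # load reference map
        !($1 in uid) { next }                            # only accounts on both hosts
        uid[$1] != $3 || gid[$1] != $4 {
            printf "MISMATCH %s: ref uid=%s gid=%s, other uid=%s gid=%s\n", $1, uid[$1], gid[$1], $3, $4
            bad++
        }
        END { print (bad + 0) " mismatch(es)" }
    ' "$1" "$2"
}

# count_mismatches REF OTHER: the number alone, for use in scripts and checks.
count_mismatches() {
    compare_passwd_maps "$1" "$2" | awk 'END { print $1 }'
}

# write_samples DIR: constructed maps. The PDC returns the POSIX uid/gid kept in
# LDAP; a member server allocating ids from winbind's idmap range (assumed to
# start at 10000) returns different numbers for jdoe; asmith and root match.
write_samples() {
    cat > "$1/pdc.passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
DOMAIN\jdoe:x:1005:513:John Doe:/home/DOMAIN/jdoe:/bin/bash
DOMAIN\asmith:x:1006:513:Ann Smith:/home/DOMAIN/asmith:/bin/bash
EOF
    cat > "$1/member.passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
DOMAIN\jdoe:x:10000:10001:John Doe:/home/DOMAIN/jdoe:/bin/bash
DOMAIN\asmith:x:1006:513:Ann Smith:/home/DOMAIN/asmith:/bin/bash
EOF
}

# Demo run on the constructed data; on real hosts pass the captured files.
demo() {
    dir=$(mktemp -d)
    write_samples "$dir"
    compare_passwd_maps "$dir/pdc.passwd" "$dir/member.passwd"
    rm -rf "$dir"
}
demo
```

Accounts are matched on the name column, so if the hosts disagree on `winbind use default domain` or `winbind separator` the names must be normalised first, or nothing will be compared at all.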
