[Samba] Active Directory and winbind RID/SID to uid and gid mapping across several Linux servers

Reece Dike samba at erd3.com
Tue Mar 10 21:44:29 GMT 2009


Dale,

Thanks for the information and the link.  We are just now trying to
implement this and we have not implemented it on any production
servers.  I need to talk with my security person to see if we
have, or are planning to have, trusted domains.  If we do then I will
have to go with the ldap/ADS solution that was in the link you gave.

Thanks again,
Reece

Dale Schroeder wrote:
> Reece,
>
> idmap backend = rid:MYDOMAIN=15000-20000
>
> will create consistent mappings, *but* be aware that enabling this
> parameter will break all your existing mappings, and you will have to
> reset permissions on your Red Hat servers.  Obviously, this is not
> desirable on production systems.  However, once this is done, you will
> continue to have the same mappings on any existing and similarly
> configured future Samba servers.  Only you can determine if it is worth
> the time and effort to do this.  We have four servers configured this
> way, and users have the same uid/gid on each system.
>
> Comparison of idmap backends:
> http://us3.samba.org/samba/docs/man/Samba-HOWTO-Collection/idmapper.html#id2598850
>
>
> Dale
>
>
> Reece Dike wrote:
>> We are using a Windows Server 2003 Active Directory as our single
>> sign-on server.  I have been able to get our RHEL4U6 servers to
>> authenticate with Active Directory.
>>
>> My concern is that the RID mapping to the unix uid/gid range (15000-20000)
>> is stored locally on each machine in a tdb database.  So far all of the
>> servers have produced the same mapping, but I do not think it is
>> guaranteed.  I think the fact that I do a wbinfo -u and wbinfo -g as part
>> of the setup and there have been no users/groups added to Active
>> Directory has made the mappings the same.  I know that the uid/gid are
>> not being stored in Active Directory (I did a 'dsquery * -scope base
>> -attrib *' on my id in Active Directory).  Is there any way to guarantee
>> the RID to uid/gid mapping across several servers?
>>
>>
>> Thanks,
>> Reece Dike
>>
>>
>>
>> Here is my smb.conf
>> [global]
>>    workgroup = MYDOMAIN
>>    server string = Samba Server Version %v
>>    security = ADS
>>    password server = 68.216.162.90
>>    realm = MYDOMAIN.COM
>>    passdb backend = tdbsam
>>    load printers = yes
>>    cups options = raw
>>    # duplicate: the later 'template shell = /bin/bash' line overrides this one
>>    template shell = /bin/false
>>    server signing = auto
>>    idmap uid = 15000-20000
>>    idmap gid = 15000-20000
>>    winbind enum groups = yes
>>    winbind enum users = yes
>>    winbind separator = +
>>    winbind use default domain = no
>>    template homedir = /homes/%D/%U
>>    template shell = /bin/bash
>>
>> [homes]
>>         comment = Home Directories
>>         browseable = no
>>         writable = yes
>>
>> [printers]
>>         comment = All Printers
>>         path = /var/spool/samba
>>         browseable = no
>>         guest ok = no
>>         writable = no
>>         printable = yes
>>
>> [usbshare]
>>         comment = Backups and Stuff
>>         path = /usbdrive
>>         valid users = +"MYDOMAIN+Domain Users"
>>         read only = no
>>
>>
>>   
>
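
The arithmetic behind Dale's suggestion, worked through as an added example (this is not code from the thread or from the Samba project). The idmap_rid backend keeps no per-server state: its man page defines the mapping as ID = RID - BASE_RID + LOW_RANGE_ID, and any SID whose result falls above the top of the range is refused rather than allocated. That is what makes every similarly configured server agree, and it is also why the range has to be sized for the domain: the 15000-20000 range in Reece's smb.conf holds only RIDs 0-5000, and a domain issues RIDs for new users, groups and computers from about 1000 upwards and never reuses them. The script below predicts the uid/gid a server will hand out, reports which RIDs the range cannot hold, and, on a joined host, cross-checks the prediction against what wbinfo actually returns. The domain SID S-1-5-21-1-2-3 in the demo is constructed; only the RID field matters. It assumes a single domain with no trusts, as in the thread.

```shell
#!/bin/sh
# Added example, not code from the thread.  Reproduces the arithmetic of
# winbind's idmap_rid backend so the uid/gid a server will assign can be
# predicted (and cross-checked) before the mapping is rolled out.
#
# idmap_rid is stateless:   ID = RID - BASE_RID + LOW_RANGE_ID
# and it refuses to map any RID whose ID would land above HIGH_RANGE_ID.
#
# Samba 3.0-era smb.conf (Dale's suggestion), alongside the existing ranges:
#     idmap backend = rid:MYDOMAIN=15000-20000
#     idmap uid = 15000-20000
#     idmap gid = 15000-20000
# Current smb.conf equivalent (the default domain needs its own range):
#     idmap config * : backend = tdb
#     idmap config * : range = 3000-7999
#     idmap config MYDOMAIN : backend = rid
#     idmap config MYDOMAIN : range = 15000-20000

# sid_rid SID -> prints the RID, the last dash-separated field of the SID.
sid_rid() {
    printf '%s\n' "$1" | sed 's/.*-//'
}

# rid_to_id SID LOW HIGH [BASE_RID]
# Prints the unix id idmap_rid would return for SID with the given range.
# Returns 1 and prints nothing when the id falls outside LOW..HIGH, which
# is the case winbind reports as an unmappable SID.
rid_to_id() {
    _sid=$1 _low=$2 _high=$3 _base=${4:-0}
    _rid=$(sid_rid "$_sid")
    _id=$((_rid - _base + _low))
    if [ "$_id" -lt "$_low" ] || [ "$_id" -gt "$_high" ]; then
        return 1
    fi
    printf '%s\n' "$_id"
}

# max_rid LOW HIGH [BASE_RID] -> the largest RID the range can still map.
# AD issues RIDs for new objects from roughly 1000 upwards and never reuses
# them, so 15000-20000 is exhausted after about 4000 objects have been created.
max_rid() {
    echo $(( $2 - $1 + ${3:-0} ))
}

# check_live NAME LOW HIGH [BASE_RID]
# On a joined host, compares the prediction with what winbind returns:
# `wbinfo -n` resolves NAME to "SID TYPE", `wbinfo -S` maps the SID to a uid.
# Returns 2 when wbinfo is unavailable or NAME is unknown, 1 on a mismatch.
check_live() {
    command -v wbinfo >/dev/null 2>&1 || return 2
    _out=$(wbinfo -n "$1" 2>/dev/null) || { echo "$1: unknown to winbind"; return 2; }
    _live_sid=${_out%% *}
    [ -n "$_live_sid" ] || return 2
    _expect=$(rid_to_id "$_live_sid" "$2" "$3" "${4:-0}") || { echo "$1: RID out of range"; return 1; }
    _actual=$(wbinfo -S "$_live_sid" 2>/dev/null) || return 2
    if [ "$_expect" = "$_actual" ]; then
        echo "$1: ok ($_actual)"
    else
        echo "$1: MISMATCH expected $_expect got $_actual"
        return 1
    fi
}

# Demo on constructed SIDs (domain part S-1-5-21-1-2-3 is made up).
# Administrator is RID 500, Domain Users is RID 513; the first user created
# in a fresh domain typically lands around RID 1100.
if [ "${1:-}" = "demo" ]; then
    for sid in S-1-5-21-1-2-3-500 S-1-5-21-1-2-3-513 S-1-5-21-1-2-3-1105 S-1-5-21-1-2-3-5001; do
        if id=$(rid_to_id "$sid" 15000 20000); then
            echo "$sid -> $id"
        else
            echo "$sid -> not mappable in 15000-20000"
        fi
    done
    echo "largest RID 15000-20000 can hold: $(max_rid 15000 20000)"
fi
```

Run it as `sh ridmap.sh demo` for the offline walk-through, or source it on a joined server and call `check_live 'MYDOMAIN+someuser' 15000 20000` to confirm winbind agrees before resetting permissions across the fleet. A RID that this script refuses is one winbind will also refuse, so the check doubles as a capacity test for the range.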
