winbindd_idmap.tdb recovery

MCCALL,DON (HP-USA,ex1) don_mccall at hp.com
Mon Feb 11 06:21:08 GMT 2002


Hi Martin,
Yes, this would be ideal - it would be a pity to have to implement
some sort of 'pseudo-sam' synchronization engine for winbindd, essentially
duplicating DC type of functionality on machines that are, after all
'member servers' in the win2k domain, for all practical purposes.
As I recall, M$ came up with something called SFU (Services for Unix)
which expanded the AD ldap entry such that unix info (like UID field)
was contained within each user.  I haven't heard much about SFU from M$,
so I don't know how active this product is, but perhaps that could be 
an option.  I'd have to look into it, but I think that it DEPENDED on
a unix account existing, and being able to grab the uid/gid pair for 
the user FROM the unix account - I can't remember.  Of course with 
winbindd, the purpose is not to HAVE a unix user account, so we'd have
to do something like checking for a valid uid/gid pair in AD and if 
uninitialized, fill it in ourselves...
I'll stop theorizing based on little knowledge of the product.  But two
big holes are 1) SFU used to be an addon product, so you couldn't count
on it being there. 2) Don't know if the mechanisms for getting/modifying
the extra unix fields are exposed so that we could use them...
Would be worth looking into, though!
Don

-----Original Message-----
From: Martin.Sheppard at csiro.au [mailto:Martin.Sheppard at csiro.au]
Sent: Sunday, February 10, 2002 2:33 AM
To: don_mccall at hp.com; Jean-Francois.Micouleau at dalalu.fr
Cc: michael_steffens at hp.com; tpot at samba.org; samba-technical at samba.org
Subject: RE: winbindd_idmap.tdb recovery


I'll just add my 2 cents into this discussion. I know it wouldn't suit
everybody, but in my organisation it would seem that the most appropriate
place to store the UID mapping is by having a UID field for user objects in
Active Directory. That way you get a consistent mapping across the
organisation without going to the trouble of writing your own distributed
database. It also gives you the possibility of looking at using either
nss_ldap or winbind on the clients depending on which is more appropriate. 

Has any thought been given to having winbind be able to operate in this way?

Cheers,

Martin.

-----Original Message-----
From: Jean Francois Micouleau [mailto:Jean-Francois.Micouleau at dalalu.fr]
Sent: Friday, February 08, 2002 5:08 PM
To: MCCALL,DON (HP-USA,ex1)
Cc: 'samba-technical at samba.org'
Subject: RE: winbindd_idmap.tdb recovery

The only other 'automatic' way I see around this is to go ahead and assign
on a 1st come 1st serve basis, but require all the samba member servers in a
particular domain to know about each other, and implement some sort of
winbindd_idmap multiple master scheme, where if you didn't find a local map
for the sid coming in, before you did the mapping, you checked with your
'samba ring' to see if the sid had been mapped anywhere else, and use
the same mapping.  And with all the synchronization problems, etc. this could
be a nightmare to bulletproof.

Thanks for continuing the conversation!
Don
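A toy model of the scheme the thread is circling around (look the uid up on the user object in the directory, fill it in if it is uninitialized, and let every member server adopt whatever is stored there) is below. This is an added example, not Samba code and not anything posted in the thread. The directory is a mock, the attribute name `uidNumber` is an assumption (the thread only speaks of a "UID field"), and the SIDs and account names are constructed. It shows why two member servers sharing the directory agree on a uid, whereas first-come-first-served allocation in a per-server idmap.tdb does not.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional

# Assumed attribute name; the thread only talks about a "UID field" in AD.
UID_ATTR = "uidNumber"


class MockDirectory:
    """Stand-in for the domain directory: SID -> attribute dict (constructed)."""

    def __init__(self, users: Dict[str, Dict[str, object]]):
        self.users = {sid: dict(attrs) for sid, attrs in users.items()}

    def has_user(self, sid: str) -> bool:
        return sid in self.users

    def get_attr(self, sid: str, attr: str) -> Optional[object]:
        entry = self.users.get(sid)
        return None if entry is None else entry.get(attr)

    def fill_if_unset(self, sid: str, attr: str, value: object) -> object:
        """Write `value` only if `attr` is still unset; return the value that won.

        Models an atomic check-and-set: two servers racing to fill the same
        user converge on one uid instead of each keeping its own."""
        entry = self.users[sid]
        if attr not in entry:
            entry[attr] = value
        return entry[attr]


@dataclass
class MemberServer:
    """One member server: a local cache (the role idmap.tdb plays today) plus a
    private allocation range so proposals from different servers never collide."""

    name: str
    directory: MockDirectory
    next_uid: int
    cache: Dict[str, int] = field(default_factory=dict)

    def sid_to_uid(self, sid: str) -> Optional[int]:
        # 1. Local cache hit, as winbindd does now.
        if sid in self.cache:
            return self.cache[sid]
        # 2. SID unknown to the directory: nothing to map.
        if not self.directory.has_user(sid):
            return None
        # 3. Directory already carries a uid: adopt it, never allocate our own.
        uid = self.directory.get_attr(sid, UID_ATTR)
        if uid is None:
            # 4. First come, first served: propose a uid from our range and let
            #    the directory arbitrate. If another server filled the field
            #    first, we take theirs and keep our proposal for the next user.
            proposed = self.next_uid
            uid = self.directory.fill_if_unset(sid, UID_ATTR, proposed)
            if uid == proposed:
                self.next_uid += 1
        self.cache[sid] = uid
        return uid


def demo() -> Dict[str, Optional[int]]:
    """Two member servers, one shared directory, constructed SIDs."""
    alice = "S-1-5-21-1-2-3-1001"
    bob = "S-1-5-21-1-2-3-1002"
    directory = MockDirectory({
        alice: {"sAMAccountName": "alice"},
        bob: {"sAMAccountName": "bob"},
    })
    srv_a = MemberServer("srv-a", directory, next_uid=10000)
    srv_b = MemberServer("srv-b", directory, next_uid=20000)
    return {
        "alice_on_a": srv_a.sid_to_uid(alice),   # srv-a allocates 10000
        "alice_on_b": srv_b.sid_to_uid(alice),   # srv-b adopts 10000
        "bob_on_b": srv_b.sid_to_uid(bob),       # srv-b allocates 20000
        "bob_on_a": srv_a.sid_to_uid(bob),       # srv-a adopts 20000
        "unknown": srv_a.sid_to_uid("S-1-5-21-9-9-9-5000"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The part that matters for consistency is `fill_if_unset`: the directory, not the member server, decides which proposal sticks. With a plain read-then-write, two servers mapping the same user at the same moment could each write a different uid and each believe it won, which is exactly the synchronization problem a peer-to-peer "samba ring" would have to solve on its own; a single authoritative store with a check-and-set write sidesteps it.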



