IMHO: Winbind in Samba4

Gémes Géza geza at kzsdabas.sulinet.hu
Sun Jan 9 14:28:18 GMT 2005


Stefan (metze) Metzmacher wrote:

> Gémes Géza wrote:
> | Richard Sharpe wrote:
> |
> |> On Sun, 9 Jan 2005, Simo Sorce wrote:
> |>
> |>
> |>
> |>>>> |>>
> |>>>> |>>Well, some NAS boxes will be like that. Probably the smaller
> |>>>> stand-alone
> |>>>> |>>NAS boxes. However, larger NAS boxes are most likely to be a 
> member
> |>>>> |>>server.
> |>>>> |>
> |>>>> |>Same thing, the NAS box will have a local SAM anyway, and may well
> |>>>> |>consider its SAM + the DC SAM to be authoritative, and never
> |>>>> require you
> |>>>> |>to do the round-trip, but go directly to ask winbindd.
> |>>>> |
> |>>>> |
> |>>>> | Ummm, we do not want a local SAM. All account and group
> |>>>> information should
> |>>>> | be in LDAP or NIS and the PDC's SAM.
> |>>>>
> |>>>> then just don't use it, there'll be only the builtin aliases and
> |>>>> the local administrator
> |>>>> and guest (disabled) by default.
> |>>>> (just like a just installed windows member server)
> |>>>>
> |>>>
> |>>> Sure, I was just pointing out to Simo that there are many ways that
> |>>> people
> |>>> want to use these things.
> |>>>
> |>>
> |>> I know, people generally do not want to manage users on a NAS box, but
> |>> NASes are just one of the targets of samba4.
> |>> We need to be as compatible as we can, so we will implement all it is
> |>> necessary and probably something more :-)
> |>>
> |>
> |>
> |> Ahhh, so we are in violent agreement then :-)
> |>
> |> Regards
> |> -----
> |> Richard Sharpe, rsharpe[at]richardsharpe.com, rsharpe[at]samba.org,
> |> sharpe[at]ethereal.com, http://www.richardsharpe.com
> |>
> |>
> |>
> | This is how I could imagine the Samba4 Winbind and *nix OS interaction
> | (see attached ASCII graphic)
> | With storing posix attributes in Samba4's LDAP server winbind's job is
> | just to retrieve them, much like nss_ldap does, the only difference
> | being in doing a recursive search for group membership.
> | Maybe better to get a ticket on behalf of the user, and look up the SIDs
> | obtained from the PAC, to get the uid and gids, and corresponding posix
> | attributes.
>
> Why do you want to have a difference between the cases if you have a 
> samba4 dc or a ms dc?
> I think we should handle both the same way.
>
Sorry I wasn't clear in telling my ideas. I was thinking about 
implementing an AD schema compliant Posix schema, which could be applied 
to Windows AD DCs too, but which would be shipped with the Samba4 AD DC.

> And also winbind should export the local SAM(dsdb) accounts and groups 
> directly from the database
>
I agree at this point. But local SAM to Posix mappings don't seem to me 
to be so important at first in a domain environment.

> --
> metze
>
> Stefan Metzmacher <metze at samba.org> www.samba.org


Cheers,

Geza
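The two lookup strategies Geza sketches above (a recursive memberOf walk over posix attributes stored in the directory, versus a flat lookup of the SIDs the KDC already put into the PAC) can be illustrated side by side. The following is an added example written for this page, not code from the thread or from Samba or its winbindd; the in-memory `DIRECTORY`, the DNs, the SIDs and the uid/gid values are constructed sample data, and the attribute names (`objectSid`, `uidNumber`, `gidNumber`, `memberOf`) follow the AD/RFC 2307 schema but are only assumed here. Note that AD does not list an account's primary group in `memberOf`, so the primary gid has to come from the user's own `gidNumber`, and that nested groups can form cycles, which the walk must tolerate.

```python
"""Map a user SID to POSIX uid/gid/supplementary gids two ways:
   (1) recursive memberOf walk over the directory (nss_ldap style, plus nesting)
   (2) flat lookup of the group SIDs carried in a Kerberos PAC
Everything below is constructed sample data, not a real domain.
"""
from collections import deque

BASE = "CN=Users,DC=example,DC=test"          # assumed container
DOM = "S-1-5-21-1-2-3"                        # made-up domain SID prefix

# Constructed directory: DN -> attributes (AD objects with RFC 2307 posix attrs).
DIRECTORY = {
    f"CN=alice,{BASE}": {
        "objectSid": f"{DOM}-1104", "uidNumber": 10001, "gidNumber": 20001,
        "memberOf": [f"CN=Developers,{BASE}"],        # primary group not listed
    },
    f"CN=Domain Users,{BASE}": {
        "objectSid": f"{DOM}-513", "gidNumber": 20001, "memberOf": [],
    },
    f"CN=Developers,{BASE}": {
        "objectSid": f"{DOM}-1200", "gidNumber": 20010,
        "memberOf": [f"CN=Engineering,{BASE}"],
    },
    f"CN=Engineering,{BASE}": {
        "objectSid": f"{DOM}-1300", "gidNumber": 20020,
        "memberOf": [f"CN=Developers,{BASE}"],        # deliberate cycle
    },
    f"CN=NoPosix,{BASE}": {
        "objectSid": f"{DOM}-1400", "memberOf": [],    # group without gidNumber
    },
}


def find_by_sid(sid):
    """Return (dn, attrs) for the object whose objectSid equals sid, else None."""
    for dn, attrs in DIRECTORY.items():
        if attrs.get("objectSid") == sid:
            return dn, attrs
    return None


def transitive_groups(dn):
    """All group DNs reachable from dn via nested memberOf links.

    Breadth-first with a visited set, so cyclic nesting terminates."""
    seen = set()
    queue = deque(DIRECTORY[dn].get("memberOf", []))
    while queue:
        group_dn = queue.popleft()
        if group_dn in seen or group_dn not in DIRECTORY:
            continue
        seen.add(group_dn)
        queue.extend(DIRECTORY[group_dn].get("memberOf", []))
    return seen


def _collect(user_attrs, group_entries):
    """Shared tail: primary gid from the user, supplementary gids from groups.
    group_entries yields (label, attrs-or-None); labels lacking a gidNumber
    are reported as unmapped rather than silently dropped."""
    gids, unmapped = {user_attrs["gidNumber"]}, []
    for label, attrs in group_entries:
        if attrs is None or "gidNumber" not in attrs:
            unmapped.append(label)
        else:
            gids.add(attrs["gidNumber"])
    return {"uid": user_attrs["uidNumber"], "gid": user_attrs["gidNumber"],
            "gids": sorted(gids), "unmapped": sorted(unmapped)}


def posix_ids_from_directory(user_sid):
    """Strategy 1: resolve the SID, then walk nested groups in the directory."""
    hit = find_by_sid(user_sid)
    if hit is None or "uidNumber" not in hit[1]:
        return None                              # not a POSIX-enabled user
    dn, attrs = hit
    groups = ((g, DIRECTORY[g]) for g in transitive_groups(dn))
    return _collect(attrs, groups)


def posix_ids_from_pac(user_sid, pac_group_sids):
    """Strategy 2: the KDC already expanded nesting; each PAC SID is one lookup."""
    hit = find_by_sid(user_sid)
    if hit is None or "uidNumber" not in hit[1]:
        return None
    groups = ((sid, (find_by_sid(sid) or (None, None))[1]) for sid in pac_group_sids)
    return _collect(hit[1], groups)


if __name__ == "__main__":
    print(posix_ids_from_directory(f"{DOM}-1104"))
    print(posix_ids_from_pac(f"{DOM}-1104",
                             [f"{DOM}-513", f"{DOM}-1200", f"{DOM}-1300", f"{DOM}-1400"]))
```

Both strategies agree on alice's ids here; the difference shows in what each has to trust and do: the directory walk issues one lookup per nesting level and must guard against cycles, while the PAC variant does a flat lookup per SID but relies on the KDC-signed group list. In both, a group that exists in AD but carries no `gidNumber` is surfaced in `unmapped` so an administrator can see which memberships are invisible to the *nix side.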

