Samba4 ADS BDC howto/help/status, please?
Matthieu Patou
mat+Informatique.Samba at matws.net
Fri Jan 22 03:36:11 MST 2010
On 21/01/2010 21:28, Brian Dickson wrote:
> Hi,
>
> I'm interested in deploying Samba4 in a non-critical (but very useful!) role, as an AD backup DC, for authentication purposes only.
>
> Specifically, the environment in which this is to be deployed is:
>
> (A) An AD PDC (and two BDCs) all running Windows Server 2003 SP2 (not, unfortunately, R2 :-) ).
>
> (B) Lots of users and groups, for some smallish value of "lots" (a few dozen).
>
> (C) Add to this, the desire to have Linux host(s) which will authenticate users via PAM with one of pam_winbind, pam_ldap, and/or pam_krb5, by way of Samba4.
>
> The need to have a Linux host do the mappings between UID/GID, and RID/SID (or whatever *ID exists), is why I think Samba4 as BDC (possibly read-only) would be ideal.
> Samba3 only supports queries against AD PDC with the "support for unix" stuff that came in R2, or against a stand-alone Linux Samba3 PDC.
>
That's if you use the idmapping and store the UID/GID in the LDAP.
> The mappings UID/GID would be one-way only, on one host, so the scope is very limited. No conflicts, no race conditions, no data sharing, just authentication (and creating home directories, natch.)
>
So in fact, as I understand it, you want to have on the Linux host a UID/GID for
each Windows user and be able to authenticate them. Then a very simple
pam_winbind + winbind setup: check here
http://samba.org/samba/docs/man/Samba3-HOWTO/winbind.html and
http://samba.org/samba/docs/man/Samba3-HOWTO/idmapper.html
For your information, in my shop with an s4 domain (but I do not have any
UID/GID in the LDAP) we are using winbind on some Linux hosts for
authentication and it just works!
As I want to have a bit of uniformity in the UIDs of my users I decided
to use the rid backend for UID/GID allocation: with this backend the UIDs
are allocated starting from
idmap domains = FOO
idmap config FOO: default = yes
idmap config FOO: backend = rid
idmap config FOO: range = 10000-20000
# For big domain take care of the enumeration time ...
winbind enum groups = yes
winbind use default domain = yes
winbind enum users = yes
# It might not be needed anymore now ...
allow trusted domains = No
And for the authentication I just added:
account sufficient pam_winbind.so
auth sufficient pam_winbind.so
to the pam files.
> So, my questions are:
>
> (1) Will Samba4 in its current state, be able to handle this?
> (2) What compile/install/provision/configure steps/instructions are (or will be) required?
> (3) Can anyone point me at relevant bits and pieces that might need to be added or tweaked, to support this, if there's still work to be done? (I have incentive to do this, of course.)
> (4) Would anyone object to me adding this to the Wiki/howto, as I think this will be a common use-case?
No, of course, be our guest!
Matthieu
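The reason the rid backend gives "uniformity" is that it does not allocate IDs on demand: each UID is computed from the account's RID and the configured range, so every host with the same smb.conf fragment produces the same UID for the same user. The following is an added example (not code from the mail or from Samba) that parses an smb.conf fragment like the one above and applies the idmap_rid rule from the Samba documentation, UID = RID - base_rid + low end of the range (base_rid defaults to 0); the smb.conf text and the domain SID are constructed for the example. It also shows the failure mode a defender will meet: a RID that falls outside the configured range gets no mapping at all, which surfaces as a user who cannot log in rather than as a conflict.

```python
import re

# Constructed smb.conf fragment, mirroring the settings quoted in the mail.
SMB_CONF = """
idmap domains = FOO
idmap config FOO: default = yes
idmap config FOO: backend = rid
idmap config FOO: range = 10000-20000
winbind use default domain = yes
"""

# Constructed domain SID for the FOO domain (not a real domain).
FOO_DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"

IDMAP_RE = re.compile(r"^\s*idmap config (\S+)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.M)


def parse_idmap_config(conf):
    """Collect 'idmap config DOM: key = value' lines into {DOM: {key: value}}."""
    domains = {}
    for dom, key, value in IDMAP_RE.findall(conf):
        domains.setdefault(dom.upper(), {})[key.lower()] = value
    return domains


def split_sid(sid):
    """Split a SID such as S-1-5-21-a-b-c-1105 into (domain SID, RID)."""
    if not re.fullmatch(r"S-1-\d+(?:-\d+)+", sid):
        raise ValueError("malformed SID: %r" % sid)
    domain_sid, _, rid = sid.rpartition("-")
    return domain_sid, int(rid)


def rid_to_id(rid, cfg):
    """Apply the idmap_rid rule for one domain's config.

    ID = RID - base_rid + low_range.  Returns None when the result lies
    outside the configured range, which is how winbind refuses to map it.
    """
    if cfg.get("backend") != "rid":
        raise ValueError("domain is not using the rid backend")
    low, high = (int(x) for x in cfg["range"].split("-"))
    base_rid = int(cfg.get("base_rid", 0))
    ident = rid - base_rid + low
    if ident < low or ident > high:
        return None
    return ident


def sid_to_uid(sid, conf=SMB_CONF, domain="FOO", domain_sid=FOO_DOMAIN_SID):
    """Map a user SID from `domain` to a UID, or None if unmappable."""
    cfgs = parse_idmap_config(conf)
    if domain.upper() not in cfgs:
        raise KeyError("no idmap config for domain %s" % domain)
    sid_domain, rid = split_sid(sid)
    if sid_domain != domain_sid:
        return None  # SID belongs to another domain; not ours to map
    return rid_to_id(rid, cfgs[domain.upper()])


if __name__ == "__main__":
    for rid in (513, 1105, 10000, 10001):
        sid = "%s-%d" % (FOO_DOMAIN_SID, rid)
        print(sid, "->", sid_to_uid(sid))
```

Because the mapping is arithmetic, the same configuration on a second Linux host yields identical UIDs with no shared state, which is the property the mail is after; the flip side is that the range must be sized for the highest RID the domain will ever issue, since RIDs beyond it (here anything above 10000) silently map to nothing.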