[Samba] Re: NT/ADS and UNIX user convergence using Samba

Edvard Fagerholm efagerho at cc.hut.fi
Tue Apr 6 16:54:14 GMT 2004

On Tue, Apr 06, 2004 at 11:17:44AM -0400, news.gmane.org wrote:
> > Hi Steve,
> >
> > I think you have two options, use winbind and bin NIS or vice versa.
> > If you choose to use winbind as you identified you have to worry about
> > mappings being different on individual Samba servers, the only way to get
> > around this currently is to use LDAP as your idmap backend. This stores
> > the UID to SID mappings centrally for multiple Samba servers to share.
> > If you choose to use NIS you will have to mess around with smbpasswd and
> > net groupmap to make users and groups visible as valid accounts for Samba.
> > Also your NTLM passwords will not be sync'd to the domain but Kerberos
> > auth will work seamlessly. AFAIK
> Thanks.  I did a little more poking around and it seems like I'm leaning
> towards using winbind as my definitive authorization for this server and
> removing NIS from the fileserver.  If I do this, I'll need to get LDAP up
> and running to control the mapping of SID -> UID so my NT SIDs map to my NIS
> UIDs for UNIX NFS clients that mount the volume(s).  I've seen several
> descriptions of how to get the Samba side up (basically use the "idmap
> backend" option in smb.conf), but I'm completely new to LDAP, and I haven't
> found a simple description of how to set up a minimal LDAP server (probably
> using OpenLDAP) on my linux box that would just contain the SID->UID
> mappings.
> Does anyone have a simple example configuration for OpenLDAP that they would
> like to share?  You can post, or email me directly at:  looper_man at yahoo.com
> Thanks in advance,
> Steve


What you're trying to accomplish is exactly the same thing that I've done on my
network. The solution that I'm using is to use AD4Unix. This modifies the AD
LDAP-tree, so that you can add UID and GID entries for every user and group
through a new tab that appears in user manager. The only problem is that if
you've got a bunch of users, you need to manually allocate their UIDs, and for
every new user you add, you need to enable their "UNIX settings". So after
installing it, you need to go through each and every user to enable their UNIX
settings... However, it's only a few clicks per user...

On the samba server you simply use LDAP for passwd and group entries in
nsswitch and use the AD server as the LDAP. Then you need to configure winbind
with "winbind trusted domains only = yes". However, this doesn't work out of
the box on Samba 3.0.2a, because there seems to be a bug with returning
incorrect SIDs, but I made a quick hack to Samba to make it work. I've been
using this configuration since Samba 3.0.0, but the earlier versions required a
bit more tinkering as there wasn't such a thing as "winbind trusted domains

The good side with this configuration is that you don't need to have an idmap
backend and every bit of configuration is simply done through the user manager.
The bad side is that modifying the AD LDAP-tree prevents you from updating the
operating system on the AD server. There's some patch from M$ to make updating
work, but you can't find it on their website; the only way to get it is to
contact their customer support. I don't know why this is made so hard...

The other good thing is that you can add UNIX workstations to the network and
let them authenticate through Kerberos to the AD and share the files on the
Samba server to them through NFS. This way all user management for both the
UNIX and Windows workstations is done on the AD server. This makes it easy to
integrate UNIX workstations into the Windows network and you don't have to
install Samba on any of the UNIX workstations.

If you need more info you can e-mail me and I'll give you more detailed
information on how to make it work.
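A check that goes with the setup described in this reply, added here as an example and not part of the original post or of Samba: once NSS resolves users from the AD LDAP tree and winbind runs with "winbind trusted domains only = yes", the UID that NSS returns for a user and the UID winbind derives from that user's SID must agree, or Samba and the NFS clients will disagree about who owns a file. The script assumes `getent` and `wbinfo` are present and that the user names fed to it are in a form both tools accept; `check_pair` and `audit_users` are hypothetical helper names.

```shell
#!/bin/sh
# Hypothetical audit helper (not from the thread): compare the UID NSS
# resolves for a user with the UID winbind maps for that user's SID.

# nss_uid NAME -> prints the UID NSS resolves for NAME (empty if unknown)
nss_uid() {
    getent passwd "$1" | cut -d: -f3
}

# winbind_uid NAME -> prints the UID winbind maps for NAME's SID
winbind_uid() {
    sid=$(wbinfo -n "$1" | cut -d' ' -f1)
    [ -n "$sid" ] || return 1
    wbinfo -S "$sid"
}

# check_pair NAME NSSUID WBUID: prints one verdict line, returns 1 on any problem
check_pair() {
    name=$1; n=$2; w=$3
    if [ -z "$n" ]; then
        echo "MISSING  $name: not in NSS (UNIX settings not enabled in AD?)"
        return 1
    elif [ "$n" != "$w" ]; then
        echo "MISMATCH $name: nss=$n winbind=$w"
        return 1
    else
        echo "OK       $name: uid=$n"
        return 0
    fi
}

# audit_users: reads one user name per line on stdin, reports each,
# returns non-zero if any user is missing or mismatched
audit_users() {
    rc=0
    while read -r name; do
        [ -n "$name" ] || continue
        check_pair "$name" "$(nss_uid "$name")" "$(winbind_uid "$name")" || rc=1
    done
    return $rc
}

# Run against the live domain only where winbind is actually installed.
if command -v wbinfo >/dev/null 2>&1; then
    wbinfo -u | audit_users
fi
```

Run it on each Samba server that exports the same NFS volumes; every server should print only OK lines for the same user list.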
