[Samba] Re: NT/ADS and UNIX user convergence using Samba

Aden, Steve saden at itscommunications.com
Wed Apr 7 13:02:35 GMT 2004

I have also been struggling with Samba and ADS. I too have the SID problem you mention. Is it possible for you to post the hack you did to work around this problem? I have searched and searched and your post seems to be the first that confirms this problem, which I have reproduced in my lab. There have been many posts that are probably related to this problem, but nothing has been resolved.

Thank you,
Steve Aden


-----Original Message-----
From: Edvard Fagerholm [mailto:efagerho at cc.hut.fi] 
Sent: Tuesday, April 06, 2004 12:54 PM
To: news.gmane.org
Cc: samba at lists.samba.org
Subject: [Samba] Re: NT/ADS and UNIX user convergence using Samba

On Tue, Apr 06, 2004 at 11:17:44AM -0400, news.gmane.org wrote:
> > Hi Steve,
> >
> > I think you have two options, use winbind and bin NIS or vice versa.
> > If you choose to use winbind as you identified you have to worry
> mappings being different on individual
> > Samba servers, the only way to get around this currently is to use
> your idmap backend. This stores
> > the UID to SID mappings centrally for multiple Samba servers to
> > If you choose to use NIS you will have to mess around with smbpasswd
> net groupmap to make users and
> > groups visible as valid accounts for Samba. Also your NTLM
passwords will
> not be sync'd to the domain but
> > Kerberos auth will work seamlessly. AFAIK
> Thanks.  I did a little more poking around and it seems like I'm
> towards using winbind as my definitive authorization for this server
> removing NIS from the fileserver.  If I do this, I'll need to get LDAP
> and running to control the mapping of SID -> UID so my NT SIDs map to
my NIS
> UIDs for UNIX NFS clients that mount the volume(s).  I've seen several
> descriptions of how to get the Samba side up (basically use the "idmap
> backend" option in smb.conf), but I'm completely new to LDAP, and I
> found a simple description of how to set up a minimal LDAP server
> using OpenLDAP) on my linux box that would just contain the SID->UID
> mappings.
> Does anyone have a simple example configuration for OpenLDAP that they
> like to share?  You can post, or email me directly at:
looper_man at yahoo.com
> Thanks in advance,
> Steve


What you're trying to accomplish is exactly the same thing that I've done on my network. The solution that I'm using is to use AD4Unix. This modifies the AD LDAP-tree, so that you can add UID and GID entries for every user and through a new tab that appears in user manager. The only problem is that you've got a bunch of users, you need to manually allocate their UIDs and to every new user you add, you need to enable their "UNIX settings". So installing it, you need to go through each and every user to enable their UNIX settings... However, it's only a few clicks per user...

On the samba server you simply use LDAP for passwd and group entries in nsswitch and use the AD server as the LDAP. Then you need to configure with "winbind trusted domains only = yes". However, this doesn't work out of the box on Samba 3.0.2a, because there seems to be a bug with returning incorrect SIDs, but I made a quick hack to Samba to make it work. I've been using this configuration since Samba 3.0.0, but the earlier versions required a bit more tinkering as there wasn't such a thing as "winbind trusted

The good side with this configuration is that you don't need to have a backend and every bit of configuration is simply done through the user The bad side is that modifying the AD LDAP-tree prevents you from updating the operating system on the AD server. There's some patch from M$ to make work, but you can't find it on their website; the only way to get it is contact their customer support. I don't know why this is made so hard...

The other good thing is that you can add UNIX workstations to the network and let them authenticate through Kerberos to the AD and share the files on samba server to them through NFS. This way all user management both for UNIX and Windows workstations is done on the AD server. This makes it easy to integrate UNIX workstations into the Windows network and you don't have to install Samba on any of the UNIX workstations.

If you need more info you can e-mail me and I'll give you more detailed information on how to make it work.
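The setup Edvard describes (passwd and group lookups served by nss_ldap straight from the AD directory, winbind kept only for trusted domains) written out as an added example; this is not configuration from the original thread or from the Samba project. The host names, realm, base DN, bind account, idmap ranges and the schema attribute names are all assumptions: the attribute names below are the SFU 3.0 ones, and an AD4Unix-extended directory may expose the UID/GID under different names, so verify them against your own directory before relying on them.

```ini
# /etc/nsswitch.conf on the Samba file server (assumed host, joined to the AD domain)
# passwd/group come from the AD directory via nss_ldap, not from NIS or winbind.
passwd: files ldap
group:  files ldap

# /etc/ldap.conf (nss_ldap client settings; server, base and bind DN are placeholders)
uri ldap://dc1.example.internal
base dc=example,dc=internal
binddn cn=nssproxy,cn=Users,dc=example,dc=internal
bindpw CHANGEME
nss_base_passwd cn=Users,dc=example,dc=internal?sub
nss_base_group  cn=Users,dc=example,dc=internal?sub
# Map the RFC 2307 names nss_ldap expects onto the AD / SFU 3.0 schema
# (assumed attribute names; AD4Unix may use others, check with ldapsearch).
nss_map_objectclass posixAccount user
nss_map_objectclass shadowAccount user
nss_map_objectclass posixGroup group
nss_map_attribute uid sAMAccountName
nss_map_attribute uidNumber msSFU30UidNumber
nss_map_attribute gidNumber msSFU30GidNumber
nss_map_attribute homeDirectory msSFU30HomeDirectory
nss_map_attribute loginShell msSFU30LoginShell
nss_map_attribute gecos name
nss_map_attribute uniqueMember member

# /etc/samba/smb.conf (Samba 3.0.x; realm and workgroup are placeholders)
[global]
   workgroup = EXAMPLE
   realm = EXAMPLE.INTERNAL
   security = ads
   password server = dc1.example.internal
   # Accounts of our own domain resolve through nss_ldap, i.e. the UID/GID
   # stored centrally in AD. winbind only allocates UIDs for users of
   # *trusted* domains, so every Samba server and every NFS client sees the
   # same UID for the same account instead of a per-server allocation.
   winbind trusted domains only = yes
   winbind use default domain = yes
   idmap uid = 10000-20000
   idmap gid = 10000-20000
```

To check the result, `getent passwd someuser` on the Samba server should return the UID stored in AD, and the same command on an NFS client bound to the same directory must return the same number; `wbinfo -n someuser` should still resolve the account's SID. If any host returns a different UID for the same account, ownership of files on the NFS-exported share is wrong on that host, which is exactly the per-server mapping drift the thread is trying to avoid.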
