[Samba] Anyone have Solaris 8/9, W2K AD, NIS working?

Fri Jul 30 14:25:07 GMT 2004

Paul Gienger wrote:

> It sounds like you need to pick a network directory service and go with 
> it, I'd suggest LDAP over NIS any day.  I have had a solaris (9 I think) 
> box running happily over LDAP and AD2000, although it was just for test.

Oh, I totally agree with you on choosing LDAP over NIS. The problem is that if I go LDAP, I'd prefer a non-proprietary solution, and that means OpenLDAP. There are known conflicts between Solaris's built-in LDAP libraries and OpenLDAP (but those can, in theory, be gotten around, although I've run into grief attempting to do so).

I inherited the NIS setup when I took this job, and because it's been working fine, I haven't bothered to change it. Chalk that up to other projects taking priority.

> 
>> I'm trying to get Solaris authentication to work using AD user 
>> accounts. According to The Official Samba 3 Howto and Reference Guide, 
>> this should be a simple thing. Well, it is, as long as you don't care 
>> that the UNIX userid to SID mapping isn't consistent across NIS 
>> clients, which really screws up file ownership.
> 
> 
> You need a central structure to hold your SID mappings if you're 
> traversing machines, AFAICT, the only network structure supported is LDAP.

In theory, AD is LDAP-compliant, although Microsoft's added a bunch of tweaks. So I was hoping to us AD as the LDAP repository. That many not work, though, and may be the cause of a lot of my problems.

When you got it to work, did you use a separate LDAP repository for SID mappings? Or did you manage to store them in AD?

> 
>> Well, it just isn't working. I've tried the instructions in there, 
>> which are laughably inadequate. They don't cover NIS or the SID-userid 
>> mapping problem properly. I've searched this mailing list for answers, 
>> and haven't found much. I simply cannot get Samba to store the userid 
>> mapping in the AD Idmap OU.
> 
> 
> Perhaps some expansion on your issues here would help:
> What kind of errors is samba spitting back
> What configurations have you done.

The reason I didn't supply them is that I've been playing with so many different configurations over the last few months that listing them all would be counterproductive. So I adopted a new strategy: find out if anyone got it working and what config they used.

> I'm curious, why the insistance on NIS?  Do you have other apps that 
> require it?  Are you having problems getting autofs on solaris to talk 
> to LDAP?  If so, a guy can short circuit it by making files from the 
> ldap structure, that's what I do.  Are you an old school sun guy from 
> way back that can't let go of it?  Give in to the dark side of the 
> DIT,... err... I mean use ldap, its better over here... or something, 
> you get my drift hopefully.

I agree. I wanted to use NIS because it's already installed and working. My thinking was that, if I could get Samba working with AD as the LDAP repository for SID mappings, I could eventually move my maps over to AD and get rid of NIS completely.

I'd prefer to have only one LDAP server running, and the architecture here already has AD. So I'd like to keep things simple and use AD as that repository if I can. I'm willing to build an OpenLDAP server if I have to, but that seems redundant to me.

I am an old school Sun guy (but System V, not BSD!), but I agree that NIS is obsolete, has a million security holes in it, and deserves to be given a decent burial. 