[Samba] Where to go next; Winbind/LDAP/ID mapping

simon_gibbs simon_gibbs at btconnect.com
Mon Jul 25 15:28:40 GMT 2005


Hi,

I've configured 2 RHEL4 boxes running samba-3.0.10-1.4E to
join our W2K AD domain and run as member servers. wbinfo
-u/-g and getent passwd/group work OK and resolve users
within the domain and I've created a test share with domain
permissions that we can copy to etc.
So now I've reached a bit of a crossroads. As I understand
it winbind maps the domain SIDs to UIDs/GIDs on a random
basis, but as the 2 boxes will eventually form part of a
cluster I need to make sure that the ID mappings are
identical on each box otherwise I'll have a hell of a job
when failing over.
Looking through the Samba How-To and By-Example
documentation to check current configuration it doesn't seem
to be clear (at least to me :) ) what the best/recommended
practice is in this situation. Can I use AD as the LDAP
backend? Should I use IDMAP_RID and replicate the .tdb files
between nodes - there are 30,000+ accounts in AD? Would I
even have to replicate the .tdb if it uses a predictable
mapping system? Or is configuring a second LDAP server to
store the mapped IDs my only option?
If anyone has any experience or knowledge I'd love to hear
from you.

Cheers.

Simon

