[Samba] New ADS infrastructure with winbind - Which is the best ID-mapping: IDMAP_RID or IDMAP LDAP with ADS + SFU schema ?

Doug VanLeuven roamdad at sonic.net
Fri May 13 10:25:06 GMT 2005


Steffen Kolbe wrote:

> Doug VanLeuven wrote:
>
>> Steffen Kolbe wrote:
>>
>>> A question for the best winbind SID-UID/GID mapping in our situation:
>>>
>>> I'm building a new infrastructure with Windows 2003 SP1 ADS 
>>> domain controllers and some Debian servers (file: Samba+NFS; mail; 
>>> web; ....) and various XP and Debian clients.
>>>
>>> After reading Chapter 12 (Identity Mapping) in the Samba-HOWTO, 
>>> IDMAP_RID coupled with winbind is an easy way to solve the problem 
>>> of synchronized SID-UID/GIDs on all Linux machines.
>>> Why should I use the "hard way" with the MS SFU 3.5 schema 
>>> extensions, PADL and so on, when IDMAP_RID seems to be so easy?
>>>
>>> Can anybody tell me something about the "deeper background" and 
>>> which of the two is the best solution for us?
>>
>> If you have an existing base of unix uid/gid accounts to maintain, 
>> consider the mapping capabilities of SFU 3.5 and padl idmap_ad.
>> If there is no existing base of unix uid/gid accounts, consider 
>> IDMAP_RID.
>>
>> Regards, Doug
>>
> Hello Doug,
>
> thanks for your quick answer.
> 1. If I understand the IDMAP_RID solution correctly, the local 
> SID-UID/GID mapping is the same on every machine. After a crash, can I 
> copy the mapping table between all Linux machines, or are there some 
> differences?
> 2. Do you know something about the speed of IDMAP_RID?  Now we have 
> roughly 500 users; in 4 years we will have ~3000.
> 3. In Windows environments it's normal to work with groups in groups; 
> Linux (by nature) doesn't know them. Does Samba/Winbind understand this 
> mapping from ADS, or should I only put users in groups?
>
> Thanks and best regards from Germany.
> Steffen

Hi Steffen,
I had an existing base of users so I had to implement the MS SFU style 
SID to uid/gid mapping, so I have no direct experience with IDMAP_RID.
But as I understand it:
1. You could take an initial linux installation and, provided smb.conf 
and the add user/group scripts are identical, one doesn't need to copy 
any mapping tables.  The map is in smb.conf.  Everything else would be 
created on the fly on first use.
2. As far as speed, we all wait on the domain controller for the initial 
SID.  With IDMAP_RID, once the SID is available, the mapping is local, 
so I can't imagine anything being faster.  The padl solution requires 
another query of the domain controller.  The samba-HOWTO makes a valid 
point about enumeration with large numbers of AD users - turn off 
enumeration.
3. The samba-HOWTO lists "winbind nested groups = yes" so it must be 
true.  I haven't had a need to nest groups yet.

My only personal change to the samba-HOWTO is that, for nsswitch.conf 
configuration, I prefer compat instead of files for authentication and I 
think dns should be included in the hosts list.  It can be argued that a 
correctly configured AD domain gets everything from DNS and that winbind 
name lookups aren't necessary, and that if they are, something is wrong 
with the DNS.

passwd:     compat winbind
shadow:     compat winbind
group:      compat winbind
hosts:      files dns winbind

Regards, Doug
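Added example, not code from the thread or from Samba: Doug's point 1 (the map lives in smb.conf, so identically configured hosts need no copied mapping table) comes from the rid backend being pure arithmetic, uid = low end of the range + RID. The script below parses a constructed smb.conf fragment and applies that rule, returning no mapping in the cases where winbind would not map either: a SID from a domain that is not configured for rid (those fall through to the host-local default backend), a non-domain SID, or a RID that pushes the result past the configured range. The domain name EXAMPLE, its SID, the ranges, and the SIDs being mapped are all assumptions, and the per-domain "idmap config DOMAIN : backend" syntax is the later Samba 3 form, not the one in the 2005 HOWTO.

```python
import re

# Constructed smb.conf fragment for this example (not the configuration
# discussed in the thread). Domain name, SID and ranges are assumptions.
SMB_CONF = """
[global]
   workgroup = EXAMPLE
   realm = EXAMPLE.LOCAL
   security = ads
   # Catch-all for SIDs from other domains: allocated on first use, host-local
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999
   # Our own domain: arithmetic mapping, identical on every host
   idmap config EXAMPLE : backend = rid
   idmap config EXAMPLE : range = 10000-999999
   winbind enum users = no
   winbind enum groups = no
"""

# Constructed domain SID; a real one comes from "net getdomainsid".
DOMAIN_SIDS = {"EXAMPLE": "S-1-5-21-1111111111-2222222222-3333333333"}

# Constructed SIDs to map: Domain Admins (RID 512), a user (RID 1103),
# a RID too large for the range, a SID from a foreign domain, Everyone.
EXAMPLE_SIDS = [
    "S-1-5-21-1111111111-2222222222-3333333333-512",
    "S-1-5-21-1111111111-2222222222-3333333333-1103",
    "S-1-5-21-1111111111-2222222222-3333333333-990000",
    "S-1-5-21-4444444444-5555555555-6666666666-1103",
    "S-1-1-0",
]

_IDMAP_LINE = re.compile(
    r"^\s*idmap config\s+(\S+)\s*:\s*(backend|range)\s*=\s*(\S+)\s*$", re.M
)


def parse_idmap_config(conf):
    """Collect 'idmap config DOMAIN : key = value' lines into a dict keyed
    by domain name ('*' is the default domain)."""
    cfg = {}
    for dom, key, val in _IDMAP_LINE.findall(conf):
        entry = cfg.setdefault(dom.upper(), {})
        if key == "range":
            low, high = (int(x) for x in val.split("-", 1))
            entry["range"] = (low, high)
        else:
            entry["backend"] = val.lower()
    return cfg


def sid_to_id(sid, cfg, domain_sids):
    """Map a user/group SID to a Unix id the way the rid backend does:
    id = low + RID. Returns None where winbind would produce no mapping."""
    if not re.fullmatch(r"S-1-5-21-\d+-\d+-\d+-\d+", sid):
        return None  # well-known SIDs such as S-1-1-0 are not rid-mapped
    domain_sid, rid_str = sid.rsplit("-", 1)
    rid = int(rid_str)
    for dom, dsid in domain_sids.items():
        if dsid == domain_sid:
            break
    else:
        return None  # unknown domain: falls to the '*' backend, host-local state
    entry = cfg.get(dom, {})
    if entry.get("backend") != "rid" or "range" not in entry:
        return None
    low, high = entry["range"]
    uid = low + rid
    if uid > high:
        return None  # RID does not fit the range: winbind logs an error instead
    return uid


def mapping_table(sids, cfg, domain_sids):
    """Whole table for a list of SIDs. Two hosts with the same smb.conf
    compute the same table, so nothing needs to be copied after a crash."""
    return {sid: sid_to_id(sid, cfg, domain_sids) for sid in sids}


if __name__ == "__main__":
    table = mapping_table(EXAMPLE_SIDS, parse_idmap_config(SMB_CONF), DOMAIN_SIDS)
    for sid, uid in table.items():
        print(f"{sid} -> {uid}")
```

The two None cases for foreign-domain and well-known SIDs are the caveat behind point 1: anything that lands in the "*" backend is allocated per host, so only SIDs from the rid-configured domain are guaranteed to agree across machines.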


