[Samba] New ADS infrastructure with winbind - Which is the best ID-mapping: IDMAP_RID or IDMAP LDAP with ADS + SFU schema ?

Doug VanLeuven roamdad at sonic.net
Fri May 13 17:04:07 GMT 2005

Steffen Kolbe wrote:

> interesting to talk with an insider..... ;-)

Nope.  I feel like an outsider :-)

> .... sorry, my English is not the best... :-)
> 1. What is "nested groups"? Does it mean to work with groups in groups?

"winbind nested groups". Right.  Groups in groups.

> 2. What does the enumeration do?

Enumeration is a query for every user or group the AD knows about.

> 3. Do you have any ideas for linux notebooks? At the moment (in our 
> old environment) we use ADS+SFU with the NIS-feature. On every 
> notebook works a NIS Slave, so every Notebook user can also work 
> offline. But what about a winbind notebook, when the ADS is not 
> available?
> I found on the PADL homepage that software called nss_updatedb and 
> pam_ccreds is the solution with the SFU schema in offline situations 
> (caching).

Someone else will need to answer this.  We still use NIS at the native 
authentication level.  Or flat file accounts for non-network access.  I 
hate being dependent on one auth mechanism.  Fallbacks to fallbacks.

> 4. Does the solution with the SFU schema work fine in your environment or 
> do you have problems?

Works OK.  Use it both ways.  Windows serves NFS shares too, with simple 
name maps.

> How many users work with this?

Only 200.

> Did you have trouble with the installation, or does this work as easily as in 
> the HOWTO? ;-)      And did you have to hack for it to work correctly (after 
> installation)?

Using current Kerberos and LDAP versions was the only issue.  The work 
of Jeremy Allison on Kerberos and what others on the samba team have 
done to work with MS AD is simply fantastic.  I should say PFM.

> Thanks and regards
> Steffen

Good luck.  Doug
