[Samba] Re: Enabling 'idmap backend = ad' for user auth
eric roseme
eroseme at emonster.rose.hp.com
Fri Feb 3 18:31:18 GMT 2006
Gerald (Jerry) Carter wrote:
> Rex Dieter wrote:
>
>>Rex Dieter wrote:
>>
>>>McGlorfin wrote:
>>>
>>>
>>>>I'm using Samba 3.0.21a on Fedora Core 3 to authenticate against an
>>>>AD domain. The box running AD is Win2k3 R2, so AD has the RFC2207
>>>>schema extensions applied.
>>>
>>>
>>>Really? I thought installing SFU on the domain controller is/was
>>>still required, no? (What's R2?)
>>
>>Can someone please confirm/deny this? It's important to our site (as
>>the domain admins have been *very* reluctant to install SFU, but if only
>>a Win2k update is involved...)
>
>
> My understanding is that Windows 2003 does include the
> RFC2307 schema as part of AD. But I have not installed R2
> to confirm that.
>
I posted this last August:
http://marc.theaimsgroup.com/?l=samba&m=112388794720837&w=2

Just to summarize (someone asked what R2 is): R2 appears to be an
interim W2003 update to keep everyone happy while waiting for
Longhorn/Vista server. The big news for Samba is that R2 has the
RFC2307 attributes already included in the AD schema, so you do not have
to extend the schema with SFU. So you do not have to install SFU when
running R2 - that would be redundant. This is very important because
most enterprises are loath to touch their schema (for SFU extension), so
when R2 becomes common, they will not have to.

I have not tried loading our POSIX IDs onto R2, but I doubt it will
work with Samba as-is because the attribute names have changed from SFU.
SFU prefixed the RFC2307 attributes with msSFU-30 (thus not following
the RFC) but R2 actually uses the correct attribute names. Example:

CN=msSFU-30-Uid-Number is now CN=UidNumber

There is other stuff on R2, but this is what interested me.

It appears that R2 is now shipping on new hardware. Not sure about updates.

Eric Roseme
Hewlett-Packard