[Samba] winbind + consistent uid & gid
gasch at eva.mpg.de
Wed May 31 20:00:29 GMT 2006
you're right! Red Hat did not add this feature in some versions (not
sure if they did at all). We had the same trouble on RH EL3; now we use
packages from sernet.
Adams Samuel D Contr AFRL/HEDR wrote:
> It looks like this is what we want to do. We have more than one domain in
> our forest, but people should log in from only one domain to our Linux
> boxes. So it should still work, right?
> "Winbind/NSS uses RID based IDMAP:
> The IDMAP_RID facility is new to Samba version 3.0.8. It was added to
> make life easier for a number of sites that are committed to the use of MS ADS,
> that do not apply an ADS schema extension, and that do not have an LDAP
> directory server installed just for the purpose of maintaining an IDMAP table.
> If you have a single ADS domain (not a forest of domains, and not multiple
> domain trees) and you want a simple cookie-cutter solution to the IDMAP
> table problem, then IDMAP_RID is an obvious choice.
> This facility requires the allocation of the idmap uid and the idmap gid
> ranges, and within the idmap uid it is possible to allocate a subset of this
> range for automatic mapping of the relative identifier (RID) portion of the
> SID directly to the base of the UID plus the RID value. For example, if the
> idmap uid range is 1000-100000000 and the idmap backend =
> idmap_rid:DOMAIN_NAME=1000-50000000, and a SID is encountered that has the
> value S-1-5-21-34567898-12529001-32973135-1234, the resulting UID will be
> 1000 + 1234 = 2234."
> We are running samba 3.0.10 on our CentOS 4.2 boxes. I think we have the
> smb.conf file correct, but we are getting this message in our logs.
> May 30 15:01:22 Cent01 winbindd: [2006/05/30 15:01:22, 0]
> May 30 15:01:22 Cent01 winbindd: idmap_init: could not load remote
> backend 'idmap_rid'
> May 30 15:01:22 Cent01 winbind: winbindd startup succeeded
> According to the documentation on the samba.org website, this feature should
> be available since 3.0.8. My feeling is that Red Hat just didn't compile in
> the idmap_rid. Does the log seem to say that to you as well? If that is
> the case, is it possible to add that library as some kind of RPM without
> having to compile Samba from source, or is there an RPM that will work on
> CentOS 4.2 that has idmap_rid? We are going to do this on over 100 boxes,
> and want the process to be as simple as possible.
> Sam Adams
> General Dynamics - Network Systems
> Phone: 210.536.5945
> -----Original Message-----
> From: samba-bounces+samuel.adams.ctr=brooks.af.mil at lists.samba.org
> [mailto:samba-bounces+samuel.adams.ctr=brooks.af.mil at lists.samba.org] On
> Behalf Of Michael Gasch
> Sent: Tuesday, May 30, 2006 1:27 AM
> To: Emmanuel Blindauer
> Cc: samba at lists.samba.org
> Subject: Re: [Samba] winbind + consistent uid & gid
> > Putting "idmap backend = idmap_rid:DOMNAME=1000-1000000" in the
> > smb.conf file seemed promising, but it didn't work for me.
> that's not the only thing you have to do
> please refer to the Samba guide about how to set up idmap_rid correctly
> it's working fine for me on several servers
> Emmanuel Blindauer wrote:
>>You'll have to use LDAP for storing the mapping
>>idmap backend = ldap:ldap://your.ldap.server
>>and use smbpasswd -w to store the password used to access the LDAP server
>>On Wednesday 24 May 2006 17:48, Adams Samuel D Contr AFRL/HEDR wrote:
>>>I am trying to get our Linux boxes to authenticate against our AD
>>>domain. We have that part working just fine using Kerberos and winbind.
>>>The problem is when we use NFS on multiple machines. As you could
>>>guess, the UIDs and GIDs are not consistent across all of the machines.
>>>From what I have been reading on the internet, this seems to be a common
>>>problem, but all the solutions that I have found don't seem to work for
>>>me. Putting "idmap backend = idmap_rid:DOMNAME=1000-1000000" in the
>>>smb.conf file seemed promising, but it didn't work for me. Do you have
>>>any recommendations to get this to work? It is kind of critical to have
>>>a distributed file system. It is not an option to modify our AD servers.
>>>General Dynamics - Network Systems
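The thread above quotes the documented idmap_rid rule (UID = low end of the configured range + RID) and describes the original problem (per-host allocated ids that differ between NFS clients). The following Python model is an added example for this archive page; it is not Samba code and not from any poster. It reproduces the documentation's worked value (S-1-5-21-34567898-12529001-32973135-1234 with a 1000-50000000 range gives 2234), contrasts it with a constructed first-come-first-served allocator of the kind that produces inconsistent ids across hosts, and shows why the documentation restricts idmap_rid to a single domain. The host names, login order and second domain SID are made up for the illustration.

```python
import re

# Values from the documentation quoted in the thread.
DOMAIN_SID = "S-1-5-21-34567898-12529001-32973135"
RID_RANGE = (1000, 50000000)  # the "idmap_rid:DOMAIN_NAME=1000-50000000" part

# Constructed sample data (not from the thread): two users, two hosts that see
# the users log in for the first time in opposite order.
ALICE = DOMAIN_SID + "-1234"
BOB = DOMAIN_SID + "-1235"
LOGIN_ORDER = {"cent01": [ALICE, BOB], "cent02": [BOB, ALICE]}

SID_RE = re.compile(r"^(S-1-5-21-\d+-\d+-\d+)-(\d+)$")


def split_sid(sid):
    """Split a domain-relative SID into (domain SID, RID); None if not that shape."""
    m = SID_RE.match(sid)
    if not m:
        return None
    return m.group(1), int(m.group(2))


def rid_to_id(sid, domain_sid, id_range):
    """The documented idmap_rid arithmetic: id = range_low + RID.

    Returns None when the SID belongs to another domain or the result would
    leave the configured range, so the caller cannot mistake an unmapped SID
    for a valid id."""
    parts = split_sid(sid)
    if parts is None or parts[0] != domain_sid:
        return None
    low, high = id_range
    mapped = low + parts[1]
    return mapped if mapped <= high else None


class AllocatingIdmap:
    """Toy per-host allocator: hands out the next free id the first time a SID
    is seen. Modelled on the behaviour the original poster describes, not on
    any particular Samba backend."""

    def __init__(self, low):
        self.next_id = low
        self.table = {}

    def lookup(self, sid):
        if sid not in self.table:
            self.table[sid] = self.next_id
            self.next_id += 1
        return self.table[sid]


def allocated_ids(login_order_per_host, low=1000):
    """{host: {sid: id}} when each host allocates ids in its own first-seen order."""
    result = {}
    for host, order in login_order_per_host.items():
        alloc = AllocatingIdmap(low)
        result[host] = {sid: alloc.lookup(sid) for sid in order}
    return result


def rid_ids(login_order_per_host, domain_sid=DOMAIN_SID, id_range=RID_RANGE):
    """{host: {sid: id}} under the RID rule; login order is irrelevant."""
    return {host: {sid: rid_to_id(sid, domain_sid, id_range) for sid in order}
            for host, order in login_order_per_host.items()}


def consistent_across_hosts(ids_per_host):
    """True if every SID maps to the same id on every host that has seen it."""
    seen = {}
    for mapping in ids_per_host.values():
        for sid, mapped in mapping.items():
            if seen.setdefault(sid, mapped) != mapped:
                return False
    return True


def same_range_collision(sid_a, dom_a, sid_b, dom_b, id_range):
    """Why the documentation limits idmap_rid to one domain: two domains mapped
    through the same base turn equal RIDs into the same id."""
    return rid_to_id(sid_a, dom_a, id_range) == rid_to_id(sid_b, dom_b, id_range)


if __name__ == "__main__":
    print("doc example:", rid_to_id(ALICE, DOMAIN_SID, RID_RANGE))
    print("allocated:", allocated_ids(LOGIN_ORDER),
          "consistent:", consistent_across_hosts(allocated_ids(LOGIN_ORDER)))
    print("idmap_rid:", rid_ids(LOGIN_ORDER),
          "consistent:", consistent_across_hosts(rid_ids(LOGIN_ORDER)))
```

The deterministic mapping only holds while every host runs the same domain SID and the same range; a host with a different low value, or one whose winbindd logs "could not load remote backend 'idmap_rid'" as in the quoted log, falls back to whatever its local backend allocates and the NFS ownership mismatch returns on that host.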