[Samba] Samba4, multi-domain Forest and Unix ID mapping

Trever L. Adams trever.adams at gmail.com
Wed Jun 11 07:33:57 GMT 2008

Good day,

I wasn't sure whether this should go to the user list or the
samba-technical list. I chose here based on the descriptions of the list.

Forgive me if my understanding of the naming is inaccurate. It is my
understanding that Samba3 (and I believe 4, as well) has a very powerful
SID<->UID mapping mechanism which will auto create the UID in a range.
This is what I mean by Unix ID mapping.

I have read that this as of yet won't work in a forest, even if the
organization is only one organization. I am hoping this isn't true.

I am beginning to look at Samba4 for future implementations within
organizations I do work for. However, it appears I will need
multiple-domains-in-one-forest functionality. Is this implemented or at least planned?

If it is implemented/planned, is it possible to do the automatic Unix ID
mapping per above? If it is all one domain, is it possible to do this if
all the domain controllers/active directory machines are Samba 4?
Basically, can each domain have its own UID mapping setup and they will
work in the forest IF, and ONLY IF, the UID mapping doesn't overlap? The
exact mechanism my questions may bring into mind may be bad.

Here is the situation, explained in the context of an extended family:

Each family has its own domain (Windows and DNS), policies, etc. Each
has its own file servers, mail domains (DNS), etc. Each may share files
and printers with other families. This needs to work in Windows and Linux.

However, here is the killer: root access to Linux machines is not shared
across domains. Nor should Windows system/net/domain admin abilities.
However, guests from other families (within the extended family) need to
be able to view the shared files as well as login (without
administrative privileges) on computers in the other domains (think
visiting family).

To do this, auto SID<->UID maps are a must. Domains within the forest
will start at 6 at least and grow from there. (This example isn't far
from the kinds of things businesses and families ask me to do.)

Is all of this possible, planned, or just out there?

Thank you,
Trever Adams

P.S. Please, reply directly as well as to the list as I am not on the
list and only keep up from time to time.
