[Samba] Re: samba winbind

Michael St. Laurent mikes at hartwellcorp.com
Tue Sep 16 16:37:32 GMT 2008


> Chavez, James R. wrote:
> > Michael, Andreas, and list,
> > Quick questions for clarity please. Using Winbind and having the uid
> > and gid consistent across all Linux and Solaris servers is something
> > I have struggled with. So is it fair to say that without SFU, or
> > extending the schema with RFC2307, or using Windows 2003R2 and
> > manually populating these Active Directory user objects with Unix
> > attributes, you cannot manually specify which Unix uid is mapped to a
> > Windows ID?
> 
> You can use OpenLDAP for example instead of SFU or the RFC2307
> extension :-)
> 
> But: Yes, this is at least my experience.
> 
> There is a "net groupmap" command which will write to the tdb database
> backend, but I haven't ever used this and don't know if this command is
> relevant in this context. I remember this command is (only) used when
> setting up a Samba domain controller to map the builtin Windows groups
> 512, 513, 514. However, there is no "net usermap" command.
> 
> >
> > I ask this because in certain locations where I work we have existing
> > Unix infrastructures based on NIS. Therefore all access to data is
> > based upon these NIS uid and gid permissions in these environments.
> > The Windows group has been pushing Linux out in these locations and in
> > some cases insisting they be joined to Active Directory, and
> > authenticate local and SSH logins with Winbind. My issue with this is
> > that the existing resources that the staff access have permissions
> > based on NIS permissions. So when logging in with Active Directory
> > credentials, these AD users are dynamically allocated a Unix uid by
> > Winbind that no longer has access to established resources based on
> > the NIS permissions.
> >
> > What I have done in certain areas is migrate all uid, gid, and host
> > information from NIS into an OpenLDAP directory, then use Kerberos (AD
> > creds) to authenticate, then map the Kerberos name to the 8 character
> > Unix name in LDAP using PADL's nss_ldap. I could just create the LDAP
> > usernames the same as the Kerberos names but wanted to keep with the 8
> > character scheme; I think AIX still has this limitation. This seems to
> > work, but if I can use Winbind to statically map existing Unix uids to
> > Windows IDs that would be less work.
> >
> > Is there in fact a way to use Winbind and use the NIS uid and gid info
> > that already exists? From what I have read so far all Winbind uid
> > generation is dynamic. Please correct me if I am wrong.
> 
> We had the same constellation in our institute and we put all
> uids/gids from NIS into Active Directory "by hand", bit by bit. About
> 200 users.
> 
> I don't know a way to use NIS AND winbind at the same time, so that the
> Active Directory system would read information from NIS and put it
> together with the Windows AD information, without migrating the
> uids/gids.
> 
> I hope a Samba developer could answer this question positively :-)

I'm not a Samba developer but in the latest releases of the 3.0.x tree
you can use the idmap backend of "nss" to get the old behavior of
mapping the Windows account name to the same account name in Unix.
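Added example, not part of the thread or of Samba: a Python pre-check for the "nss" idmap backend Michael mentions, which resolves each Windows account name through the Unix passwd database, so an AD account without a same-named NIS entry stays unmapped and any account already using a dynamically allocated uid changes uid. The passwd lines, getent output and account names are constructed, and exact (case-sensitive) name matching is an assumption.

```python
# Added example (not from the thread): audit before switching winbind to the
# "nss" idmap backend. All sample data is constructed; exact-name matching assumed.

# NIS passwd map as dumped by `ypcat passwd` (constructed sample).
NIS_PASSWD = """\
jchavez:x:1042:100:James Chavez:/home/jchavez:/bin/bash
mstlaur:x:1057:100:Michael St. Laurent:/home/mstlaur:/bin/bash
build:x:2001:200:Build account:/var/build:/bin/false
"""

# What winbind currently hands out from its dynamic idmap range (constructed),
# in `getent passwd` form, assuming "winbind use default domain = yes".
WINBIND_NOW = """\
jchavez:*:10000:10000:James Chavez:/home/EXAMPLE/jchavez:/bin/bash
build:*:10001:10000:build:/home/EXAMPLE/build:/bin/bash
mstlaurent:*:10002:10000:Michael St. Laurent:/home/EXAMPLE/mstlaurent:/bin/bash
"""

# AD account names to check (constructed). The 8-character NIS naming scheme
# from the thread means "mstlaurent" has no same-named NIS entry.
AD_ACCOUNTS = ["jchavez", "mstlaurent", "build", "aschmidt"]

def parse_passwd(text):
    """Return {name: (uid, gid)} from passwd-format lines; skip malformed ones."""
    users = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) < 4 or not fields[2].isdigit() or not fields[3].isdigit():
            continue
        users[fields[0]] = (int(fields[2]), int(fields[3]))
    return users

def plan_nss_idmap(nis_text, ad_accounts):
    """Unix uid each AD account would get via the nss backend, None if unmapped."""
    nis = parse_passwd(nis_text)
    return {acct: nis[acct][0] if acct in nis else None for acct in ad_accounts}

def unmapped(plan):
    """AD accounts that would have no uid after the switch (sorted)."""
    return sorted(a for a, uid in plan.items() if uid is None)

def uid_changes(current_text, plan):
    """{name: (old_dynamic_uid, new_nis_uid)}; files owned by the old uid need a chown."""
    now = parse_passwd(current_text)
    return {a: (now[a][0], uid) for a, uid in plan.items()
            if uid is not None and a in now and now[a][0] != uid}

if __name__ == "__main__":
    plan = plan_nss_idmap(NIS_PASSWD, AD_ACCOUNTS)
    print("unmapped:", unmapped(plan), "uid changes:", uid_changes(WINBIND_NOW, plan))
```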

