[Samba] Re: samaba winwind

Michael St. Laurent mikes at hartwellcorp.com
Tue Sep 16 16:37:32 GMT 2008

> Chavez, James R. wrote:
> > Michael, Andreas, and list,
> > Quick questions for clarity please. Using Winbind and having the uid
> gid consistent across all linux and Solaris servers is something I
> struggled with. So is it fair to say that without SFU, or extending
> with RFC2307, or using Windows 2003R2 and manually populating these
> Directory user objects with Unix attributes, you cannot manually
> which Unix uid is mapped to a Windows ID?
> You can use OpenLDAP for example instead of SFU or RFC2307
> But: Yes, this is at least my experience.
> There is a "net groupmap" command which will write to the tdb database
> backend, but I didn't ever use this and don't know if this command is
> relevant in this context. I remember this command is (only) used when
> setting up a Samba domain controller to map the builtin Windows groups
> 512,513,514. Although there is no "net usermap" command.
> >
> > I ask this because in certain locations where I work we have
> Unix infrastructures based on NIS. Therefore all access to data is
> upon these NIS uid and gid permissions in these environments. The
> group has been pushing Linux out in these locations and in some cases,
> insisting they be joined to Active Directory, and authenticate local
> SSH logins with Winbind. My issue with this is that the existing
> that the staff accesses have permissions based on NIS permissions. So
> logging in with Active Directory credentials, these AD users are
> dynamically allocated a Unix uid by Winbind that has no longer has
> to established resources based on the NIS permissions.
> >
> > What I have done in certain areas is migrated all uid, gid, and host
> information from NIS into an OpenLDAP directory. Then use Kerberos (AD
> creds) to authenticate then map the Kerberos name to the 8 character
> name in LDAP using PADL's nss_ldap. I could just create the LDAP
> the same as the Kerberos names but wanted to keep with the 8 character
> scheme, I think AIX still has this limitation. This seems to work but if I
> can use Winbind to statically map existing Unix uid to Windows ID's
> would be less work.
> >
> > Is there in fact a way to use Winbind and use the NIS uid and gid
> that already exists? From what I have read so far all Winbind uid
> generation is dynamic. Please correct me if I am wrong.
> We had the same constellation in our institute and we put all
> from NIS to Active Directory "by hand", bit by bit. About 200 users.
> I don't know a way to use NIS AND winbind at the same time, so the
> ActiveDirectory system will read information from NIS and put it
> together with the Windows AD information, without migrating the
> uids/gids.
> I hope a samba developer could answer this question positively :-)

I'm not a Samba developer but in the latest releases of the 3.0.x tree
you can use the idmap backend of "nss" to get the old behavior of
mapping the Windows account name to the same account name in Unix.
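As an added illustration (not from the original thread), an smb.conf fragment using the idmap_nss backend to get the behaviour described above; the domain name EXAMPLE, the realm and the id ranges are assumptions, and the syntax follows the idmap_nss(8) man page of later 3.x releases (3.0.25-era releases also needed an `idmap domains` line):

```ini
[global]
    workgroup = EXAMPLE
    realm = EXAMPLE.COM
    security = ads
    ; let "alice" rather than "EXAMPLE\alice" be the Unix login name
    winbind use default domain = yes

    ; default allocating backend for SIDs not covered below (BUILTIN, trusted domains)
    idmap backend = tdb
    idmap uid = 1000000-1999999
    idmap gid = 1000000-1999999

    ; EXAMPLE\alice is resolved by NSS (NIS or nss_ldap) to the existing
    ; uid of the Unix account "alice" instead of getting a freshly allocated one
    idmap config EXAMPLE : backend = nss
    idmap config EXAMPLE : range = 1000-999999
```

Because this mapping is purely by account name, the AD name must match the NIS/LDAP name exactly, so the 8-character renaming scheme mentioned earlier in the thread would defeat it; `getent passwd alice` and `wbinfo -i alice` should then both show the NIS uid.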
