[Samba] Settings ACLS from Windows via member server

Mark Dieterich mkd at cs.brown.edu
Wed Feb 23 15:01:49 MST 2011


Thanks again for the feedback.

> On the other hand, some sites require the same uid/gid across domain
> controllers (PDC/BDC) and domain member servers (dms). Where this is
> required you CAN use NSS-LDAP to get globally consistent uid/gid values
> for each user and then use idmap_ldap to handle SID to uid/gid mappings.
> This configuration can get a little messy and my preference is to not
> have any domain member server but rather make them all domain
> controllers - that way all BDCs can share the exact same smb.conf
> configuration for simpler admin.

This is exactly the situation we are in.  The vast majority of our 
workstations are linux/unix based, thus uids/gids are really at the guts 
of our environment.  The majority of our users work in both 
environments, so it's critical to have everything match.

Someone else (tms3) asked off list whether there was any reason to even 
bother with member servers.  While it is certainly the case in a "real" 
Windows environment, I couldn't come up with a reason why this 
shouldn't/couldn't be done with a pure samba environment.  I just tested 
and things "appear" to work just fine in a test setup.  It "seems" 
wrong, but there is no reason why it can't work just fine with samba.

> The domain member server should be configured so it can write to the
> LDAP directory so that it can assign (out of the idmap range provided in
> the smb.conf file) the idmap entries.  These should populate into the
> "idmap suffix" container.

Of course the problem with this is users could end up with multiple 
gids/uids if we allowed the member servers to assign uids/gids.  I now 
understand why member servers would need to assign uids/gids in a "real" 
Windows domain and it's likely we could seed LDAP properly so that we 
could use them as member servers, but for now I think I'll likely go 
with the massive number of DCs route.

Thanks everyone, I think I've put together a better understanding of 
some of the samba/NT domain internals... probably just enough to cause 
some real trouble ;)
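The concern raised above, that member servers allocating their own ids out of the smb.conf idmap range can leave a user with one uid on the DCs/workstations (NSS-LDAP) and another on the member server (the "idmap suffix" container), is easy to check for once both trees can be dumped. The following is an added example, not code from the thread or from Samba: it cross-checks the NSS-LDAP users/groups against the sambaIdmapEntry objects a member server wrote. It assumes the Samba 3 LDAP schema attribute names (sambaSID, uidNumber, gidNumber, objectClass sambaIdmapEntry) and LDIF-style input such as ldapsearch produces; the DNs, SIDs and id numbers in the embedded sample are constructed, and ou=Idmap is an assumed name for the idmap suffix.

```python
"""Added example (not from the original thread or from Samba): cross-check the
uid/gid values a member server allocated in its idmap suffix against the
uidNumber/gidNumber that NSS-LDAP already holds for the same SIDs.

Input is simple LDIF text (one attribute per line, no continuation lines, no
base64 '::' values). Attribute names follow the Samba 3 LDAP schema; the
sample entries below are constructed, the SIDs and DNs are invented.
"""

# Constructed sample: what NSS-LDAP sees. Users carry uid/uidNumber plus a
# sambaSID (posixAccount + sambaSamAccount); groups carry gidNumber plus a
# sambaSID (posixGroup + sambaGroupMapping).
NSS_LDIF = """\
dn: uid=alice,ou=People,dc=example,dc=com
uid: alice
uidNumber: 5001
gidNumber: 5000
sambaSID: S-1-5-21-111-222-333-11002

dn: uid=bob,ou=People,dc=example,dc=com
uid: bob
uidNumber: 5002
gidNumber: 5000
sambaSID: S-1-5-21-111-222-333-11004

dn: cn=staff,ou=Group,dc=example,dc=com
cn: staff
gidNumber: 5000
sambaSID: S-1-5-21-111-222-333-11001
"""

# Constructed sample: what a member server wrote into its idmap suffix
# (assumed container ou=Idmap, assumed idmap range 10000-20000 in this scenario).
IDMAP_LDIF = """\
dn: sambaSID=S-1-5-21-111-222-333-11002,ou=Idmap,dc=example,dc=com
objectClass: sambaIdmapEntry
sambaSID: S-1-5-21-111-222-333-11002
uidNumber: 10000

dn: sambaSID=S-1-5-21-111-222-333-11004,ou=Idmap,dc=example,dc=com
objectClass: sambaIdmapEntry
sambaSID: S-1-5-21-111-222-333-11004
uidNumber: 5002

dn: sambaSID=S-1-5-21-111-222-333-11001,ou=Idmap,dc=example,dc=com
objectClass: sambaIdmapEntry
sambaSID: S-1-5-21-111-222-333-11001
gidNumber: 10001

dn: sambaSID=S-1-5-21-111-222-333-11006,ou=Idmap,dc=example,dc=com
objectClass: sambaIdmapEntry
sambaSID: S-1-5-21-111-222-333-11006
uidNumber: 5001
"""


def parse_ldif(text):
    """Parse minimal LDIF into a list of dicts: attribute -> list of values.
    Entries are separated by blank lines."""
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def find_idmap_conflicts(nss_ldif, idmap_ldif):
    """Compare idmap allocations with NSS-LDAP and return a list of problems.

    ("mismatch", sid, kind, nss_id, idmap_id): the same SID resolves to a
        different uid/gid on the member server than everywhere else.
    ("collision", sid, kind, idmap_id, owner_sid): the member server handed
        out a number that NSS-LDAP already uses for a different SID.
    """
    sid_to_nss = {}   # sid -> ("uid"|"gid", number) as NSS-LDAP knows it
    id_owner = {}     # ("uid"|"gid", number) -> sid that owns it in NSS-LDAP
    for entry in parse_ldif(nss_ldif):
        for sid in entry.get("sambaSID", []):
            if "uid" in entry and "uidNumber" in entry:      # user entry
                ident = ("uid", int(entry["uidNumber"][0]))
            elif "gidNumber" in entry:                        # group entry
                ident = ("gid", int(entry["gidNumber"][0]))
            else:
                continue
            sid_to_nss[sid] = ident
            id_owner[ident] = sid

    problems = []
    for entry in parse_ldif(idmap_ldif):
        if "sambaIdmapEntry" not in entry.get("objectClass", []):
            continue
        sid = entry["sambaSID"][0]
        if "uidNumber" in entry:
            ident = ("uid", int(entry["uidNumber"][0]))
        elif "gidNumber" in entry:
            ident = ("gid", int(entry["gidNumber"][0]))
        else:
            continue
        nss = sid_to_nss.get(sid)
        if nss is not None and nss != ident:
            problems.append(("mismatch", sid, ident[0], nss[1], ident[1]))
        owner = id_owner.get(ident)
        if owner is not None and owner != sid:
            problems.append(("collision", sid, ident[0], ident[1], owner))
    return problems


if __name__ == "__main__":
    for problem in find_idmap_conflicts(NSS_LDIF, IDMAP_LDIF):
        print(*problem)
```

Run against the sample, the check reports alice and the staff group as mismatches (NSS says 5001/5000, the member server allocated 10000/10001) and flags the stray idmap entry that reuses alice's uid 5001 for a SID NSS-LDAP does not know. An empty report is what you want to see before trusting a member server's ACLs to mean the same thing as the DCs'.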

