[Samba] Settings ACLS from Windows via member server
Mark Dieterich
mkd at cs.brown.edu
Wed Feb 23 15:01:49 MST 2011
John,
Thanks again for the feedback.
> On the other hand, some sites require the same uid/gid across domain
> controllers (PDC/BDC) and domain member servers (dms). Where this is
> required you CAN use NSS-LDAP to get globally consistent uid/gid values
> for each user and then use idmap_ldap to handle SID to uid/gid mappings.
> This configuration can get a little messy and my preference is to not
> have any domain member server but rather make them all domain
> controllers - that way all BDCs can share the exact same smb.conf
> configuration for simpler admin.
This is exactly the situation we are in. The vast majority of our
workstations are linux/unix based, thus uids/gids are really at the guts
of our environment. The majority of our users work in both
environments, so it's critical to have everything match.
Someone else (tms3) asked off list whether there was any reason to even
bother with member servers. While it is certainly the case in a "real"
Windows environment, I couldn't come up with a reason why this
shouldn't/couldn't be done with a pure samba environment. I just tested
and things "appear" to work just fine in a test setup. It "seems"
wrong, but there is no reason why it can't work just fine with samba.
> The domain member server should be configured so it can write to the
> LDAP directory so that it can assign (out of the idmap range provided in
> the smb.conf file) the idmap entries. These should populate into the
> "idmap suffix" container.
Of course the problem with this is users could end up with multiple
gids/uids if we allowed the member servers to assign uids/gids. I now
understand why member servers would need to assign uids/gids in a "real"
Windows domain and it's likely we could seed LDAP properly so that we
could use them as member servers, but for now I think I'll likely go
with the massive number of DCs route.
Thanks everyone, I think I've put together a better understanding of
some of the samba/NT domain internals... probably just enough to cause
some real trouble ;)
Mark
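One way to check for the duplicate-uid problem discussed above (a member server allocating a second uid for a user who already has one via NSS-LDAP, or allocating a uid that collides with an existing posixAccount), as an added example that is not part of the thread: it parses a constructed LDIF dump of the user and "idmap suffix" containers and reports SIDs whose sambaIdmapEntry disagrees with the posixAccount record. The DNs, SIDs and uid values are made up.

```python
from collections import defaultdict

# Constructed LDIF standing in for an ldapsearch dump of ou=People and
# the "idmap suffix" container (ou=Idmap); not from any real directory.
SAMPLE_LDIF = """\
dn: uid=alice,ou=People,dc=example,dc=com
objectClass: posixAccount
uidNumber: 1001
sambaSID: S-1-5-21-1-2-3-1001

dn: uid=bob,ou=People,dc=example,dc=com
objectClass: posixAccount
uidNumber: 1002
sambaSID: S-1-5-21-1-2-3-1002

dn: sambaSID=S-1-5-21-1-2-3-1002,ou=Idmap,dc=example,dc=com
objectClass: sambaIdmapEntry
uidNumber: 1001
sambaSID: S-1-5-21-1-2-3-1002
"""

def parse_ldif(text):
    """Minimal LDIF parser (no base64 values, no line folding)."""
    entries = []
    for block in text.strip().split("\n\n"):   # blank line separates entries
        e = defaultdict(list)
        for line in block.splitlines():
            attr, _, val = line.partition(":")
            e[attr.strip()].append(val.strip())
        entries.append(dict(e))
    return entries

def find_conflicts(entries):
    """Return sorted (kind, sid, uid) tuples for inconsistent SID<->uid state."""
    account, by_uid, idmap = {}, {}, []
    for e in entries:
        sid = e.get("sambaSID", [None])[0]
        uid = e.get("uidNumber", [None])[0]
        if sid is None or uid is None:
            continue
        if "sambaIdmapEntry" in e.get("objectClass", []):
            idmap.append((sid, uid))              # allocated by a member server
        elif "posixAccount" in e.get("objectClass", []):
            account[sid], by_uid[uid] = uid, sid  # the NSS-LDAP source of truth
    problems = set()
    for sid, uid in idmap:
        if sid in account and account[sid] != uid:
            problems.add(("split_identity", sid, uid))  # same user, second uid
        if uid in by_uid and by_uid[uid] != sid:
            problems.add(("uid_collision", sid, uid))   # uid owned by another account
    return sorted(problems)
```

In the sample, bob's SID was given alice's uid by the idmap allocator, so both checks fire for that one entry; a consistent directory returns an empty list.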