[Samba] UID mapping
Jonathan Buzzard
jonathan at buzzard.me.uk
Wed Jun 15 08:29:33 MDT 2011
On Tue, 2011-06-14 at 23:41 +0000, Peter Shevchenko wrote:
[SNIP]
> I have been working on exactly this problem. I looked into the
> rfc2307scheme extensions and it looked like a lot of trouble. The samba
> HowTo has this to say about it.
>
> "The use of this method is messy. The information provided in the
> following is for guidance only and is very definitely not complete. This
> method does work; it is used in a number of large sites and has an
> acceptable level of performance." see
> samba.org/samba/docs/man/Samba-HOWTO-Collection/idmapper.html
That is *not* the method I was suggesting to use. I was suggesting using
the idmap_ad backend and winbind directly. No ldap or similar in sight
excepting that AD is ldap.
This is the configuration that I use in smb.conf
# deal with NSS and the whole UID/SID id mapping stuff
# default (tdb) backend: allocates ids for any SID no domain-specific
# backend answers; its range must not overlap the AD range below
idmap backend = tdb
idmap uid = 2000000 - 2999999
idmap gid = 2000000 - 2999999
# idmap_ad: read uidNumber/gidNumber straight from the RFC 2307 attributes
# in AD; read-only, so no ids are ever allocated locally for this domain
idmap config LIFESCI-AD : backend = ad
idmap config LIFESCI-AD : schema_mode = rfc2307
idmap config LIFESCI-AD : readonly = yes
idmap config LIFESCI-AD : range = 500 - 1999999
idmap cache time = 120
idmap negative cache time = 20
# take shell and home directory from the RFC 2307 attributes too, rather
# than from the winbind template settings
winbind nss info = rfc2307
winbind expand groups = 2
winbind nested groups = yes
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes
winbind refresh tickets = yes
winbind offline logon = false
With nsswitch.conf looking like
passwd: files winbind
shadow: files
group: files winbind
I would say the documentation on how to get this working is not great,
the biggest stumbling block being the need for a non-overlapping range
for the plain tdb backend, which is required despite the fact that it is
never used.
Yes you need to have winbind running at all times for it to work but it
does work.
JAB.
--
Jonathan A. Buzzard Email: jonathan (at) buzzard.me.uk
Fife, United Kingdom.
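The non-overlapping range requirement mentioned in the post is easy to get wrong by hand, so here is a small checker written for this edit (example code, not from the post and not part of Samba). It parses the idmap lines of the smb.conf fragment above (embedded as sample input; the non-idmap lines are dropped because they do not affect id allocation), handles both the old `idmap uid`/`idmap gid` form and the `idmap config * : range` form for the default backend, and reports any two idmap ranges that share an id. It also flags local /etc/passwd accounts whose uid falls inside a domain range, since with `passwd: files winbind` such a uid would resolve to the files entry first. The /etc/passwd lines are constructed, and the "1000 and 1500" uids they carry are there only to show that check firing.

```python
"""Check smb.conf idmap ranges for overlap and for collisions with local uids.

Added example for this edit; not code from the mailing-list post or Samba.
"""
import re
from typing import Dict, List, Tuple

Range = Tuple[int, int]

# Sample input: the idmap lines of the smb.conf fragment posted above.
SAMPLE_SMB_CONF = """\
# deal with NSS and the whole UID/SID id mapping stuff
idmap backend = tdb
idmap uid = 2000000 - 2999999
idmap gid = 2000000 - 2999999
idmap config LIFESCI-AD : backend = ad
idmap config LIFESCI-AD : schema_mode = rfc2307
idmap config LIFESCI-AD : readonly = yes
idmap config LIFESCI-AD : range = 500 - 1999999
"""

# Constructed /etc/passwd lines (not from the post); two uids sit inside
# the AD range on purpose so the local-account check has something to report.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
jab:x:1000:1000:Jonathan:/home/jab:/bin/bash
backup:x:1500:1500::/var/backups:/usr/sbin/nologin
"""

# Matches the key part of "idmap config DOMAIN : param = value".
_DOMAIN_KEY = re.compile(r"^idmap config\s+(\S+?)\s*:\s*(\S+)$", re.IGNORECASE)


def parse_range(text: str) -> Range:
    """Parse 'LOW - HIGH' as written in smb.conf into (low, high)."""
    parts = text.replace(" ", "").split("-")
    if len(parts) != 2 or not all(p.isdigit() for p in parts):
        raise ValueError(f"bad idmap range: {text!r}")
    lo, hi = int(parts[0]), int(parts[1])
    if lo > hi:
        raise ValueError(f"idmap range low > high: {text!r}")
    return lo, hi


def parse_idmap_ranges(conf: str) -> Dict[str, Range]:
    """Return {'*': default range, 'DOMAIN': per-domain range, ...}.

    'idmap uid', 'idmap gid' and 'idmap config * : range' all describe the
    default backend; if they differ the widest envelope is kept, which is
    the conservative choice for an overlap check.
    """
    ranges: Dict[str, Range] = {}

    def widen(name: str, rng: Range) -> None:
        lo, hi = rng
        if name in ranges:
            lo, hi = min(lo, ranges[name][0]), max(hi, ranges[name][1])
        ranges[name] = (lo, hi)

    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if "=" not in line:
            continue
        key, value = (s.strip() for s in line.split("=", 1))
        if key.lower() in ("idmap uid", "idmap gid"):
            widen("*", parse_range(value))
            continue
        m = _DOMAIN_KEY.match(key)
        if m and m.group(2).lower() == "range":
            widen(m.group(1).upper(), parse_range(value))
    return ranges


def overlapping_ranges(ranges: Dict[str, Range]) -> List[Tuple[str, str]]:
    """Pairs of idmap domains whose ranges share at least one id."""
    names = sorted(ranges)
    hits: List[Tuple[str, str]] = []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            (alo, ahi), (blo, bhi) = ranges[a], ranges[b]
            if alo <= bhi and blo <= ahi:
                hits.append((a, b))
    return hits


def local_uids_in_range(passwd: str, rng: Range) -> List[Tuple[str, int]]:
    """Local passwd accounts whose uid lies inside rng (files wins on lookup)."""
    lo, hi = rng
    found: List[Tuple[str, int]] = []
    for line in passwd.splitlines():
        fields = line.split(":")
        if len(fields) < 3 or not fields[2].isdigit():
            continue
        uid = int(fields[2])
        if lo <= uid <= hi:
            found.append((fields[0], uid))
    return found


def check(conf: str, passwd: str) -> List[str]:
    """Human-readable list of problems; empty means the ranges look sane."""
    ranges = parse_idmap_ranges(conf)
    problems: List[str] = []
    if "*" not in ranges:
        problems.append("no default (tdb) range: set 'idmap uid'/'idmap gid' "
                        "or 'idmap config * : range'")
    for a, b in overlapping_ranges(ranges):
        problems.append(f"idmap ranges for {a} and {b} overlap: "
                        f"{ranges[a]} vs {ranges[b]}")
    for name, rng in ranges.items():
        if name == "*":
            continue
        for user, uid in local_uids_in_range(passwd, rng):
            problems.append(f"local account {user} (uid {uid}) lies inside "
                            f"the {name} range {rng}")
    return problems


if __name__ == "__main__":
    for p in check(SAMPLE_SMB_CONF, SAMPLE_PASSWD) or ["no idmap range problems found"]:
        print(p)
```

On the posted configuration the two ranges (500 - 1999999 for the AD domain, 2000000 - 2999999 for tdb) do not overlap, so only the constructed local accounts are reported; shrinking the tdb range down to 1000000 makes the overlap check fire as well.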