[Samba] Winbind & user ID's on multiple servers
javier.conti at gmail.com
Wed Mar 9 16:27:55 MST 2011
On Mar 10, 2011 12:16 AM, "TAKAHASHI Motonobu" <monyo at monyo.com> wrote:
> 2011/3/10 Javier Conti <javier.conti at gmail.com>:
> > On 9 March 2011 20:13, Mike Auleta <michael_auleta at condenast.com> wrote:
> >> We're looking at setting up Linux Authentication to our AD servers
> >> winbind and need to know if there is a way to keep all the user IDs in
> >> sync across the Linux servers. The way I see it now, the user ID is
> >> assigned numerically depending on the order users log in to a server.
> >> Could make for issues if NFS mounted directories are involved.
> > Hi, I'm using AD 2008 R2 as PDC, and have been successful using the
> > following configuration in /etc/samba/smb.conf on the client:
> > [global]
> > idmap backend = ad
> > idmap config MYDOMAIN : backend = ad
> > idmap config MYDOMAIN : range = 10000 - 20000
> > idmap config MYDOMAIN : schema_mode = rfc2307
> > winbind nss info = rfc2307
> > Since this configuration uses the Posix attributes found in the
> > rfc2307 schema, I have the uidNumber attribute of users and the
> > gidNumber attribute of groups populated with the IDs used in Unix (and
> > in the range between 10000 and 20000).
> "idmap backend" should be a "writeable" backend such as tdb or ldap.
If someone manages user and groups on the AD, thus assigning uidNumbers and
gidNumbers on it, is it still necessary (or a real advantage) for the idmap
backend to be writeable?
Just wondering... Javier
> Anyway, to synchronize UID, you can also use "rid" or "ldap" instead of
> If you simply want to sync UIDs, "rid" is a better choice, I think.
> For example:
> idmap config DOMAIN:range = 1000000 - 1999999
> idmap config DOMAIN:base_rid = 0
> idmap config DOMAIN:backend = rid
> Please refer to manpages in the detail.
> TAKAHASHI Motonobu <monyo at monyo.com>
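To make the point about consistent IDs concrete, here is an added example (not from the thread or from Samba itself) that implements the rid backend's mapping rule from the idmap_rid man page, ID = RID - BASE_RID + LOW_RANGE_ID, on top of the exact config lines quoted above. The domain SID and the RIDs are constructed sample values; the mapping is a pure function of SID and config, so every server with the same smb.conf produces the same IDs regardless of login order.

```python
import re
from typing import Dict, List, Optional

# smb.conf fragment: the rid configuration quoted in the thread
SMB_CONF = """
[global]
idmap config DOMAIN:range = 1000000 - 1999999
idmap config DOMAIN:base_rid = 0
idmap config DOMAIN:backend = rid
"""

# Assumed sample domain SID (not from the thread)
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"


def parse_idmap_config(conf: str, domain: str) -> dict:
    """Collect the 'idmap config DOMAIN:key = value' options for one domain."""
    pat = re.compile(
        rf"^\s*idmap config\s+{re.escape(domain)}\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.M)
    opts = {k.lower(): v for k, v in pat.findall(conf)}
    low, high = (int(x) for x in opts["range"].replace(" ", "").split("-"))
    return {"backend": opts["backend"], "low": low, "high": high,
            "base_rid": int(opts.get("base_rid", "0"))}


def sid_to_id(sid: str, cfg: dict, domain_sid: str) -> Optional[int]:
    """Deterministic rid mapping: ID = RID - BASE_RID + LOW_RANGE_ID."""
    dom, _, rid = sid.rpartition("-")
    if dom != domain_sid:
        return None  # SID belongs to another domain: this backend does not map it
    uid = int(rid) - cfg["base_rid"] + cfg["low"]
    if not cfg["low"] <= uid <= cfg["high"]:
        return None  # outside the configured range: winbind returns no mapping
    return uid


def id_to_sid(uid: int, cfg: dict, domain_sid: str) -> Optional[str]:
    """Reverse mapping, needed e.g. for 'ls -l' on an NFS-shared directory."""
    if not cfg["low"] <= uid <= cfg["high"]:
        return None
    return f"{domain_sid}-{uid - cfg['low'] + cfg['base_rid']}"


def map_logins(sids_in_login_order: List[str], cfg: dict) -> Dict[str, int]:
    """IDs a server hands out as users log in; order does not affect the result."""
    return {sid: sid_to_id(sid, cfg, DOMAIN_SID) for sid in sids_in_login_order}
```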