[Samba] Winbind & user ID's on multiple servers

Andrew Masterson Andrew.Masterson at nuvistaenergy.com
Thu Mar 10 11:53:32 MST 2011


> -----Original Message-----
> From: samba-bounces at lists.samba.org [mailto:samba-bounces at lists.samba.org]
> On Behalf Of Javier Conti
> Sent: Wednesday, March 09, 2011 4:28 PM
> To: TAKAHASHI Motonobu
> Cc: samba at lists.samba.org; Mike Auleta
> Subject: Re: [Samba] Winbind & user ID's on multiple servers
> 
> On Mar 10, 2011 12:16 AM, "TAKAHASHI Motonobu" <monyo at monyo.com> wrote:
> >
> > 2011/3/10 Javier Conti <javier.conti at gmail.com>:
> > > On 9 March 2011 20:13, Mike Auleta <michael_auleta at condenast.com> wrote:
> > >> We're looking at setting up Linux Authentication to our AD servers using
> > >> winbind and need to know if there is a way to keep all the user IDs in
> > >> sync across the Linux servers.  The way I see it now, the user ID is
> > >> assigned numerically depending on the order users log in to a server.
> > >> Could make for issues if NFS mounted directories are involved.
> > >
> > > Hi, I'm using AD 2008 R2 as PDC, and have been successful using the
> > > following configuration in /etc/samba/smb.conf on the client:
> > >
> > > [global]
> > (snip)
> > >        idmap backend = ad
> > >        idmap config MYDOMAIN : backend = ad
> > >        idmap config MYDOMAIN : range = 10000 - 20000
> > >        idmap config MYDOMAIN : schema_mode = rfc2307
> > >        winbind nss info = rfc2307
> > >
> > > Since this configuration uses the Posix attributes found in the
> > > rfc2307 schema, I have the uidNumber attribute of users and the
> > > gidNumber attribute of groups populated with the IDs used in Unix (and
> > > in the range between 10000 and 20000).
> >
> > "idmap backend" should be a "writeable" backend such as tdb or ldap.
> 
> If someone manages users and groups on the AD, thus assigning uidNumbers and
> gidNumbers on it, is it still necessary (or a real advantage) for the idmap
> backend to be writeable?
> 
> Just wondering... Javier
> 
> >
> > Anyway, to synchronize UID, you can also use "rid" or "ldap" instead of "ad".
> > If you simply want to sync UIDs, "rid" is a better choice, I think.
> > For example:
> >
> > idmap config DOMAIN:range = 1000000 - 1999999
> > idmap config DOMAIN:base_rid = 0
> > idmap config DOMAIN:backend = rid
> >
> > Please refer to manpages for the details.
> >


This is why, if you have a single domain and no weird setup, RID mapping
is best.  You get consistent mapping across all domain member servers
and it's easy to port stuff around.  I messed around with the other
stuff and SFU, but RID is the easiest by far.

-=Andrew
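Added illustration (not from anyone in this thread, and not Samba's code): a small Python model of why the "rid" backend gives the consistent mapping Andrew describes while an allocating backend reproduces the login-order problem Mike raised. It uses the idmap_rid arithmetic from the man page (id = rid - base_rid + low_id) with the range and base_rid quoted above, and a simplified stand-in for an allocating backend such as idmap_tdb. The domain SID, user names and RIDs are constructed sample values.

```python
import re
from typing import Callable, Dict, Optional, Sequence

# Constructed sample data: an arbitrary domain SID and three users whose
# RIDs were handed out in the order bob, alice, carol. Nothing here comes
# from the thread; it only exercises the two mapping strategies.
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"
SAMPLE_USERS: Dict[str, str] = {
    "alice": DOMAIN_SID + "-1105",
    "bob": DOMAIN_SID + "-1104",
    "carol": DOMAIN_SID + "-1106",
}
# Two member servers that see the same users log in for the first time
# in different orders.
LOGIN_ORDERS = [("alice", "bob", "carol"), ("carol", "bob", "alice")]

SID_RE = re.compile(r"^(S-1-5-21-\d+-\d+-\d+)-(\d+)$")


def split_sid(sid: str):
    """Return (domain_sid, rid) for a domain SID, or raise ValueError."""
    m = SID_RE.match(sid)
    if not m:
        raise ValueError("not a domain SID: %r" % sid)
    return m.group(1), int(m.group(2))


class RidIdmap:
    """Stateless mapping using the idmap_rid formula id = rid - base_rid + low.
    Because no table is kept, every server computes the same answer."""

    def __init__(self, domain_sid: str, low: int, high: int, base_rid: int = 0):
        self.domain_sid, self.low, self.high, self.base_rid = domain_sid, low, high, base_rid

    def sid_to_id(self, sid: str) -> Optional[int]:
        domain, rid = split_sid(sid)
        if domain != self.domain_sid:
            return None  # foreign domain: not covered by this range
        uid = rid - self.base_rid + self.low
        if not self.low <= uid <= self.high:
            return None  # outside the configured range: left unmapped
        return uid

    def id_to_sid(self, uid: int) -> Optional[str]:
        if not self.low <= uid <= self.high:
            return None
        return "%s-%d" % (self.domain_sid, uid - self.low + self.base_rid)


class AllocatingIdmap:
    """Simplified model of an allocating backend such as idmap_tdb: the next
    free id in the range is assigned the first time a SID is seen, and the
    table lives only on the server that built it."""

    def __init__(self, low: int, high: int):
        self.low, self.high = low, high
        self.next_id = low
        self.table: Dict[str, int] = {}

    def sid_to_id(self, sid: str) -> Optional[int]:
        if sid not in self.table:
            if self.next_id > self.high:
                return None  # range exhausted
            self.table[sid] = self.next_id
            self.next_id += 1
        return self.table[sid]


def map_on_server(factory: Callable, order: Sequence[str]) -> Dict[str, Optional[int]]:
    """Build a fresh backend for one server and map users in login order."""
    backend = factory()
    return {user: backend.sid_to_id(SAMPLE_USERS[user]) for user in order}


def consistent_across_servers(factory: Callable, login_orders=LOGIN_ORDERS) -> bool:
    """True if every user gets the same uid on every server, whatever the
    order in which users first appeared there."""
    tables = [map_on_server(factory, order) for order in login_orders]
    return all(t[u] == tables[0][u] for t in tables for u in SAMPLE_USERS)


if __name__ == "__main__":
    backends = {
        "rid": lambda: RidIdmap(DOMAIN_SID, 1000000, 1999999, base_rid=0),
        "tdb": lambda: AllocatingIdmap(10000, 20000),
    }
    for name, factory in backends.items():
        for order in LOGIN_ORDERS:
            print(name, order, map_on_server(factory, order))
        print(name, "consistent across servers:", consistent_across_servers(factory))
```

With the quoted range, the sample user with RID 1105 becomes uid 1001105 on every server, and a RID that would land outside the range is simply not mapped; the allocating model hands the same user 10000 on one server and 10002 on the other, which is exactly the NFS problem from the first message.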
