[Samba] Winbind & user ID's on multiple servers
Michael_Auleta at condenast.com
Thu Mar 10 12:17:39 MST 2011
This addressed exactly what I was trying to accomplish. Rid mapping is
your friend for this.
From: Andrew Masterson [mailto:Andrew.Masterson at nuvistaenergy.com]
Sent: Thursday, March 10, 2011 1:54 PM
To: Javier Conti
Cc: samba at lists.samba.org; Auleta, Michael
Subject: RE: [Samba] Winbind & user ID's on multiple servers
> -----Original Message-----
> From: samba-bounces at lists.samba.org
[mailto:samba-bounces at lists.samba.org]
> On Behalf Of Javier Conti
> Sent: Wednesday, March 09, 2011 4:28 PM
> To: TAKAHASHI Motonobu
> Cc: samba at lists.samba.org; Mike Auleta
> Subject: Re: [Samba] Winbind & user ID's on multiple servers
> On Mar 10, 2011 12:16 AM, "TAKAHASHI Motonobu" <monyo at monyo.com>
> > 2011/3/10 Javier Conti <javier.conti at gmail.com>:
> > > On 9 March 2011 20:13, Mike Auleta <michael_auleta at condenast.com>
> > >> We're looking at setting up Linux Authentication to our AD
> > >> winbind and need to know if there is a way to keep all the user
> > >> sync across the Linux servers. The way I see it now, the user ID
> > >> assigned numerically depending on the order users log in to a
> > >> Could make for issues if NFS mounted directories are involved.
> > >
> > > Hi, I'm using AD 2008 R2 as PDC, and have been successful using
> > > following configuration in /etc/samba/smb.conf on the client:
> > >
> > > [global]
> > (snip)
> > > idmap backend = ad
> > > idmap config MYDOMAIN : backend = ad
> > > idmap config MYDOMAIN : range = 10000 - 20000
> > > idmap config MYDOMAIN : schema_mode = rfc2307
> > > winbind nss info = rfc2307
> > >
> > > Since this configuration uses the Posix attributes found in the
> > > rfc2307 schema, I have the uidNumber attribute of users and the
> > > gidNumber attribute of groups populated with the IDs used in Unix
> > > in the range between 10000 and 20000).
> > "idmap backend" should be a "writeable" backend such as tdb or ldap.
> If someone manages user and groups on the AD, thus assigning
> gidNumbers on it, is it still necessary (or a real advantage) for the
> backend to be writeable?
> Just wondering... Javier
> > Anyway, to synclonize UID, you can also use "rid" or "ldap" instead
> > If you simply want to sync UIDs, "rid" is a better choice, I think.
> > For example:
> > idmap config DOMAIN:range = 1000000 - 1999999
> > idmap config DOMAIN:base_rid = 0
> > idmap config DOMAIN:backend = rid
> > Please refer to manpages in the detail.
This is why, if you have a single domain and no weird setup, RID mapping
is best. You get consistent mapping across all domain member servers
and it's easy to port stuff around. I messed around with the other
stuff and SFU, but RID is the easiest by far.
This e-mail, including attachments, is intended for the person(s)
or company named and may contain confidential and/or legally
privileged information. Unauthorized disclosure, copying or use of
this information may be unlawful and is prohibited. If you are not
the intended recipient, please delete this message and notify the
More information about the samba