[Samba] Winbind & user ID's on multiple servers

Auleta, Michael Michael_Auleta at condenast.com
Thu Mar 10 12:17:39 MST 2011


This addressed exactly what I was trying to accomplish.  Rid mapping is
your friend for this.

-----Original Message-----
From: Andrew Masterson [mailto:Andrew.Masterson at nuvistaenergy.com] 
Sent: Thursday, March 10, 2011 1:54 PM
To: Javier Conti
Cc: samba at lists.samba.org; Auleta, Michael
Subject: RE: [Samba] Winbind & user ID's on multiple servers

> -----Original Message-----
> From: samba-bounces at lists.samba.org [mailto:samba-bounces at lists.samba.org]
> On Behalf Of Javier Conti
> Sent: Wednesday, March 09, 2011 4:28 PM
> To: TAKAHASHI Motonobu
> Cc: samba at lists.samba.org; Mike Auleta
> Subject: Re: [Samba] Winbind & user ID's on multiple servers
> 
> On Mar 10, 2011 12:16 AM, "TAKAHASHI Motonobu" <monyo at monyo.com> wrote:
> >
> > 2011/3/10 Javier Conti <javier.conti at gmail.com>:
> > > On 9 March 2011 20:13, Mike Auleta <michael_auleta at condenast.com> wrote:
> > >> We're looking at setting up Linux Authentication to our AD servers using
> > >> winbind and need to know if there is a way to keep all the user IDs in
> > >> sync across the Linux servers.  The way I see it now, the user ID is
> > >> assigned numerically depending on the order users log in to a server.
> > >> Could make for issues if NFS mounted directories are involved.
> > >
> > > Hi, I'm using AD 2008 R2 as PDC, and have been successful using the
> > > following configuration in /etc/samba/smb.conf on the client:
> > >
> > > [global]
> > (snip)
> > >        idmap backend = ad
> > >        idmap config MYDOMAIN : backend = ad
> > >        idmap config MYDOMAIN : range = 10000 - 20000
> > >        idmap config MYDOMAIN : schema_mode = rfc2307
> > >        winbind nss info = rfc2307
> > >
> > > Since this configuration uses the Posix attributes found in the
> > > rfc2307 schema, I have the uidNumber attribute of users and the
> > > gidNumber attribute of groups populated with the IDs used in Unix (and
> > > in the range between 10000 and 20000).
> >
> > "idmap backend" should be a "writeable" backend such as tdb or ldap.
> 
> If someone manages users and groups on the AD, thus assigning uidNumbers and
> gidNumbers on it, is it still necessary (or a real advantage) for the idmap
> backend to be writeable?
> 
> Just wondering... Javier
> 
> >
> > Anyway, to synchronize UIDs, you can also use "rid" or "ldap" instead of
> > "ad".
> > If you simply want to sync UIDs, "rid" is a better choice, I think.
> > For example:
> >
> > idmap config DOMAIN:range = 1000000 - 1999999
> > idmap config DOMAIN:base_rid = 0
> > idmap config DOMAIN:backend = rid
> >
> > Please refer to the manpages for the details.
> >


This is why, if you have a single domain and no weird setup, RID mapping
is best.  You get consistent mapping across all domain member servers
and it's easy to port stuff around.  I messed around with the other
stuff and SFU, but RID is the easiest by far.

-=Andrew
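To show why the rid backend gives every domain member the same IDs without any shared allocation state, here is an added example (not code from this thread or from Samba) that parses the `idmap config DOMAIN:...` lines quoted above and applies the arithmetic documented in the idmap_rid manual page, ID = RID - BASE_RID + LOW_RANGE_ID. The SIDs are constructed sample values, and `parse_idmap_config`, `rid_to_id` and `sid_to_id` are hypothetical helper names.

```python
"""Deterministic SID -> Unix ID mapping, as the Samba idmap_rid backend computes it.

Formula from idmap_rid(8): ID = RID - BASE_RID + LOW_RANGE_ID.
Any two servers with the same idmap config therefore produce the same IDs,
which is the property the thread wants for NFS-shared home directories.
"""
import re

# Matches 'idmap config DOMAIN:key = value' and 'idmap config DOMAIN : key = value'.
_CONFIG_RE = re.compile(r"^\s*idmap config\s+(\S+?)\s*:\s*(\w+)\s*=\s*(.+?)\s*$")
# Domain account SID: S-1-5-21-<3 sub-authorities>-<RID>.
_SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+-(\d+)$")


def parse_idmap_config(lines):
    """Parse smb.conf idmap lines into {'domain', 'range', 'base_rid', 'backend'}."""
    cfg = {"base_rid": 0}  # idmap_rid defaults base_rid to 0
    for line in lines:
        m = _CONFIG_RE.match(line)
        if not m:
            continue  # not an 'idmap config' line (e.g. 'idmap backend = ad')
        domain, key, value = m.groups()
        cfg["domain"] = domain
        if key == "range":
            low, high = (int(x) for x in value.split("-"))
            cfg["range"] = (low, high)
        elif key == "base_rid":
            cfg["base_rid"] = int(value)
        else:
            cfg[key] = value
    return cfg


def rid_to_id(rid, cfg):
    """Map a RID to a uid/gid; IDs outside the configured range are rejected."""
    low, high = cfg["range"]
    unix_id = rid - cfg["base_rid"] + low
    if not low <= unix_id <= high:
        raise ValueError(f"RID {rid} maps to {unix_id}, outside range {low}-{high}")
    return unix_id


def sid_to_id(sid, cfg):
    """Extract the RID from a domain SID and map it with rid_to_id."""
    m = _SID_RE.match(sid)
    if not m:
        raise ValueError(f"{sid!r} is not a domain account SID")
    return rid_to_id(int(m.group(1)), cfg)
```

The range check matters in practice: a RID above the range width (here 1,000,000) cannot be mapped at all, so size the range for the domain's RID pool, not just its current user count.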

