[Samba] ADS Domain Member smb.conf using idmap_ad
TAKAHASHI Motonobu
monyo at monyo.com
Wed Nov 23 06:44:41 MST 2011
Firstly, I recommend that you configure both Active Directory and
Samba to configure Winbind in your lab.
From: Freeman <flo at email.unc.edu>
Date: Wed, 23 Nov 2011 08:17:55 -0500
> > Have you already set values into "UNIX attributes" for every user you
> > want to "activate" under Winbind.
> I believed on the windows side, the windows admin had already mapped the
> unix user uid/gid to the windows domain via some windows/unix converter
> tool.
You need to confirm what was done, I think.
> idmap config AD : default = yes
> idmap config AD : cache time = 180
> idmap config AD : backend = ad
> # idmap config AD : range = 100001-200000
> idmap config AD : schema_mode = rfc2307
Of course, uid/gids are set between 100001-200000 on Active Directory?
If you set "idmap config AD : range = 100001-200000", all uid/gids
except 100001-200000 cannot be mapped. Also remember a user whose
primary group cannot be mapped fails to map.
> idmap config AD : schema_mode = rfc2307
> I am running samba version: Version 3.5.11-79. fc14. Trying to join
> linux servers to the windows 2003 domain by running winbind and smb. I
Your AD's DCs are Windows Server 2003 or Windows Server 2003 R2?
If Windows Server 2003, you use sfu instead of rfc2307. See
http://support.microsoft.com/kb/921599/en-us
> I thought the uid/gid mapping to the sid is all done by either
> winbind or samba, if smb.conf is configured properly.
Again I have to say that uid/gid has nothing to do with
SID/RID.
Setting "idmap backend = ad" only enables that uid/gid/shell and
homedir values are retrieved from those set in "UNIX attributes",
which does not mean to map to SID.
> The goal is pretty simple, we would like to have all of the linux
> machines joining the campus windows AD domain as a member. Instead of
> using the NIS account with all of the linux machine, we would like to
> log onto the linux servers with the domain account from the window side
> and to mount a windows share upon a user log in.
If you keep current uid/gids maintained by NIS, you should use
idmap_ad(8). If not, idmap_rid(8) is easy to configure.
---
TAKAHASHI Motonobu <monyo at samba.gr.jp>
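Added example, not part of the thread above: a small model of how the two backends discussed (idmap_ad reading "UNIX attributes" within the configured range, with the primary-group rule; idmap_rid computing IDs from the RID) resolve users. The directory entries, RIDs and the base_rid/group_rid values are constructed for illustration.

```python
# Added example (not from the original thread): models idmap_ad and idmap_rid
# against constructed AD data. Assumptions: idmap_ad needs uidNumber/gidNumber
# inside the configured range plus a mappable primary group; idmap_rid uses
# ID = RID - base_rid + range_low and ignores per-user UNIX attributes.

RANGE_LOW, RANGE_HIGH = 100001, 200000  # "idmap config AD : range = 100001-200000"

# Constructed "UNIX attributes" as a directory entry would carry them
# (None models an attribute never populated on the Windows side).
AD_USERS = {
    "alice": {"uidNumber": 100005, "gidNumber": 100500, "sid_rid": 1104},
    "bob":   {"uidNumber": 250000, "gidNumber": 100500, "sid_rid": 1105},  # uid outside range
    "carol": {"uidNumber": 100007, "gidNumber": 50,     "sid_rid": 1106},  # primary group outside range
    "dave":  {"uidNumber": None,   "gidNumber": None,   "sid_rid": 1107},  # attributes never set
}


def in_range(value):
    return value is not None and RANGE_LOW <= value <= RANGE_HIGH


def idmap_ad(user):
    """Model of idmap_ad: (uid, gid) from the UNIX attributes, or None when
    the user's own uid or the primary group's gid cannot be mapped."""
    entry = AD_USERS.get(user)
    if entry is None:
        return None
    uid, gid = entry["uidNumber"], entry["gidNumber"]
    if not in_range(uid) or not in_range(gid):
        return None  # unmapped: outside the range, or attribute missing
    return uid, gid


def idmap_rid(user, base_rid=0, group_rid=513):
    """Model of idmap_rid: IDs derived from the RID, so no UNIX attributes are
    needed; fails only when the computed ID leaves the range."""
    entry = AD_USERS.get(user)
    if entry is None:
        return None
    uid = entry["sid_rid"] - base_rid + RANGE_LOW
    gid = group_rid - base_rid + RANGE_LOW  # Domain Users (RID 513) as primary group
    if not (in_range(uid) and in_range(gid)):
        return None
    return uid, gid


if __name__ == "__main__":
    for name in AD_USERS:
        print(f"{name:6} idmap_ad={idmap_ad(name)} idmap_rid={idmap_rid(name)}")
```

Note that bob, carol and dave all resolve under idmap_rid but not under idmap_ad, which is the trade-off the reply describes: keep NIS-maintained IDs with idmap_ad, or take computed IDs with idmap_rid.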