[Samba] Samba as member of multi domain AD (nss/pam)

NdK ndk.clanbo at gmail.com
Fri May 25 06:34:57 MDT 2012


On 25/05/2012 09:57, Marcel Ritter wrote:

> our setup looks much like yours:
>    One domain "FAUAD" containing all our users, and several
>    domains containing computer objects (and maybe "local" users).
> 
> To prevent inconsistencies in user/group membership, we'd like
> to use nss/pam winbind on the unix side to get users/groups out
> of our AD.
Add winbind to /etc/nss.conf (passwd and group lines). Then use idmap
rid for the domains you're interested in (and tdb for eventual others):
        idmap backend = tdb
        idmap uid = 10000-99999
        idmap gid = 10000-99999
        idmap config PERSONALE:backend = rid
        idmap config PERSONALE:base_rid  = 500
        idmap config PERSONALE:range = 100000 - 49999999
        idmap config STUDENTI:backend = rid
        idmap config STUDENTI:base_rid  = 500
        idmap config STUDENTI:range = 50000000 - 99999999
Users and groups in PERSONALE and STUDENTI are consistent across all
servers, while other domains receive "first come first served" ids.

> However for most purposes it'd be nice to only get the short user
> names ("user" instead of "FAUAD+user") for all domains (or at
> least for a selectable domain). AFAIK the "default domain" is the
> one the computer object is created in (in our case this is *not* the
> one containing the user objects).
> 
> I haven't found an option to specify this "default domain" without
> changing the domain location of the computer object.
Neither did I.
I tried really hard with:
        idmap domains = PERSONALE STUDENTI
        idmap config PERSONALE:default = no
        idmap config STUDENTI:default = yes
To make 'STUDENTI' the default domain while the server is joined to
'PERSONALE', but it didn't work. Maybe someone has a clue.

> Any idea about how to solve this is welcome :-)
I'm in the dark like you :(

BYtE,
 Diego.
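A small checker for the idmap block quoted above, added here as an example and not part of the original thread. It parses the 'idmap config DOMAIN:key = value' lines (plus the legacy 'idmap uid'/'idmap gid' default range, stored under '*'), reports any overlapping id ranges (a classic cause of winbind handing out colliding uids), and applies the rid backend's documented mapping id = low_range + rid - base_rid. The sample smb.conf fragment is constructed from the mail; the assumed default base_rid of 0 is an assumption, and the 'ALTRO' domain used to show a clash is invented for the demonstration.

```python
"""Sanity-check winbind idmap ranges from an smb.conf fragment (added example)."""
import re

# Constructed sample: the idmap lines posted in the mail above.
SMB_CONF = """
        idmap backend = tdb
        idmap uid = 10000-99999
        idmap gid = 10000-99999
        idmap config PERSONALE:backend = rid
        idmap config PERSONALE:base_rid  = 500
        idmap config PERSONALE:range = 100000 - 49999999
        idmap config STUDENTI:backend = rid
        idmap config STUDENTI:base_rid  = 500
        idmap config STUDENTI:range = 50000000 - 99999999
"""

RANGE_RE = re.compile(r"^\s*(\d+)\s*-\s*(\d+)\s*$")
CFG_RE = re.compile(r"^idmap config\s+(\S+?)\s*:\s*(\w+)$", re.IGNORECASE)


def parse_range(text):
    """'low - high' (spaces optional) -> (low, high); rejects inverted ranges."""
    m = RANGE_RE.match(text)
    if not m:
        raise ValueError("bad range: %r" % text)
    lo, hi = int(m.group(1)), int(m.group(2))
    if lo > hi:
        raise ValueError("range low > high: %r" % text)
    return lo, hi


def parse_idmap(conf):
    """Return {domain: {'backend': str, 'range': (lo, hi), 'base_rid': int}}.
    Legacy 'idmap backend' / 'idmap uid' / 'idmap gid' lines are stored under
    the '*' domain (if uid and gid ranges differ, the later line wins)."""
    domains = {}
    for raw in conf.splitlines():
        line = raw.strip()
        if "=" not in line or not line.lower().startswith("idmap"):
            continue
        key, value = (s.strip() for s in line.split("=", 1))
        m = CFG_RE.match(key)
        if m:
            dom, opt = m.group(1).upper(), m.group(2).lower()
        elif key.lower() in ("idmap uid", "idmap gid"):
            dom, opt = "*", "range"
        elif key.lower() == "idmap backend":
            dom, opt = "*", "backend"
        else:
            continue  # e.g. 'idmap domains = ...' is not handled here
        entry = domains.setdefault(dom, {})
        if opt == "range":
            entry["range"] = parse_range(value)
        elif opt == "base_rid":
            entry["base_rid"] = int(value)
        else:
            entry[opt] = value
    return domains


def overlapping_ranges(domains):
    """List of (domA, domB) pairs whose id ranges intersect (sorted by name)."""
    items = sorted((d, e["range"]) for d, e in domains.items() if "range" in e)
    clashes = []
    for i, (da, (alo, ahi)) in enumerate(items):
        for db, (blo, bhi) in items[i + 1:]:
            if alo <= bhi and blo <= ahi:
                clashes.append((da, db))
    return clashes


def rid_to_id(domains, domain, rid):
    """Unix id the rid backend assigns to RID 'rid' in 'domain', or None when
    the result falls outside the configured range. base_rid defaults to 0
    (assumption matching the idmap_rid documentation)."""
    e = domains[domain.upper()]
    if e.get("backend") != "rid":
        raise ValueError("%s does not use the rid backend" % domain)
    lo, hi = e["range"]
    unix_id = lo + rid - e.get("base_rid", 0)
    return unix_id if lo <= unix_id <= hi else None


if __name__ == "__main__":
    cfg = parse_idmap(SMB_CONF)
    print("overlaps:", overlapping_ranges(cfg))
    print("PERSONALE RID 1105 ->", rid_to_id(cfg, "PERSONALE", 1105))
```

Because the rid backend is a pure arithmetic mapping, the same RID yields the same uid on every member server that shares this block, which is what makes the PERSONALE and STUDENTI ids consistent; the tdb default range only needs to stay clear of the rid ranges, which the overlap check verifies.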