[Samba] Some Clarification?

Andrew Bartlett abartlet at samba.org
Sat Apr 13 00:57:32 MDT 2013

On Fri, 2013-04-12 at 08:40 -0700, Stuart Sheldon wrote:
> Hi All,
> I've been playing with Samba 4.0.x in the lab for about a week or so,
> and have figured out a reasonable portion of the required settings to
> also use the AD server as a Unix server. I do have some additional
> questions regarding scaling that I have not found the answers to. I'm
> hoping you good folks can steer me in the right direction, or confirm my
> ideas of how this whole AD Controller thing works...
> I'm using winbind for Unix authentication via PAM, and have configured
> NSS to use winbind for passwd and group enumeration. Took me quite a
> while to figure out that users would need to auth into kerberos before
> winbind would return info to NSS. Someone might want to update the wiki
> on that... 

That doesn't sound right.  The user information can be obtained, but it
certainly is faster and more effective when we have the PAC cached. 

> I do have some questions though regarding winbind and idmaps
> in 4.0.5:
> We currently deploy OpenLDAP as our core user management platform. This
> has allowed us to avoid the need for winbind and the whole 3.x issue of
> idmaps varying between our Linux systems. I've been trying to figure out
> if the whole idmap sync issue is solved in 4.0.x? Can I just use the
> default smb.conf generated settings for winbind and idmap and still have
> consistent mappings between different hosts? If not, how can I
> accomplish this in 4.0.x?

If you have an existing OpenLDAP system, and are using Samba 3.x, do you
have an existing Samba 3.x 'classic' domain?

If so, then the samba-tool domain classicupgrade command will import
those existing id mappings into our AD database, and set the smb.conf
option to use it. 

You can then configure Samba winbind clients to also use that rfc2307
configuration, using idmap_ad.  

You will need to set any uid/gid values you wish to be consistent across
your domain manually, as we do not have a distributed allocator for
those.  Any values not set in the directory will be set in idmap.ldb on
each DC, and may differ between DCs (and potentially clients). 

I hope this clarifies things for you, or gives you somewhere to start
your research. 

Andrew Bartlett
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
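The point above that uid/gid values not stored in the directory are allocated per DC (and per client) from idmap.ldb is easy to verify in practice. The script below is an added example, not code from this thread or from the Samba project: it takes `getent passwd` output collected from several hosts and reports accounts whose uid or gid differs between them, and it scans an LDIF export of user objects for entries with no rfc2307 uidNumber/gidNumber, which are exactly the accounts that will get host-local allocations. The host names, domain, account names, numeric ids and LDIF entries are all constructed sample data, and the LDIF parser is deliberately minimal (plain `attr: value` lines, continuation lines and comments, no base64 values).

```python
"""Spot uid/gid mappings that differ between Samba hosts.

Added example, not from the Samba project or the mailing-list thread.
All sample data below is constructed.
"""
from collections import defaultdict

# Constructed `getent passwd` output from three hosts.  "alice" has
# uidNumber/gidNumber stored in AD, so every host agrees on her ids;
# "bob" has none, so each host's idmap.ldb (DCs) or idmap backend
# (member) allocated its own value.
GETENT_BY_HOST = {
    "dc1": (
        "EXAMPLE\\alice:*:10001:10000:Alice:/home/EXAMPLE/alice:/bin/bash\n"
        "EXAMPLE\\bob:*:3000021:3000020:Bob:/home/EXAMPLE/bob:/bin/bash\n"
    ),
    "dc2": (
        "EXAMPLE\\alice:*:10001:10000:Alice:/home/EXAMPLE/alice:/bin/bash\n"
        "EXAMPLE\\bob:*:3000035:3000020:Bob:/home/EXAMPLE/bob:/bin/bash\n"
    ),
    "member1": (
        "EXAMPLE\\alice:*:10001:10000:Alice:/home/EXAMPLE/alice:/bin/bash\n"
        "EXAMPLE\\bob:*:2000512:2000513:Bob:/home/EXAMPLE/bob:/bin/bash\n"
    ),
}

# Constructed LDIF export of two user objects; only alice carries the
# rfc2307 attributes that idmap_ad would use.
LDIF = """\
# constructed sample export
dn: CN=alice,CN=Users,DC=example,DC=com
objectClass: top
objectClass: user
sAMAccountName: alice
uidNumber: 10001
gidNumber: 10000

dn: CN=bob,CN=Users,DC=example,DC=com
objectClass: top
objectClass: user
sAMAccountName: bob
"""


def parse_getent(text):
    """Return {name: (uid, gid)} from passwd-format lines."""
    out = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) < 4:
            raise ValueError("malformed passwd line: %r" % line)
        out[fields[0]] = (int(fields[2]), int(fields[3]))
    return out


def find_inconsistent(getent_by_host):
    """Return {name: {host: (uid, gid)}} for names mapped differently somewhere."""
    seen = defaultdict(dict)
    for host, text in getent_by_host.items():
        for name, ids in parse_getent(text).items():
            seen[name][host] = ids
    return {name: hosts for name, hosts in seen.items()
            if len(set(hosts.values())) > 1}


def parse_ldif(text):
    """Minimal LDIF parser: list of {lowercased attr: [values]} per entry."""
    entries, cur, last_attr = [], {}, None
    for line in text.splitlines():
        if not line.strip():
            if cur:
                entries.append(cur)
            cur, last_attr = {}, None
        elif line.startswith("#"):
            continue
        elif line.startswith(" ") and last_attr:
            cur[last_attr][-1] += line[1:]          # folded continuation line
        else:
            attr, _, value = line.partition(":")
            last_attr = attr.strip().lower()
            cur.setdefault(last_attr, []).append(value.strip())
    if cur:
        entries.append(cur)
    return entries


def missing_rfc2307(entries):
    """sAMAccountNames of user objects with no uidNumber or gidNumber set."""
    return sorted(e.get("samaccountname", [""])[0] for e in entries
                  if "user" in e.get("objectclass", [])
                  and not ("uidnumber" in e and "gidnumber" in e))


if __name__ == "__main__":
    for name, hosts in find_inconsistent(GETENT_BY_HOST).items():
        print("inconsistent:", name, hosts)
    print("no rfc2307 ids:", missing_rfc2307(parse_ldif(LDIF)))
```

Run against real data by feeding each host's `getent passwd` output into `GETENT_BY_HOST` and an `ldbsearch`/`ldapsearch` export into `LDIF`; any account the second check lists is one whose ids you would need to set by hand in the directory before the first check can come out clean.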
