[Samba] Some Clarification?

Stuart Sheldon stu at actusa.net
Sat Apr 13 10:06:09 MDT 2013


Thanks for the response Andrew,

Using ad for my idmap sounds like what I'm looking for. I'm having
problems finding how I add the map ids to the AD manually for new users.
Could you direct me to some information regarding cli tools to do that?

Thanks Again,

Stu


On 04/12/2013 11:57 PM, Andrew Bartlett wrote:
> On Fri, 2013-04-12 at 08:40 -0700, Stuart Sheldon wrote:
>> Hi All,
>>
>> I've been playing with Samba 4.0.x in the lab for about a week or so,
>> and have figured out a reasonable portion of the required settings to
>> also use the AD server as a Unix server. I do have some additional
>> questions regarding scaling that I have not found the answers to. I'm
>> hoping you good folks can steer me in the right direction, or confirm my
>> ideas of how this whole AD Controller thing works...
>>
>> I'm using winbind for Unix authentication via PAM, and have configured
>> NSS to use winbind for passwd and group enumeration. Took me quite a
>> while to figure out that users would need to auth into kerberos before
>> winbind would return info to NSS. Someone might want to update the wiki
>> on that... 
> 
> That doesn't sound right.  The user information can be obtained, but it
> certainly is faster and more effective when we have the PAC cached. 
> 
>> I do have some questions though regarding winbind and idmaps
>> in 4.0.5:
>>
>> We currently deploy OpenLDAP as our core user management platform. This
>> has allowed us to avoid the need for winbind and the whole 3.x issue of
>> idmaps varying between our Linux systems. I've been trying to figure out
>> if the whole idmap sync issue is solved in 4.0.x? Can I just use the
>> default smb.conf generated settings for winbind and idmap and still have
>> consistent mappings between different hosts? If not, how can I
>> accomplish this in 4.0.x?
> 
> If you have an existing OpenLDAP system, and are using Samba 3.x, do you
> have an existing Samba 3.x 'classic' domain?
> 
> If so, then the samba-tool domain classicupgrade command will import
> those existing id mappings into our AD database, and set the smb.conf
> option to use it. 
> 
> You can then configure Samba winbind clients to also use that rfc2307
> configuration, using idmap_ad.  
> 
> You will need to set any uid/gid values you wish to be consistent across
> your domain manually, as we do not have a distributed allocator for
> those.  Any values not set in the directory will be set in idmap.ldb on
> each DC, and may differ between DCs (and potentially clients). 
> 
> I hope this clarifies things for you, or gives you somewhere to start
> your research. 
> 
> Andrew Bartlett
> 
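The point Andrew makes above is that any account without rfc2307 uidNumber/gidNumber in the directory falls back to per-DC allocation in idmap.ldb, so its ids can silently differ between DCs and clients. The script below is an added example written for this thread, not code from Samba or from either poster: it parses LDIF as produced by `ldbsearch` against sam.ldb (a constructed sample is embedded, so it runs offline), lists the accounts that still lack a mapping, and emits an LDIF change record that can be fed to `ldbmodify` to set the attributes by hand. The sam.ldb path, the attribute names used by idmap_ad, and the smb.conf parameters shown in the comments are assumptions that should be checked against the 4.0.x documentation for your install.

```shell
#!/bin/sh
# Added example (not from the thread). Assumed client-side smb.conf for a
# domain whose ids live in the directory (idmap_ad, rfc2307 schema):
#
#   idmap config EXAMPLE : backend = ad
#   idmap config EXAMPLE : schema_mode = rfc2307
#   idmap config EXAMPLE : range = 10000-999999
#   winbind nss info = rfc2307
#
# Accounts outside the directory mapping are what this script hunts for.

# Constructed sample, NOT captured from a real domain. Shape assumed to match:
#   ldbsearch -H /usr/local/samba/private/sam.ldb '(objectClass=user)' \
#       sAMAccountName uidNumber gidNumber
SAMPLE_LDIF='dn: CN=alice,CN=Users,DC=example,DC=lab
sAMAccountName: alice
uidNumber: 10001
gidNumber: 10000

dn: CN=bob,CN=Users,DC=example,DC=lab
sAMAccountName: bob
gidNumber: 10000

dn: CN=carol,CN=Users,DC=example,DC=lab
sAMAccountName: carol

# returned 3 records
'

# find_unmapped LDIF_TEXT
# Prints "<sAMAccountName> missing=<attr>[,<attr>]" for every record that
# lacks uidNumber or gidNumber; those are the accounts that will be
# allocated per DC in idmap.ldb instead of getting a domain-wide id.
find_unmapped() {
    printf '%s\n' "$1" | awk '
        function flush(   k, missing) {
            if (name != "") {
                missing = ""
                if (!("uidNumber" in seen)) missing = missing "uidNumber,"
                if (!("gidNumber" in seen)) missing = missing "gidNumber,"
                if (missing != "") {
                    sub(/,$/, "", missing)
                    print name " missing=" missing
                }
            }
            name = ""
            for (k in seen) delete seen[k]
        }
        /^dn: /                    { flush(); next }
        /^sAMAccountName: /        { name = $2; next }
        /^(uidNumber|gidNumber): / { split($1, a, ":"); seen[a[1]] = $2; next }
        /^$/                       { flush() }
        END                        { flush() }
    '
}

# rfc2307_ldif DN UID GID
# Emits an LDIF modify record setting uidNumber/gidNumber on one account.
# Assumed usage (path depends on your install):
#   rfc2307_ldif 'CN=bob,CN=Users,DC=example,DC=lab' 10002 10000 \
#       | ldbmodify -H /usr/local/samba/private/sam.ldb
# "replace" is used so the record works whether or not the attribute exists.
rfc2307_ldif() {
    printf 'dn: %s\nchangetype: modify\nreplace: uidNumber\nuidNumber: %s\n-\nreplace: gidNumber\ngidNumber: %s\n-\n' \
        "$1" "$2" "$3"
}

# Stand-alone run: report the unmapped accounts in the constructed sample.
find_unmapped "$SAMPLE_LDIF"
```

Run the check against every DC and diff the outputs: an account that appears in the list on any DC is one whose uid/gid is coming from that DC's local idmap.ldb rather than from the directory, which is exactly the inconsistency the original question is about. Pick ids inside the idmap range you configured on the clients, since idmap_ad ignores values outside it.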