[Samba] Using samba4 with AD and rfc2307 - what are the *current* practices?

steve steve at steve-ss.com
Thu Dec 12 11:42:18 MST 2013

On Thu, 2013-12-12 at 10:29 -0500, Michael Brown wrote:
> On 13-12-12 03:15 AM, L.P.H. van Belle wrote:
> > and remember sssd is NOT compatibele with sernet samba.
> >
> > Just a reminder..
> >
> Can someone suggest a better place then to get up-to-date packages for 
> various distros?

I've never really understood what sernet does. It seems to add
complexity over and above what really is a very simple installation from
source. So, to answer your question, the best place and way to install
samba4 is from source. That way you get just Samba4 and it just works. No
one has pissed around with it to try and make it distro compatible. It's
too new and under too rapid development to get stable enough for the
distros in my opinion. There is a model of an installation howto at

> On 13-12-12 03:12 AM, steve wrote:
> >
> > winbind doesn't work on the DC. To do what you wish to do, add:
> > uidNumber: 1234567
> > to the DN of Administrator and use sssd or nslcd to extract the
> > information _directly_ from AD. Same on your remote client.
> >
> > There are Samba4 howtos for sssd and nslcd.
> After thinking about it, it doesn't seem that going via sssd will solve 
> any of the problems I've listed.
> I'll still need to setup id mapping so that incoming connections (SMB, 
> etc) get mapped to the correct user. So I'll still need all the id 
> mapping stuff.

That is what sssd is best at. Store your uid and gid attributes in AD
and it then HAS to be the correct id mapping as it's the ONLY source of
uid and gid information. Separate the id mapping in a winbind cache or a
separate rid database and you are asking for trouble.

> Or is Samba smart enough to recognize that 'michael' or 'MAIN+michael' 
> is the same as the system user 'michael' and just use the system user's 
> uid/gid/etc?

With sssd running the show then michael is always the same domain user.
He is the same person on a Linux client and on a windows client. He has
the same username for both systems. There's none of the MAIN+ or MAIN\
nonsense, unless he's also a local user on a windows box.

> What about the case where I don't have 'use default domain' turned on 
> and have multiple domains?

Get it working on one domain. Worry about that later.

> M.
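The setup steve describes (uidNumber/gidNumber stored in AD, sssd reading them directly instead of generating ids) corresponds to an sssd domain section like the following. This is an added illustration, not configuration from the thread or from the Samba project; the domain name example.com and the home/shell fallbacks are assumed placeholders.

```ini
[sssd]
config_file_version = 2
services = nss, pam
domains = example.com

[domain/example.com]
id_provider = ad
access_provider = ad
# Take uid/gid from the uidNumber/gidNumber attributes in AD (the ones
# steve suggests adding to each user, e.g. uidNumber: 1234567) instead of
# deriving them from SIDs. This makes AD the only source of id mapping,
# so Linux and Windows clients see the same numeric ids for 'michael'.
ldap_id_mapping = False
# Present the plain username, so 'michael' is the same account everywhere
# with no MAIN+ or MAIN\ prefix.
use_fully_qualified_names = False
# Assumed fallbacks for accounts whose AD entry has no home/shell set.
fallback_homedir = /home/%u
default_shell = /bin/bash
```

With ldap_id_mapping = False, a user whose AD entry lacks uidNumber/gidNumber will not resolve at all, so populate those attributes before switching clients over.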
