[Samba] Making Linux and domain users the same

Phil org-samba at freed.com
Sat Mar 2 18:02:32 MST 2013

Hmm.  On second reading, I see you have me loading Identity Services for Unix on the PDCs.  Not a big deal, but the PDCs are another admin's, ummm, domain.  I don't want to touch them without checking in first.  So this will have to wait till Monday, at least.

----- Original Message -----
From: "Phil Freed" <url at freed.com>
To: "Tris Mabbs" <TM-Samba201302 at Firstgrade.Co.UK>
Sent: Saturday, March 2, 2013 7:06:29 PM GMT -05:00 US/Canada Eastern
Subject: Re: [Samba] Making Linux and domain users the same

Thanks again, Tris.

Your notes seem most thorough.  I especially like the fact that you started with a simple test so I would know when things were working; neat!  Based on this, I'm about to embark on a two-hour tour -- one hour less than the ill-fated S.S. Minnow, so maybe I'll be OK.  

As for the setfacl script:  my plan was to set it up in cron on each of the key systems.  That way if they added a user and forgot about permissions, it would automagically fix things.  I hadn't thought about the IDMAP changing, but the script can take care of that as well.

But ouch!  This is sloppy, sloppy, sloppy; a most unsatisfactory way of doing business.  If it were not for the time limitations, I would never consider it beyond a temporary band-aid.

Thanks, and wish me luck.

----- Original Message -----
From: "Tris Mabbs" <TM-Samba201302 at Firstgrade.Co.UK>
To: "Phil Freed" <url at freed.com>
Sent: Saturday, March 2, 2013 6:22:35 PM GMT -05:00 US/Canada Eastern
Subject: RE: [Samba] Making Linux and domain users the same

Hiya Phil,

Glad the message may have been of some interest or use :-)

"If you mean we need a separate LDAP server, I can set that up" - no, no need for that, your PDC will quite happily be doing that for you already and that should be sufficient.
The only issue you *might* have with using it is if you do have to disable VLVs within LDAP (and you may not - depends largely on your Linux LDAP client if I remember rightly), you may have problems if you're also running "Exchange 2010" - "Exchange" tends to require VLVs enabled for looking up address books and the like.  If you're not running "Exchange", it won't be a problem even if you do have to disable VLVs.

Best thing is follow the Linux docs to setup LDAP (if it isn't already, and from the sound of things it may be in your inherited setup!); if you hit problems, search the M$ KBs for disabling VLV (I think M$ call it "Virtual List View").  It's something like run "adsiedit.msc", expand "Configuration[DomainController]", expand "CN=Configuration,DC=DomainName", expand "CN=Services", expand "CN=Windows NT"; right-click "CN=Directory Service" and pick "Properties", in "Attributes", click "msds-Other-Settings" and pick "Edit"; scroll through the values until you find any "DisableVLVSupport=x" (where 'x'=0) and change 'x' to 1; if there is no "DisableVLVSupport=" entry, create one and set it to 1.  Or something like that; you may not even need to do it.

It's all actually somewhat less complicated than it sounds ...  If you can get the LDAP client configuration correct, and figure out what you actually need from the example I posted, it should all just snap into place and start working.
Then you'll sit back, scratch your head and think "Well, if it was that easy, why couldn't I get it working before?" :-)
Been there, done that - took me bloomin' ages to get a configuration that worked properly in our setup but now I have it all looks so simple!

"... abandon this and write a setfacl script to allow both users to access files in the home directories ..." - ah, yes - word of warning about that ...  The IDMAP mappings are (potentially) transitory, so you may find that suddenly people can't access things again ...  By then, of course, you'll have forgotten how and why you did it (if you're anything like me) and it'll be even more frustrating ...

It really does all work very well, when you have it working - until then, it's a right b!tch ...

Still, I'm sure you'll get there :-)

Good luck!
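Added example (not code posted by either Phil or Tris): the warning above about IDMAP mappings being transitory applies directly to the cron'd setfacl plan, because POSIX ACLs are stored on disk by numeric uid/gid, not by name. Once winbind hands a user a different id, `getfacl` can no longer resolve the old entry and prints it as a bare number. The script below parses `getfacl` output, flags those unresolvable entries, and emits the `setfacl` commands that would drop them and re-grant access by name (so the id is resolved at apply time). The sample `getfacl` block and the `WANTED` access list are constructed here for illustration; `audit()` is a hypothetical helper name.

```python
"""Detect ACL entries left behind by a changed idmap and propose a re-key.

Added illustration only.  Assumes `getfacl` was run without -n, so an
entry whose qualifier is purely numeric is one the system could not map
back to an account (i.e. the uid/gid no longer exists or has moved).
"""
import re
import shlex
from typing import Dict, List, Tuple

# Constructed sample: one home directory after winbind re-assigned ids.
# 'alice' still resolves; 10001 and 10513 no longer map to anything.
SAMPLE_GETFACL = """\
# file: home/alice
# owner: alice
# group: domain users
user::rwx
user:alice:rwx
user:10001:rwx
group::r-x
group:10513:r-x
mask::rwx
other::---
"""

# Constructed "who should have access" list, keyed by NAME so setfacl looks
# the id up at run time instead of this script hard-coding a number.
WANTED: Dict[Tuple[str, str], str] = {
    ("user", "alice"): "rwx",
    ("user", "DOMAIN\\phil"): "rwx",
    ("group", "domain users"): "r-x",
}

# Named user/group entries only; owner/owning-group entries have an empty
# qualifier and mask/other entries never carry a qualifier.
ACL_ENTRY = re.compile(r"^(user|group):([^:]+):([rwx-]{3})$")


def parse_getfacl(text: str) -> Tuple[str, List[Tuple[str, str, str]]]:
    """Return (path, [(kind, qualifier, perms), ...]) for one getfacl block."""
    path = ""
    entries = []
    for line in text.splitlines():
        if line.startswith("# file: "):
            path = line[len("# file: "):]
            continue
        # getfacl appends "#effective:..." when the mask narrows an entry.
        line = line.split("#", 1)[0].strip()
        m = ACL_ENTRY.match(line)
        if m:
            entries.append((m.group(1), m.group(2), m.group(3)))
    return path, entries


def stale_entries(entries: List[Tuple[str, str, str]]) -> List[Tuple[str, str, str]]:
    """Entries getfacl could only print as numbers: no current account owns that id."""
    return [e for e in entries if e[1].isdigit()]


def rekey_commands(path: str, entries: List[Tuple[str, str, str]],
                   wanted: Dict[Tuple[str, str], str]) -> List[str]:
    """setfacl commands that remove stale numeric entries and (re)grant by name.

    Note the limitation Tris points out: the new entry is still stored as a
    number on disk, so this has to be re-run after every idmap change.  The
    durable fix is a deterministic idmap backend, not a cron job.
    """
    cmds = []
    qpath = shlex.quote(path)
    for kind, qual, _ in stale_entries(entries):
        cmds.append(f"setfacl -x {kind[0]}:{qual} {qpath}")
    present = {(k, q) for k, q, _ in entries}
    for (kind, name), perms in wanted.items():
        if (kind, name) not in present:
            spec = shlex.quote(f"{kind[0]}:{name}:{perms}")
            cmds.append(f"setfacl -m {spec} {qpath}")
    return cmds


def audit(getfacl_text: str, wanted: Dict[Tuple[str, str], str]) -> List[str]:
    """Hypothetical entry point: parse one getfacl block and return the fix-up commands."""
    path, entries = parse_getfacl(getfacl_text)
    return rekey_commands(path, entries, wanted)


if __name__ == "__main__":
    # Dry run: print what would be executed rather than running it.
    for cmd in audit(SAMPLE_GETFACL, WANTED):
        print(cmd)
```

In practice you would feed it `getfacl -R /home` output split on blank lines and replace `WANTED` with a lookup against `getent passwd`/`getent group`, but the point is the check: any numeric qualifier in `getfacl` output is a sign the mapping has drifted and the ACL no longer grants what you think it does.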

