[Samba] Making Linux and domain users the same

Phil org-samba at freed.com
Wed Mar 6 02:49:36 MST 2013

Thanks once again, Tris.  As you see from the previous message, it turns out that there was a simple method to get what I needed.  But I still appreciate your help, and the time you took to describe a complex solution in careful detail.

----- Original Message -----
From: "Tris Mabbs" <TM-Samba201302 at Firstgrade.Co.UK>
To: "Phil Freed" <url at freed.com>
Sent: Saturday, March 2, 2013 6:22:35 PM GMT -05:00 US/Canada Eastern
Subject: RE: [Samba] Making Linux and domain users the same

Hiya Phil,

Glad the message may have been of some interest or use :-)

"If you mean we need a separate LDAP server, I can set that up" - no, no need for that, your PDC will quite happily be doing that for you already and that should be sufficient.
The only issue you *might* have with using it is if you do have to disable VLVs within LDAP (and you may not - depends largely on your Linux LDAP client if I remember rightly), you may have problems if you're also running "Exchange 2010" - "Exchange" tends to require VLVs enabled for looking up address books and the like.  If you're not running "Exchange", it won't be a problem even if you do have to disable VLVs.

Best thing is follow the Linux docs to setup LDAP (if it isn't already, and from the sound of things it may be in your inherited setup!); if you hit problems, search the M$ KBs for disabling VLV (I think M$ call it "Virtual List View").  It's something like run "adsiedit.msc", expand "Configuration[DomainController]", expand "CN=Configuration,DC=DomainName", expand "CN=Services", expand "CN=Windows NT"; right-click "CN=Directory Service" and pick "Properties", in "Attributes", click "msds-Other-Settings" and pick "Edit"; scroll through the values until you find any "DisableVLVSupport=x" (where 'x'=0) and change 'x' to 1; if there is no "DisableVLVSupport=" entry, create one and set it to 1.  Or something like that; you may not even need to do it.

It's all actually somewhat less complicated than it sounds ...  If you can get the LDAP client configuration correct, and figure out what you actually need from the example I posted, it should all just snap into place and start working.
Then you'll sit back, scratch your head and think "Well, if it was that easy, why couldn't I get it working before?" :-)
Been there, done that - took me bloomin' ages to get a configuration that worked properly in our setup but now I have it all looks so simple!

"... abandon this and write a setfacl script to allow both users to access files in the home directories ..." - ah, yes - word of warning about that ...  The IDMAP mappings are (potentially) transitory, so you may find that suddenly people can't access things again ...  By then, of course, you'll have forgotten how and why you did it (if you're anything like me) and it'll be even more frustrating ...

It really does all work very well, when you have it working - until then, it's a right b!tch ...

Still, I'm sure you'll get there :-)

Good luck!
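
The adsiedit procedure Tris describes above, as an added example that is not part of the thread: a PowerShell script that reads the msDS-Other-Settings attribute on the Directory Service object, reports whether a DisableVLVSupport entry is present, and only changes it when run with -Apply. It assumes the ActiveDirectory module is installed and the account has rights to read and write the configuration partition; the Exchange caveat from the message is enforced as a check rather than a comment.

```powershell
# Added example, not from the original thread.
# Inspect (and optionally set) DisableVLVSupport in msDS-Other-Settings.
# Assumes: ActiveDirectory PowerShell module, rights on the configuration NC.
param([switch]$Apply)

Import-Module ActiveDirectory

$configNC = (Get-ADRootDSE).configurationNamingContext
$dsDn = "CN=Directory Service,CN=Windows NT,CN=Services,$configNC"

# msDS-Other-Settings is multi-valued; entries look like "Name=Value".
$ds = Get-ADObject -Identity $dsDn -Properties 'msDS-Other-Settings'
$settings = @($ds.'msDS-Other-Settings')
$current = $settings | Where-Object { $_ -like 'DisableVLVSupport=*' }

if ($current) {
    Write-Host "Current entry: $current"
} else {
    Write-Host "No DisableVLVSupport entry present (VLV is enabled by default)."
}

# Caveat from the thread: Exchange needs VLV for address-book lookups.
# Look for an Exchange services container in the same configuration NC
# before disabling VLV, and refuse to proceed if one exists.
$exchangeDn = "CN=Microsoft Exchange,CN=Services,$configNC"
$hasExchange = [bool](Get-ADObject -LDAPFilter '(objectClass=*)' `
    -SearchBase $exchangeDn -SearchScope Base -ErrorAction SilentlyContinue)

if (-not $Apply) {
    Write-Host "Dry run only. Re-run with -Apply to set DisableVLVSupport=1."
    return
}
if ($hasExchange) {
    Write-Warning "Exchange is present in this forest; VLV left unchanged."
    return
}

# Replace any existing DisableVLVSupport entry, then add the disabling one.
if ($current) {
    Set-ADObject -Identity $dsDn -Remove @{ 'msDS-Other-Settings' = $current }
}
Set-ADObject -Identity $dsDn -Add @{ 'msDS-Other-Settings' = 'DisableVLVSupport=1' }
Write-Host "DisableVLVSupport=1 set on $dsDn"
```

Run it once without -Apply to see the current state; the change itself is only written when -Apply is given and no Exchange container is found.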

