[Samba] RE: How to keep idmapping, when Samba servers becomes part of a Windows AD from a larger organisation.
Hubert, Laurent
Laurent.Hubert at USherbrooke.ca
Tue Nov 26 13:49:26 MST 2013
Thanks Denis,
I have to meditate on your solution.
And yes, that's right, I really have to plan how to join all servers and workstations to the new domain.
By "buying time" you tell me that you understand that the main goal of maintaining the IDs is to do
the integration one by one, users and workstations, into the AD. I hope to do this without disturbing operations and cooperation while maintaining
SMB services, thanks to NFS under Samba, simultaneously for the old and the new domain users and groups.
Current elements are:
1- It really seems that there is no domain uid/gid in the AD. As far as I know, there is no extensive use of Linux/Unix elsewhere
in the AD (except for local accounts). So I don't have to bother with this.
2- I can collect the new SIDs from a test server configured with "rid".
3- I have the right to join some computers into the AD; I don't think I can write uid/gid in the AD. Windows people here do not seem to know about
SFU or rfc2307. This is why I want to keep UID/GID myself (through LDAP?) across all my workstations and servers.
I know that SFU was designed for writing UID/GID in AD. I just discovered rfc2307; is it supposed to write stuff in the AD?
4- It seems from the Samba 4.x docs
https://cwiki.apache.org/confluence/display/DIRxINTEROP/Configuring+LDAP-backed+Winbind+IDMAP
that I "just" have to populate a new LDAP with lines such as
    objectClass: sambaIdmapEntry
    objectClass: sambaSidEntry
    sambaSID: S-1-5-21-1957994488-2146356355-682003330-1427
    uidNumber: 16777216
But it says nothing about the ou=, uid=, or other dn: line that should be at the head of that kind of entry.
That's it
Laurent
--
Laurent Hubert, PhD
Research professional
Linux systems administration, deployment of Open Source solutions
Centre d'imagerie moléculaire de Sherbrooke
Centre hospitalier universitaire de Sherbrooke
819 346 1110 x 11836
pager: 6475
http://www.cims.med.usherbrooke.ca
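Point 4 above asks what dn: line heads an idmap entry. The script below is an added example, not code from this thread or from the Samba project: it writes the LDIF that the idmap_ldap backend reads, one sambaIdmapEntry per SID under a base DN of the form sambaSID=<SID>,<ldap_base_dn>, plus the sambaUnixIdPool counter object that idmap_ldap looks for on the base DN itself. It also applies the check a practitioner wants before loading anything: every stored uid/gid must fall inside the "idmap config DOMAIN : range" from smb.conf, since winbind ignores mappings outside it, and no two SIDs may share a unix id. The base DN "ou=Idmap,dc=example,dc=org", the range 16777216-33554431 and the mapping table are constructed sample data; only the domain SID and the first uid are taken from the post.

```python
"""
Added example (not from the original thread or the Samba project): build the
LDIF the idmap_ldap backend expects, so that uid/gid numbers already in use
on the file servers are kept for the AD users' SIDs.  Base DN, id range and
the mapping table are constructed sample data.
"""
import re
from collections import namedtuple

# kind is "user" (stored as uidNumber) or "group" (stored as gidNumber)
Mapping = namedtuple("Mapping", "rid kind unix_id")

DOMAIN_SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+$")


def build_idmap_ldif(base_dn, domain_sid, mappings, id_range):
    """Return LDIF for the pool object plus one sambaIdmapEntry per mapping.

    id_range is the (low, high) pair from 'idmap config DOMAIN : range'.
    winbind ignores a stored mapping whose unix id is outside that range,
    so such rows are rejected here instead of showing up later as files
    owned by 'nobody'.
    """
    if not DOMAIN_SID_RE.match(domain_sid):
        raise ValueError("not a domain SID: %r" % domain_sid)
    low, high = id_range
    rdn_attr, rdn_value = base_dn.split(",", 1)[0].split("=", 1)
    if rdn_attr.lower() != "ou":
        raise ValueError("expected an ou=... base DN, got %r" % base_dn)

    seen_ids, seen_rids = set(), set()
    entries = []
    for m in mappings:
        if m.kind not in ("user", "group"):
            raise ValueError("kind must be 'user' or 'group': %r" % (m,))
        if not low <= m.unix_id <= high:
            raise ValueError("%s id %d outside idmap range %d-%d"
                             % (m.kind, m.unix_id, low, high))
        # one SID per unix id and one unix id per SID, or winbind's
        # lookups become ambiguous
        if (m.kind, m.unix_id) in seen_ids or m.rid in seen_rids:
            raise ValueError("duplicate mapping: %r" % (m,))
        seen_ids.add((m.kind, m.unix_id))
        seen_rids.add(m.rid)

        sid = "%s-%d" % (domain_sid, m.rid)
        attr = "uidNumber" if m.kind == "user" else "gidNumber"
        entries.append("\n".join([
            "dn: sambaSID=%s,%s" % (sid, base_dn),
            "objectClass: sambaIdmapEntry",
            "objectClass: sambaSidEntry",
            "sambaSID: %s" % sid,
            "%s: %d" % (attr, m.unix_id),
        ]))

    # The pool object is the base DN entry itself; its uidNumber/gidNumber
    # are the next free ids winbind may allocate to a SID with no entry.
    used_uids = [m.unix_id for m in mappings if m.kind == "user"]
    used_gids = [m.unix_id for m in mappings if m.kind == "group"]
    pool = "\n".join([
        "dn: %s" % base_dn,
        "objectClass: organizationalUnit",
        "objectClass: sambaUnixIdPool",
        "%s: %s" % (rdn_attr, rdn_value),
        "uidNumber: %d" % (max(used_uids + [low - 1]) + 1),
        "gidNumber: %d" % (max(used_gids + [low - 1]) + 1),
    ])
    return "\n\n".join([pool] + entries) + "\n"


def parse_idmap_ldif(text):
    """Read the LDIF back into {sid: (attribute, unix_id)} for checking."""
    result = {}
    for block in text.strip().split("\n\n"):
        attrs = dict(line.split(": ", 1) for line in block.splitlines())
        if "sambaSID" in attrs:
            attr = "uidNumber" if "uidNumber" in attrs else "gidNumber"
            result[attrs["sambaSID"]] = (attr, int(attrs[attr]))
    return result


def mapping_error(base_dn, domain_sid, mappings, id_range):
    """Return the validation message for a bad table, or None if usable."""
    try:
        build_idmap_ldif(base_dn, domain_sid, mappings, id_range)
    except ValueError as e:
        return str(e)
    return None


# Constructed sample: SIDs read from the 'rid' test server, paired with the
# uid/gid numbers those accounts already have in the old OpenLDAP.
SAMPLE_BASE_DN = "ou=Idmap,dc=example,dc=org"
SAMPLE_DOMAIN_SID = "S-1-5-21-1957994488-2146356355-682003330"
SAMPLE_RANGE = (16777216, 33554431)
SAMPLE_MAPPINGS = [
    Mapping(1427, "user", 16777216),
    Mapping(1428, "user", 16777217),
    Mapping(513, "group", 16777300),   # Domain Users
]

if __name__ == "__main__":
    print(build_idmap_ldif(SAMPLE_BASE_DN, SAMPLE_DOMAIN_SID,
                           SAMPLE_MAPPINGS, SAMPLE_RANGE))
```

The output is loaded with ldapadd into the directory that "idmap config DOMAIN : ldap_url" points at, with ldap_base_dn set to the same ou=Idmap DN; the samba.schema must already be loaded on that server for the sambaIdmapEntry and sambaUnixIdPool classes to be accepted.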
________________________________________
From: Denis Cardon [denis.cardon at tranquil-it-systems.fr]
Sent: 26 November 2013 13:55
To: Hubert, Laurent
Cc: samba at lists.samba.org
Subject: Re: [Samba] How to keep idmapping, when Samba servers becomes part of a Windows AD from a larger organisation.
Hi Laurent,
>
> Since 2006, I have used in my department a Samba solution based on an NT4-style PDC, 2 BDCs and some file servers, serving one hundred people. The backends for passwords and IDs are a master and two slave OpenLDAP servers. Now I have to integrate a much larger organisation, a University Hospital, running with Windows AD. For political reasons, I should not maintain DCs anymore, but I will still maintain Windows stations, Linux stations and Linux servers. One point then is to see if there is a way to keep the idmapping of users and groups I already have, in order to reduce interventions on file servers and stations to a minimum while migrating. For now, I don't know how to do it. (Note: new users and groups may have any Linux "id" we want.)
>
> One point here is that I succeeded in testing the integration of a Samba member server into the AD with Samba 4.x, winbind and "idmap config DOMAIN : backend = rid". Now I want to go further and look for a solution to this problem of keeping the idmaps of current users. Is it possible to have a coherent configuration together for /etc/ldap.conf, /etc/nsswitch.conf and /etc/samba/smb.conf for this solution?
With rfc2307/SFU you should be able to do what you plan, provided that
the OpenLDAP uid/gid numbers are not yet used in the target Active Directory.
Using python-ldap and python-win32com, it should be quite easy to read
the data in the old LDAP and recreate the uidNumber and gidNumber
attributes in the Active Directory after creating the users. Actually I
have already done the reverse, i.e. populated uid/gid from the RID in a Samba4
directory after a migration from MSAD.
Once you have your uidNumber/gidNumber attributes set, then you just
have to enable rfc2307 in your winbind or sssd and it should be fine;
user uid and gid should map to the old values with nsswitch.
However I guess in this case that you'll have to recreate a new password
for all the users and rejoin all the computers to the domain...
If you want to ease the transition, I think you could go the following
path: upgrade the Samba3 PDC domain to Samba4, join an MSAD to the
Samba4, demote the Samba4 and make an interdomain trust between the two
MSAD domains; then you'll buy some time to rejoin the computers to the
new domain and migrate user accounts.
Hope this helps.
Denis
PS: it seems like you are fluent in French. I have a few tutorials in
Frog tongue at the following address to help in doing a migration:
http://dev.tranquil.it/index.php/Samba4
>
>
>
> Thanks for the help
> and warm thanks for Samba
> Laurent
>
> --
> Laurent Hubert, PhD
> Research professional
> Linux systems administration, deployment of Open Source solutions
> Centre d'imagerie moléculaire de Sherbrooke
> Centre hospitalier universitaire de Sherbrooke
> 819 346 1110 x 11836
> pager: 6475
> http://www.cims.med.usherbrooke.ca
>
--
Denis Cardon
Tranquil IT Systems
Les Espaces Jules Verne, bâtiment A
12 avenue Jules Verne
44230 Saint Sébastien sur Loire
tel : +33 (0) 2.40.97.57.55
http://www.tranquil-it-systems.fr
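Denis's plan rests on one precondition ("provided that openldap uid/gid numbers are not yet used in the target Active Directory") and one ordering constraint (the attributes go in "after creating the user"). The script below is an added example, not code from Denis or from the Samba project: it runs that check offline on exported data, refusing to proceed when a number is already owned by a different AD object, when a number falls outside the winbind range, or when a user's primary gid has no matching group, and otherwise returns the per-object attribute values to write plus the accounts that still have to be created in AD first. The account names, numbers and the range 16777216-33554431 are constructed sample data; the live version would fetch ad_users/ad_groups with a python-ldap search for uidNumber/gidNumber and apply each returned dict with modify_s.

```python
"""
Added example (not from the thread or the Samba project): the rfc2307
collision check that populating uidNumber/gidNumber in AD depends on.
All names and numbers below are constructed sample data.
"""


def plan_rfc2307_attributes(old_users, old_groups, ad_users, ad_groups,
                            id_range):
    """Return ({name: {attribute: value}}, [names not yet in AD]).

    old_users:  {sAMAccountName: (uidNumber, gidNumber)} from OpenLDAP
    old_groups: {sAMAccountName: gidNumber} from OpenLDAP
    ad_users:   {sAMAccountName: uidNumber or None} as currently set in AD
    ad_groups:  {sAMAccountName: gidNumber or None}
    id_range:   (low, high) from 'idmap config DOMAIN : range'
    Raises ValueError on a collision, an out-of-range id, or a user whose
    primary group is not in the export.
    """
    low, high = id_range
    # reverse maps: unix id -> AD object that already owns it
    taken_uids = {u: n for n, u in ad_users.items() if u is not None}
    taken_gids = {g: n for n, g in ad_groups.items() if g is not None}
    changes, missing = {}, []

    def claim(taken, number, name, what):
        if not low <= number <= high:
            raise ValueError("%s %d for %s is outside idmap range %d-%d"
                             % (what, number, name, low, high))
        owner = taken.get(number)
        if owner is not None and owner != name:
            raise ValueError("%s %d of %s is already used by AD object %s"
                             % (what, number, name, owner))
        taken[number] = name

    # Groups first, so gidNumber values exist before users reference them.
    for name, gid in old_groups.items():
        if name not in ad_groups:
            missing.append(name)
            continue
        claim(taken_gids, gid, name, "gid")
        if ad_groups[name] != gid:
            changes[name] = {"gidNumber": gid}

    for name, (uid, gid) in old_users.items():
        if name not in ad_users:
            missing.append(name)
            continue
        claim(taken_uids, uid, name, "uid")
        if gid not in old_groups.values():
            raise ValueError("primary gid %d of %s has no group in the export"
                             % (gid, name))
        if ad_users[name] != uid:
            changes[name] = {"uidNumber": uid, "gidNumber": gid}
    return changes, missing


def plan_error(*args):
    """Return the ValueError message for a bad plan, or None if it is clean."""
    try:
        plan_rfc2307_attributes(*args)
    except ValueError as e:
        return str(e)
    return None


# Constructed sample data: two exported users and one group; jdoe is a
# pre-existing AD account that already carries a uidNumber; newhire has
# not been created in AD yet.
SAMPLE_RANGE = (16777216, 33554431)
SAMPLE_OLD_USERS = {
    "lhubert": (16777216, 16777300),
    "dcardon": (16777217, 16777300),
    "newhire": (16777219, 16777300),
}
SAMPLE_OLD_GROUPS = {"cims": 16777300}
SAMPLE_AD_USERS = {"lhubert": None, "dcardon": None, "jdoe": 16777218}
SAMPLE_AD_GROUPS = {"cims": None}

if __name__ == "__main__":
    print(plan_rfc2307_attributes(SAMPLE_OLD_USERS, SAMPLE_OLD_GROUPS,
                                  SAMPLE_AD_USERS, SAMPLE_AD_GROUPS,
                                  SAMPLE_RANGE))
```

Each value in the returned dict becomes one python-ldap modify_s call with MOD_REPLACE triples on the account's DN; the missing list is what still has to be created on the AD side before a second run applies the numbers.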