[Samba] Samba AD PDC , LDAP and Single-Sign-On

Andrew Bartlett abartlet at samba.org
Sat Oct 10 03:07:22 UTC 2015


On Fri, 2015-10-09 at 21:08 -0400, Mark Foley wrote:
> Thanks again for your quick reply ...

> Frankly, even after reading the 
> https://www.samba.org/samba/docs/man/manpages/idmap_ad.8.html wiki, I
> don't
> really get the differentiation between 'idmap config *' and 'idmap
> config DOMAIN'
> 
> Do I have to have something similar on the AD/DC? Right now, there
> are no idmap
> statements in that smb.conf.
> 
> Thanks for your time (and patience), --Mark

For the pain that you are about to endure, I can only offer my
apologies.  As Rowland and others on the list will quickly point out,
this is an area that is far from satisfactory.  All the solutions are a
compromise of one kind or another, from the nature of compressing a
128-bit (or more) SID value into a 32-bit UID or GID value.

Almost every new Samba team member starts with a desire to finally
implement the 'perfect' solution here, but the result of that desire
colliding with reality has ended up with a despairing 'let the admin
specify what they want'.  

One way of doing that is to manually fill in the uidNumber and
gidNumber values, and then tell the client and server to use that.
Samba has trouble doing that in a race-free way, and so far declines to
be as helpful as it could be.

Sorry,

Andrew Bartlett

-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
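As an added illustration of the distinction Mark asks about and of the "fill in uidNumber/gidNumber and tell the client to use it" approach Andrew describes (example configuration, not from the thread or the Samba project's own docs), here is an smb.conf fragment for a Samba domain member; the domain name EXAMPLE and the ID ranges are assumptions.

```ini
# Added example (not from the thread): smb.conf for a Samba *domain member*
# that reads uidNumber/gidNumber from AD. "EXAMPLE" and the ranges are
# placeholders; use the real NetBIOS domain name and non-overlapping ranges.
[global]
   workgroup = EXAMPLE
   realm = EXAMPLE.COM
   security = ADS

   # 'idmap config *' is the catch-all block: it handles every SID that no
   # domain-specific block claims (BUILTIN, the local machine SID, trusted
   # domains without their own block). The tdb backend allocates IDs from
   # its range on first use, locally, so they differ from host to host.
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999

   # 'idmap config EXAMPLE' applies only to SIDs from that domain. The ad
   # backend allocates nothing: it returns the uidNumber/gidNumber stored
   # on the AD object, so every member sees the same IDs. An AD user or
   # group without those attributes gets no mapping at all, which is why
   # the values have to be filled in first.
   idmap config EXAMPLE : backend = ad
   idmap config EXAMPLE : schema_mode = rfc2307
   idmap config EXAMPLE : range = 10000-999999

   # Also take loginShell/unixHomeDirectory from AD instead of templates.
   winbind nss info = rfc2307
   winbind use default domain = yes
```

The two ranges must not overlap each other or the local /etc/passwd range, and `getent passwd someuser` on the member is the quick check that the AD attributes are actually being read. An AD DC does not use these `idmap config` lines at all; it maps through its internal idmap.ldb, and `idmap_ldb:use rfc2307 = yes` in the DC's smb.conf makes it honour the same uidNumber/gidNumber attributes.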