[Samba] Man page for idmap_rid

Rowland Penny rpenny at samba.org
Wed Aug 10 15:17:57 UTC 2016


On Wed, 10 Aug 2016 11:36:45 -0300
francis picabia via samba <samba at lists.samba.org> wrote:

> On Wed, Aug 10, 2016 at 11:04 AM, Rowland Penny via samba <
> samba at lists.samba.org> wrote:
> 
> > On Wed, 10 Aug 2016 10:42:11 -0300
> > francis picabia via samba <samba at lists.samba.org> wrote:
> >
> > >
> > > On a few dozen systems running Linux and Solaris and in
> > > production, MYDOM\username = username  as far as we are
> > > concerned.  It isn't unique to Samba.  Many applications have a
> > > local user which maps to the AD user and make the assumption they
> > > are the same, which we can do because we administer both ends.
> > > We're not talking about self-sign up portals and mailing lists,
> > > but things which are under one administration.
> > >
> > > Other than the case of bug report 10604 and Samba 4.2.10 on
> > > Debian, this solution has been working well for us.
> >
> > Sorry, but you still don't seem to have got the message: you map
> > local Unix users to AD users only if you are using Samba as a
> > standalone server or in an NT4-style domain.
> >
> > You do not map users in an AD domain, you make the AD users become
> > local Unix users by adding RFC2307 attributes or by using the
> > winbind 'rid' backend. This way, you do not need the users
> > in /etc/passwd and in fact, they must not be in /etc/passwd.
> >
> > rowland at devstation:~$ getent passwd rowland
> > rowland:*:10000:10000:Rowland Penny:/home/rowland:/bin/bash
> > rowland at devstation:~$ cat /etc/passwd | grep rowland
> > rowland at devstation:~$
> > rowland at devstation:~$
> >
> > As you can see, I exist as a local Unix user, but I am not
> > in /etc/passwd
> >
> >
> We're not interested in that solution. On one system I may have tcsh
> shell, or bash on another.  We have different home paths on different
> systems as well.

Can I introduce you to a couple of smb.conf settings:

        template shell = /bin/bash
        template homedir = /home/%U

These, along with the winbind 'rid' backend, will extend your
AD users and do what you require, with the extra benefit of only having
one place to store your users' authentication info.
 
> These systems have local storage, not a SAN
> providing /home/MYDOM/username to a user on any system.  I can't
> imagine how ssh keys would be handled with one big unified home
> directory scheme.

Can I also introduce you to the concept of using Kerberos with ssh.

> 
> I believe we are using it like NT4 style domain with rid user
> mapping.  AD is running
> on Windows servers.

NT4-style domain != AD domain

Rowland
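An added example, not from this thread or from Samba itself: it parses the `idmap config` lines Rowland is pointing at, applies the idmap_rid mapping rule from the idmap_rid man page (ID = RID - BASE_RID + LOW_RANGE_ID) and flags the local /etc/passwd entries that would clash with it. The smb.conf fragment, the passwd lines, the AD RIDs and the domain name MYDOM are all constructed for the example.

```python
import re
# Constructed smb.conf [global] fragment: winbind 'rid' backend plus the two template settings from the thread.
SMB_CONF = """
[global]
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999
   idmap config MYDOM : backend = rid
   idmap config MYDOM : range = 10000-999999
   template shell = /bin/bash
   template homedir = /home/%U
"""
# Constructed /etc/passwd lines: 'fpicabia' is also an AD account (the case
# the thread warns against) and 'svcbackup' has a UID inside the rid range.
PASSWD = """root:x:0:0:root:/root:/bin/bash
fpicabia:x:1001:1001:Francis:/home/fpicabia:/bin/tcsh
svcbackup:x:10042:10042:Backup:/var/backup:/bin/sh"""
# Constructed AD accounts as {sAMAccountName: RID}.
AD_USERS = {"rowland": 1104, "fpicabia": 1042, "alice": 2000000}
IDMAP_RE = re.compile(r"^\s*idmap config\s+(\S+)\s*:\s*(backend|range)\s*=\s*(\S+)", re.M)

def parse_idmap(conf):
    """Return {domain: {'backend': str, 'range': (low, high)}} from smb.conf text."""
    cfg = {}
    for dom, key, val in IDMAP_RE.findall(conf):
        if key == "range":
            low, high = val.split("-")
            cfg.setdefault(dom, {})["range"] = (int(low), int(high))
        else:
            cfg.setdefault(dom, {})["backend"] = val
    return cfg

def rid_to_uid(rid, low, high, base_rid=0):
    """idmap_rid rule from its man page: ID = RID - BASE_RID + LOW_RANGE_ID."""
    uid = rid - base_rid + low
    return uid if low <= uid <= high else None   # None: RID cannot be mapped

def find_conflicts(conf, passwd, ad_users, domain="MYDOM"):
    """Sorted (kind, name) pairs for every way local accounts clash with rid mapping."""
    low, high = parse_idmap(conf)[domain]["range"]
    local = {l.split(":")[0]: int(l.split(":")[2]) for l in passwd.splitlines() if l}
    problems = []
    for name, uid in local.items():
        if name in ad_users:          # AD user must not also be in /etc/passwd
            problems.append(("duplicate-local-user", name))
        if low <= uid <= high:        # local UID would collide with a mapped AD UID
            problems.append(("local-uid-in-rid-range", name))
    for name, rid in ad_users.items():
        if rid_to_uid(rid, low, high) is None:   # RID too large for the range
            problems.append(("rid-outside-range", name))
    return sorted(problems)
```

On a real host the same check runs over the actual /etc/passwd and the RIDs from `wbinfo -n`, with nothing else changed.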