[Samba] Man page for idmap_rid

francis picabia fpicabia at gmail.com
Wed Aug 10 16:12:37 UTC 2016


On Wed, Aug 10, 2016 at 12:17 PM, Rowland Penny via samba <
samba at lists.samba.org> wrote:

> On Wed, 10 Aug 2016 11:36:45 -0300
> francis picabia via samba <samba at lists.samba.org> wrote:
>
> > On Wed, Aug 10, 2016 at 11:04 AM, Rowland Penny via samba <
> > samba at lists.samba.org> wrote:
> >
> > > On Wed, 10 Aug 2016 10:42:11 -0300
> > > francis picabia via samba <samba at lists.samba.org> wrote:
> > >
> > > >
> > > > On a few dozen systems running Linux and Solaris and in
> > > > production, MYDOM\username = username  as far as we are
> > > > concerned.  It isn't unique to Samba.  Many applications have a
> > > > local user which maps to the AD user and make the assumption they
> > > > are the same, which we can do because we administer both ends.
> > > > We're not talking about self-sign up portals and mailing lists,
> > > > but things which are under one administration.
> > > >
> > > > Other than the case of bug report 10604 and Samba 4.2.10 on
> > > > Debian, this solution has been working well for us.
> > >
> > > Sorry, but you still don't seem to have got the message: you map
> > > local Unix users to AD users only if you are using Samba as a
> > > standalone server or in an NT4-style domain.
> > >
> > > You do not map users in an AD domain, you make the AD users become
> > > local Unix users by adding RFC2307 attributes or by using the
> > > winbind 'rid' backend; this way, you do not need the users
> > > in /etc/passwd and in fact, they must not be in /etc/passwd.
> > >
> > > rowland at devstation:~$ getent passwd rowland
> > > rowland:*:10000:10000:Rowland Penny:/home/rowland:/bin/bash
> > > rowland at devstation:~$ cat /etc/passwd | grep rowland
> > > rowland at devstation:~$
> > > rowland at devstation:~$
> > >
> > > As you can see, I exist as a local Unix user, but I am not
> > > in /etc/passwd
> > >
> > >
> > We're not interested in that solution. On one system I may have tcsh
> > shell, or bash on another.  We have different home paths on different
> > systems as well.
>
> Can I introduce you to a couple of smb.conf settings:
>
>         template shell = /bin/bash
>         template homedir = /home/%U
>
> These, along with the winbind 'rid' backend, will extend your
> AD users and do what you require, with the extra benefit of only having
> one place to store your users' authentication info.
>
In my world, one user wants zsh, another wants bash.
In my world home directories can involve departments in
the homedir path on only certain servers.

There are likely a dozen flaming hoops I could set up
to make every legacy thing work, but it would be
too much effort and admin overhead for what it does.

/etc/passwd did everything we needed and it still does.


> > These systems have local storage, not a SAN
> > providing /home/MYDOM/username to a user on any system.  I can't
> > imagine how ssh keys would be handled with one big unified home
> > directory scheme.
>
> Can I also introduce you to the concept of using kerberos with ssh
>

That might be interesting, as we could turn off winbind, allowing
file shares and AD authentication to work reliably.


> >
> > I believe we are using it like an NT4-style domain with rid user
> > mapping.  AD is running on Windows servers.
>
> NT4-style domain != AD domain
>
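As an added example, not code from this thread or from the Samba project: a small POSIX shell check for the situation Rowland warns about above, a user that exists in /etc/passwd and also resolves through winbind. Both passwd-format inputs are constructed samples; the winbind uids assume the idmap_rid backend's mapping of uid = low end of the configured range + the account's RID (here a range starting at 10000), which is how the rid backend derives ids.

```shell
#!/bin/sh
# Added example (not from the thread): find accounts present both in
# /etc/passwd and in the passwd map winbind provides, and show the uid
# each side assigns. Mismatched uids mean file ownership on this host
# depends on which source answered the lookup first in nsswitch.conf.

# Constructed sample of /etc/passwd content.
LOCAL_PASSWD='root:x:0:0:root:/root:/bin/bash
alice:x:1001:1001:Alice:/home/alice:/bin/tcsh
bob:x:1002:1002:Bob:/home/bob:/bin/bash'

# Constructed sample of what `getent passwd` would return for AD users
# via the rid backend with "idmap config MYDOM : range = 10000-999999":
# uid = 10000 + RID (alice RID 503, bob RID 1002, carol RID 777).
WINBIND_PASSWD='alice:*:10503:10000:Alice Example:/home/alice:/bin/bash
bob:*:11002:10000:Bob Example:/home/bob:/bin/bash
carol:*:10777:10000:Carol Example:/home/carol:/bin/bash'

# rid_uid LOW_RANGE RID: the uid idmap_rid assigns (assumes base rid 0).
rid_uid() {
    echo $(( $1 + $2 ))
}

# find_collisions LOCAL_LINES WINBIND_LINES
# Prints "name local_uid winbind_uid" for every name found in both maps.
# Each line is tagged L: or W: so one awk pass can join the two sources;
# after tagging, $2 is the user name and $4 the uid.
find_collisions() {
    {
        printf '%s\n' "$1" | sed 's/^/L:/'
        printf '%s\n' "$2" | sed 's/^/W:/'
    } | awk -F: '
        $1 == "L" { local_uid[$2] = $4; next }
        $1 == "W" && ($2 in local_uid) { print $2, local_uid[$2], $4 }'
}

# On a real host replace the samples with:
#   find_collisions "$(cat /etc/passwd)" "$(getent passwd | grep ':\*:')"
find_collisions "$LOCAL_PASSWD" "$WINBIND_PASSWD"
```

Any line this prints is a user whose identity is defined twice on the host; Rowland's getent/grep pair in the quoted message is the one-user form of the same check.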

