[Samba] id mapping

Rowland Penny rpenny at samba.org
Fri Sep 24 06:50:31 UTC 2021


On Thu, 2021-09-23 at 18:06 -0500, Patrick Goetz via samba wrote:
> 
> Right.  But I'm talking about the use case where you use the ad id
> mapping. Sorry to be a pest, I'm perfectly willing to accept that I'm
> still confused, but my understanding is that if you use the ad id
> mapping, when a user saves a file to the Samba file server the UID it
> uses for file owner is the uidNumber attribute stored in AD with the
> user's record. If that same file server is providing NFS service with
> sec=sys, the UIDs on the respective systems would match even though the
> linux client has a local /etc/passwd user with UID 1517. Not suggesting
> this is advisable, just that it's do-able.

Yes, that would be the only way to do it: use the winbind 'ad' backend
and give your AD users a uidNumber containing the ID you want that user
to have, but you do not need, and shouldn't have, users in both AD and
/etc/passwd; the same goes for groups.

> 
> OK, just thought of a use case where this might make sense: a compute
> cluster where the nodes live entirely behind the master node with no
> network access. Warewulf, for example, has nodes boot from a golden
> image and has scripts to update /etc/passwd, /etc/shadow, and /etc/group
> in the golden image when your user base changes. In this case it's
> conceivable that your master node could be bound to a domain and you
> have some automated mechanism for regularly updating the nodes'
> /etc/passwd file from the AD security group authorized to access the
> cluster. Typically one doesn't allow password authentication to such
> nodes anyway. You use either ssh keys, host-based authentication, or in
> many cases you don't want the users mucking about on the nodes at all
> because they're supposed to submit jobs through a scheduling system and
> not try to game the system. You do, however, need authorization to work
> for data file access.
> 


Never used Warewulf, can it work with AD?

Rowland
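
For readers following the thread, here is an added example (not something posted in this exchange, and not Samba's own sample config) of the smb.conf fragment that the reply above describes: a domain member using the winbind 'ad' idmap backend so that file owners on the share take the uidNumber/gidNumber stored in AD. The workgroup, realm and ID ranges are assumed values for illustration.

```ini
# Added example: domain-member smb.conf using the winbind 'ad' idmap backend.
# Workgroup, realm and ranges are assumed; adjust them to your own domain.
[global]
   workgroup = EXAMPLE
   realm = EXAMPLE.ORG
   security = ADS

   # Catch-all for SIDs that are not from the domain (BUILTIN, local well-known
   # SIDs). These get IDs allocated from a local tdb, outside the AD range.
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999

   # Domain users and groups: read uidNumber/gidNumber from AD (RFC2307
   # attributes). Nothing is allocated; an object with no uidNumber, or with a
   # uidNumber outside this range, simply does not resolve on this host.
   idmap config EXAMPLE : backend = ad
   idmap config EXAMPLE : schema_mode = rfc2307
   idmap config EXAMPLE : range = 10000-999999
   # Also take loginShell/unixHomeDirectory from AD instead of the templates
   idmap config EXAMPLE : unix_nss_info = yes

   winbind use default domain = yes
   winbind refresh tickets = yes
```

To check it after `net ads join` and adding `winbind` to the passwd and group lines of /etc/nsswitch.conf, run `testparm -s` to validate the file, then `getent passwd someuser` and `id someuser`: the numeric UID shown must be the uidNumber from that user's AD object, and `wbinfo -i someuser` should report the same. A user or group whose uidNumber/gidNumber falls outside the configured range, or that has no such attribute at all, is silently absent from `getent`, which is the usual cause of "files appear owned by nobody". It is also why the reply above says not to keep the same users in /etc/passwd as well: with `passwd: files winbind`, a local entry of the same name wins the lookup and the AD uidNumber is never used. For the NFS sec=sys case discussed in the thread, this config only fixes the Samba side of the mapping; the NFS server trusts whatever numeric UID the client sends, so the client's local UID still has to be kept equal to the AD uidNumber by some other means.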
