[Samba] id mapping
rpenny at samba.org
Fri Sep 24 06:50:31 UTC 2021
On Thu, 2021-09-23 at 18:06 -0500, Patrick Goetz via samba wrote:
> Right. But I'm talking about the use case where you use the ad id
> mapping. Sorry to be a pest, I'm perfectly willing to accept that I'm
> still confused, but my understanding is that if you use the ad id
> mapping, when a user saves a file to the Samba file server the UID it
> uses for file owner is the uidNumber attribute stored in AD with the
> user's record. If that same file server is providing NFS service with
> sec=sys, the UIDs on the respective systems would match even though the
> Linux client has a local /etc/passwd user with UID 1517. Not that
> this is advisable, just that it's do-able.
Yes, that would be the only way to do it: use the winbind 'ad' backend
and give your AD users a uidNumber containing the ID you want that user
to have, but you do not need, and shouldn't have, users in both AD and
/etc/passwd; the same goes for groups.
> OK, just thought of a use case where this might make sense: a
> cluster where the nodes live entirely behind the master node with no
> network access. Warewulf, for example, has nodes boot from a golden
> image and has scripts to update /etc/passwd, /etc/shadow, and
> in the golden image when your user base changes. In this case it's
> conceivable that your master node could be bound to a domain and you
> have some automated mechanism for regularly updating the nodes'
> /etc/passwd file from the AD security group authorized to access the
> cluster. Typically one doesn't allow password authentication to such
> nodes anyway. You use either ssh keys, host-based authentication, or in
> many cases you don't want the users mucking about on the nodes at all
> because they're supposed to submit jobs through a scheduling system and
> not try to game the system. You do, however, need authorization to
> for data file access.
Never used Warewulf; can it work with AD?
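The advice in the reply above (winbind 'ad' backend, uidNumber from AD, and no duplicate accounts in /etc/passwd or /etc/group) is easy to get wrong on a host that already had local accounts, exactly the UID 1517 situation in the quoted message. The script below is an added example and not code from this thread or from the Samba project: it shows the idmap settings in a comment (the domain name SAMDOM and the ranges are assumptions) and implements a small checker that takes two passwd- or group-format blobs, the local file and the winbind view, and prints every name or numeric id that resolves both ways. The sample entries are constructed.

```shell
#!/bin/sh
# Added example, not from the Samba list post or the Samba project.
# With the winbind 'ad' backend Samba takes each user's UID/GID from the
# uidNumber/gidNumber attributes in AD, which is what makes the owner UID
# on the Samba share and on an NFS sec=sys export agree. The smb.conf
# [global] idmap block is roughly (SAMDOM and the ranges are assumptions):
#   idmap config * : backend = tdb
#   idmap config * : range = 3000-7999
#   idmap config SAMDOM : backend = ad
#   idmap config SAMDOM : schema_mode = rfc2307
#   idmap config SAMDOM : range = 10000-999999
# Those names and numbers must not also be defined in /etc/passwd or
# /etc/group, otherwise NSS resolves the same name (or id) two ways and
# file ownership becomes ambiguous. find_clashes reports such overlaps.

# find_clashes LOCAL WINBIND
#   Both arguments are passwd/group formatted text (name:x:id:...).
#   Prints one line per name and per numeric id present in both.
find_clashes() {
    fc_local=$(mktemp) || return 1
    fc_wb=$(mktemp) || return 1
    printf '%s\n' "$1" >"$fc_local"
    printf '%s\n' "$2" >"$fc_wb"
    awk -F: '
        NF < 3 || /^[#+-]/ { next }   # skip blank, comment and NSS compat lines
        FILENAME == ARGV[1] {         # first file: index the local entries
            byname[$1] = $3; byid[$3] = $1; next
        }
        $1 in byname { printf "name %s (local id %s, winbind id %s)\n", $1, byname[$1], $3 }
        $3 in byid   { printf "id %s (local %s, winbind %s)\n", $3, byid[$3], $1 }
    ' "$fc_local" "$fc_wb"
    rm -f "$fc_local" "$fc_wb"
}

# Constructed sample data: a local account "alice" with UID 1517, as in the
# thread, next to winbind entries where alice has uidNumber 10001 in AD, and
# a local service account whose UID collides with another AD user's number.
LOCAL_PASSWD='root:x:0:0:root:/root:/bin/bash
alice:x:1517:1517:Alice (local):/home/alice:/bin/bash
svc-backup:x:10500:10500::/var/empty:/usr/sbin/nologin'

WINBIND_PASSWD='alice:*:10001:10000:Alice:/home/SAMDOM/alice:/bin/bash
bob:*:10002:10000:Bob:/home/SAMDOM/bob:/bin/bash
carol:*:10500:10000:Carol:/home/SAMDOM/carol:/bin/bash'

find_clashes "$LOCAL_PASSWD" "$WINBIND_PASSWD"
# prints:
#   name alice (local id 1517, winbind id 10001)
#   id 10500 (local svc-backup, winbind carol)
```

On a real member server run it as `find_clashes "$(cat /etc/passwd)" "$(getent -s winbind passwd)"` and again with /etc/group and `getent -s winbind group`; enumerating through winbind needs `winbind enum users = yes` / `winbind enum groups = yes` in smb.conf, or feed it `wbinfo -u` / `wbinfo -g` output resolved with getent instead. Any line it prints is an account to remove from the local files (or renumber in AD) before relying on uidNumber for NFS.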