Re: ADS Domain Member smb.conf using idmap_ad

On 11/23/2011 08:44 AM, TAKAHASHI Motonobu wrote:
Firstly, I recommend that you configure both Active Directory and
Samba to configure Winbind in your lab.

From: Freeman<flo@xxxxxxxxxxxxx>
Date: Wed, 23 Nov 2011 08:17:55 -0500

Have you already set values into "UNIX attributes" for every user you
want to "activate" under Winbind?

I believed on the windows side, the windows admin had already mapped the
unix user uid/gid to the windows domain via some windows/unix converter
tool.

You need to confirm what was done, I think.

The unix IDs which were mapped to the windows domain on the server 2008 RC 2 are all from central campus user ID, not the user ID local to me where I have set up a small NIS service for the 25 people I support. The campus uid/gid is comprehensive. The range of uid from campus varies from low values to high values. These uid are coming from campus's unix uid passwd file, which were manually mapped to the campus's windows domain by the local windows admin for all 25 staff.

As far as unix attributes, the uid(s) from campus for all 25 of us were set but probably nothing else. I am not sure of what other unix attributes were made available onto the windows side. I am also unaware as to what other tasks that needed to be done on the windows side to have the uid properly mapped. The local windows admin only told me that all he did was to edit the domain table for each of the 25 users with campus uid and gid.

idmap config AD : default = yes
idmap config AD : cache time = 180
idmap config AD : backend  = ad
# idmap config AD : range = 100001-200000
idmap config AD : schema_mode = rfc2307

Of course, uid/gids are set between 100001-200000 on Active Directory?

These uid and gid will be using from campus's passwd file. I have to locate all 25 staff including myself in order to come up with a range. There is no consistency as in the uid value from campus. It all depends when this person was accepted into the university as a student or was hired. This will be painful. I have to grep on that passwd / groups file to see all of their uid and gid.

If you set "idmap config AD : range = 100001-200000", all uid/gids
except 100001-200000 cannot be mapped. Also remember a user whose
primary group cannot be mapped fails to map.

Thanks, this is good to know.

idmap config AD : schema_mode = rfc2307

I am running samba version: Version 3.5.11-79. fc14. Trying to join
linux servers to the windows 2003 domain by running winbind and smb.  I

Your AD's DCs are Windows Server 2003 or Windows Server 2003 R2?
If Windows Server 2003, you use sfu instead of rfc2307. See
   http://support.microsoft.com/kb/921599/en-us

My apologies, I am lacking skills on the understanding of windows domain. Campus is running 2008 RC2 server. So, rfc2307 will work for me instead of sfu?

I thought the uid/gid mapping to the sid is all done by either
winbind or samba, if smb.conf is configured properly.

Again I have to say that uid/gid does not have anything to do with
SID/RID.

Setting "idmap backend = ad" only enables that uid/gid/shell and
homedir values are retrieved from those set in "UNIX attributes",
which does not mean to map to SID.

The goal is pretty simple, we would like to have all of the linux
machines joining the campus windows AD domain as a member. Instead of
using the NIS account with all of the linux machine, we would like to
log onto the linux servers with the domain account from the windows side
and to mount a windows share upon a user log in.

If you keep current uid/gids maintained by NIS, you should use
idmap_ad(8). If not, idmap_rid(8) is easy to configure.

Thank you again in explaining to me the difference. I am about 99% certain I would have to go with idmap_ad since the uid/gid from groups/passwd files are manually added into campus's windows active directory.

Would my configuration be accurate for someone who wishes to join a windows 2008 RC2 domain with proper access to windows shares?
   idmap backend = tdb <-- the value here i am unsure
   idmap config AD : default = yes
   idmap config AD : cache time = 180
   idmap config AD : backend  = ad


What are these two settings then? Are they significant?
   idmap uid = 1000-5000000
   idmap gid = 1000-5000000

I would have to query the campus passwd file to see what might be a possible range for the line below.
 idmap config AD : range = XXX-XXX

freeman
---
TAKAHASHI Motonobu<monyo@xxxxxxxxxxx>
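
An added example (not part of the original messages): a small Python script for the passwd lookup discussed in the thread. It computes the smallest range covering the staff's uid and primary gid and lists who a candidate range such as 100001-200000 would leave unmapped. The passwd lines and user names are constructed sample data, and it assumes the values entered in AD match the campus passwd file, as described above.

```python
# Added example: derive an idmap_ad range from passwd-format data and
# check which accounts a candidate range would leave unmapped.
# All names, uids and gids below are constructed sample data.

SAMPLE_PASSWD = """\
alice:x:1204:300:Alice:/home/alice:/bin/bash
bob:x:48211:300:Bob:/home/bob:/bin/bash
carol:x:150733:52000:Carol:/home/carol:/bin/tcsh
dave:x:730:25:Dave:/home/dave:/bin/bash
"""

def parse_passwd(text):
    """Return {user: (uid, primary_gid)} from passwd(5)-format text."""
    users = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 4 or not (fields[2].isdigit() and fields[3].isdigit()):
            continue  # skip malformed entries and NIS "+" compat lines
        users[fields[0]] = (int(fields[2]), int(fields[3]))
    return users

def covering_range(users, staff):
    """Smallest (low, high) containing every staff uid and primary gid."""
    ids = [n for name in staff for n in users[name]]
    return min(ids), max(ids)

def unmapped(users, staff, low, high):
    """Staff whose uid or primary gid lies outside low-high.

    Per the thread, IDs outside the configured range are not mapped, and a
    user whose primary group is unmapped fails to map as a whole.
    """
    problems = {}
    for name in staff:
        uid, gid = users[name]
        bad = [label for label, n in (("uid", uid), ("gid", gid))
               if not low <= n <= high]
        if bad:
            problems[name] = bad
    return problems

if __name__ == "__main__":
    users = parse_passwd(SAMPLE_PASSWD)
    staff = ["alice", "bob", "carol", "dave"]
    low, high = covering_range(users, staff)
    print(f"idmap config AD : range = {low}-{high}")
    print("outside 100001-200000:", unmapped(users, staff, 100001, 200000))
```

A covering range that starts at very low values overlaps the IDs normally used by local system accounts on the Linux member, so review that overlap before adopting the computed range.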
