On Sun, 2005-07-03 at 20:27 +0300, Ira Abramov wrote:
>
> to explain: when you use winbind and add a machine into the domain, the
> first time you look up a user she will be mapped to a local UID in an
> "idmap" database. the problem is, there is no hash function to map a
> lanman object's SID, and the idmap database fills up on a "first asked,
> first served" manner. this is a sick mess, since this means that if you
> have several machines winbound, they don't all see the same UIDs mapped
> to the same usernames, which makes NFS impossible.
Not exactly... When winbind service comes up first time, it does several
things:
1) Enumerates trusted domains
2) Reads ALL group objects from trusted domains (including AD) and
generates GIDs by hashing objectSID (octet string LDAP syntax - actually
a byte array) attribute.
3) Reads ALL user/computer objects and generates UIDs (same logic here)
The problem is not with idmap database, but rather with the efficiency
of the LDAP query which asks for all user/computer objects from AD - as
I mentioned already before: in my environment winbind is crashing after
about 20 mins, while trying to enumerate accounts, failing to complete
the LDAP query.
>
> solution one - have one machine enumarate all the UIDs and then copy its
> idmap database, and do that again each time you add users to the AD (yuck)
>
> solution 2 - have the userinfo come from the AD, the authentication from
> the kerberos (as before) and ask Samba to map the ids according to LDAP
> (yuck again). that LDAP server can either run on a separate linux
> machine, or be the LDAP that is already part of the SFU, and so keeps
> those details inside the AD itself, with a "Unix attributes" tag in the
> AD management dialog.
you can share UIDs via LDAP or SQL (OpenLDAP, mySQL), but yuck indeed.
> not NIS, just LDAP. the scheme extensions alone don't let you access
> them. the SFU adds the above mentioned tag to the dialog box.
Who cares about the GUI ? SFU registers a COM object which makes the tab
show up in ADU&C (AD Users & Computers), but you can still access those
attributes from any LDAP browser/editor or using Windows CLI utilities
like dsmod/dsget/dsquery/dsadd/dsrm (surprise, surprise ! there is CLI
in Windows ;-) )
And if you want even more flexibility, search for adfind/admod in
google.
> * On winbound machines of the RHEL 3WS variety, I could "su - user" from
> root without any problem. not so on 3ES, where I got back "su: Invalid
> password". at some point it magicly fixed itself and I could not
> recreate it (good thing?). could it be a kerberos glitch?
Try creating user called "root" in AD and disabling the requirement for
Kerberos pre-authentication on that account ("Account" tab in ADU&C or
adding directly 0x200000 to userAccountControl attribute of the
account).
Guy
=================================================================
To unsubscribe, send mail to [EMAIL PROTECTED] with
the word "unsubscribe" in the message body, e.g., run the command
echo unsubscribe | mail [EMAIL PROTECTED]
