On Sun, 2005-07-03 at 20:27 +0300, Ira Abramov wrote: > > to explain: when you use winbind and add a machine into the domain, the > first time you look up a user she will be mapped to a local UID in an > "idmap" database. the problem is, there is no hash function to map a > lanman object's SID, and the idmap database fills up on a "first asked, > first served" manner. this is a sick mess, since this means that if you > have several machines winbound, they don't all see the same UIDs mapped > to the same usernames, which makes NFS impossible. Not exactly... When winbind service comes up first time, it does several things: 1) Enumerates trusted domains 2) Reads ALL group objects from trusted domains (including AD) and generates GIDs by hashing objectSID (octet string LDAP syntax - actually a byte array) attribute. 3) Reads ALL user/computer objects and generates UIDs (same logic here)
The problem is not with idmap database, but rather with the efficiency of the LDAP query which asks for all user/computer objects from AD - as I mentioned already before: in my environment winbind is crashing after about 20 mins, while trying to enumerate accounts, failing to complete the LDAP query. > > solution one - have one machine enumarate all the UIDs and then copy its > idmap database, and do that again each time you add users to the AD (yuck) > > solution 2 - have the userinfo come from the AD, the authentication from > the kerberos (as before) and ask Samba to map the ids according to LDAP > (yuck again). that LDAP server can either run on a separate linux > machine, or be the LDAP that is already part of the SFU, and so keeps > those details inside the AD itself, with a "Unix attributes" tag in the > AD management dialog. you can share UIDs via LDAP or SQL (OpenLDAP, mySQL), but yuck indeed. > not NIS, just LDAP. the scheme extensions alone don't let you access > them. the SFU adds the above mentioned tag to the dialog box. Who cares about the GUI ? SFU registers a COM object which makes the tab show up in ADU&C (AD Users & Computers), but you can still access those attributes from any LDAP browser/editor or using Windows CLI utilities like dsmod/dsget/dsquery/dsadd/dsrm (surprise, surprise ! there is CLI in Windows ;-) ) And if you want even more flexibility, search for adfind/admod in google. > * On winbound machines of the RHEL 3WS variety, I could "su - user" from > root without any problem. not so on 3ES, where I got back "su: Invalid > password". at some point it magicly fixed itself and I could not > recreate it (good thing?). could it be a kerberos glitch? Try creating user called "root" in AD and disabling the requirement for Kerberos pre-authentication on that account ("Account" tab in ADU&C or adding directly 0x200000 to userAccountControl attribute of the account). Guy ================================================================= To unsubscribe, send mail to [EMAIL PROTECTED] with the word "unsubscribe" in the message body, e.g., run the command echo unsubscribe | mail [EMAIL PROTECTED]