John,

Thanks again for the feedback.

> On the other hand, some sites require the same uid/gid across domain
> controllers (PDC/BDC) and domain member servers (dms). Where this is
> required you CAN use NSS-LDAP to get globally consistent uid/gid values
> for each user and then use idmap_ldap to handle SID to uid/gid mappings.
> This configuration can get a little messy and my preference is to not
> have any domain member server but rather make them all domain
> controllers - that way all BDCs can share the exact same smb.conf
> configuration for simpler admin.

This is exactly the situation we are in. The vast majority of our workstations are linux/unix based, thus uids/gids are really at the guts of our environment. The majority of our users work in both environments, so it's critical to have everything match.

Someone else (tms3) asked off list whether there was any reason to even bother with member servers. While it is certainly the case in a "real" Windows environment, I couldn't come up with a reason why this shouldn't/couldn't be done with a pure samba environment. I just tested and things "appear" to work just fine in a test setup. It "seems" wrong, but there is no reason why it can't work just fine with samba.

> The domain member server should be configured so it can write to the
> LDAP directory so that it can assign (out of the idmap range provided in
> the smb.conf file) the idmap entries.  These should populate into the
> "idmap suffix" container.

Of course the problem with this is users could end up with multiple gids/uids if we allowed the member servers to assign uids/gids. I now understand why member servers would need to assign uids/gids in a "real" Windows domain and it's likely we could seed LDAP properly so that we could use them as member servers, but for now I think I'll likely go with the massive number of DCs route.

Thanks everyone, I think I've put together a better understanding of some of the samba/NT domain internals... probably just enough to cause some real trouble ;)

Mark
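For readers following the thread, here is what the quoted NSS-LDAP plus idmap_ldap setup for a domain member server looks like in smb.conf. This is an added illustration, not configuration from the original thread; it uses Samba 3.0-era parameter names, and the host name, DNs and id ranges are made-up placeholders.

```ini
# Added illustration of the setup discussed in the thread; not from the
# original message. Samba 3.0-era parameter names; host names, DNs and
# ranges are placeholders.
#
# Every server that allocates idmap entries must use the same
# "ldap idmap suffix" AND the same idmap uid/gid range. If each member
# server allocated from its own range, two servers could give one SID
# different uids, which is the duplicate-id problem raised in the reply.
# With NSS-LDAP holding the POSIX accounts, the directory uid/gid is the
# authoritative value and idmap only records the SID-to-id link.

[global]
    workgroup = EXAMPLE
    security = domain                 ; domain member server (DMS)

    ; same LDAP directory the PDC/BDCs use for accounts
    passdb backend = ldapsam:ldap://ldap.example.com
    ldap suffix = dc=example,dc=com
    ldap user suffix = ou=People
    ldap group suffix = ou=Groups
    ldap machine suffix = ou=Computers
    ldap ssl = start tls

    ; DN with write access to the idmap container; its password is
    ; stored in secrets.tdb with: smbpasswd -w <secret>
    ldap admin dn = cn=samba,ou=DSA,dc=example,dc=com

    ; SID <-> uid/gid mappings written to the shared idmap container
    idmap backend = ldap:ldap://ldap.example.com
    ldap idmap suffix = ou=Idmap
    idmap uid = 10000-19999           ; identical on every server
    idmap gid = 10000-19999
    winbind use default domain = yes

# /etc/nsswitch.conf on every host: NSS-LDAP answers first so a user gets
# the same uid/gid everywhere; winbind only fills in SIDs that have no
# POSIX account in the directory.
#   passwd: files ldap winbind
#   group:  files ldap winbind
```

After `testparm` accepts the file and the admin password is stored, `getent passwd <user>` on a DC and on the member server should return the same uid; if they differ, the idmap suffix or range is not actually shared.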