> -----Original Message-----
> From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org]
> On Behalf Of Javier Conti
> Sent: Wednesday, March 09, 2011 4:28 PM
> To: TAKAHASHI Motonobu
> Cc: samba@lists.samba.org; Mike Auleta
> Subject: Re: [Samba] Winbind & user ID's on multiple servers
>
> On Mar 10, 2011 12:16 AM, "TAKAHASHI Motonobu" <mo...@monyo.com> wrote:
> >
> > 2011/3/10 Javier Conti <javier.co...@gmail.com>:
> > > On 9 March 2011 20:13, Mike Auleta <michael_aul...@condenast.com> wrote:
> > >> We're looking at setting up Linux Authentication to our AD servers using
> > >> winbind and need to know if there is a way to keep all the user IDs in
> > >> sync across the Linux servers. The way I see it now, the user ID is
> > >> assigned numerically depending on the order users log in to a server.
> > >> Could make for issues if NFS mounted directories are involved.
> > >
> > > Hi, I'm using AD 2008 R2 as PDC, and have been successful using the
> > > following configuration in /etc/samba/smb.conf on the client:
> > >
> > > [global]
> > (snip)
> > > idmap backend = ad
> > > idmap config MYDOMAIN : backend = ad
> > > idmap config MYDOMAIN : range = 10000 - 20000
> > > idmap config MYDOMAIN : schema_mode = rfc2307
> > > winbind nss info = rfc2307
> > >
> > > Since this configuration uses the POSIX attributes found in the
> > > rfc2307 schema, I have the uidNumber attribute of users and the
> > > gidNumber attribute of groups populated with the IDs used in Unix (and
> > > in the range between 10000 and 20000).
> >
> > "idmap backend" should be a "writeable" backend such as tdb or ldap.
>
> If someone manages users and groups on the AD, thus assigning uidNumbers and
> gidNumbers on it, is it still necessary (or a real advantage) for the idmap
> backend to be writeable?
>
> Just wondering... Javier
>
> > Anyway, to synchronize UIDs, you can also use "rid" or "ldap" instead of "ad".
> > If you simply want to sync UIDs, "rid" is a better choice, I think.
> > For example:
> >
> > idmap config DOMAIN:range = 1000000 - 1999999
> > idmap config DOMAIN:base_rid = 0
> > idmap config DOMAIN:backend = rid
> >
> > Please refer to the manpages for the details.
This is why, if you have a single domain and no weird setup, RID mapping is best. You get consistent mapping across all domain member servers and it's easy to port stuff around. I messed around with the other stuff and SFU, but RID is the easiest by far.

-=Andrew

--
To unsubscribe from this list go to the following URL and read the instructions:
https://lists.samba.org/mailman/options/samba
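As an added illustration of the point Motonobu and Andrew make (example code written for this page, not code from the thread or from Samba): the rid backend derives the Unix ID arithmetically from the RID, so every member server configured with the same `range` and `base_rid` computes the same ID, while an allocating backend such as tdb hands out the next free ID to whichever SID it sees first, which is exactly the login-order drift Mike is worried about for NFS-mounted home directories. The formula ID = RID - BASE_RID + LOW_RANGE_ID is the one documented in idmap_rid(8); the domain SID, the RIDs, and the two login orders are constructed sample data, and the tdb simulation is a simplified model of first-come allocation.

```python
"""Simulate two Samba idmap backends to show why "rid" yields the same
Unix IDs on every domain member while an allocating backend drifts.

Added example for this thread; not code from the thread or from Samba.
The SIDs, RIDs and login orders below are constructed sample data.
"""
import re

# Constructed domain SID and three directory objects; the last number is the RID.
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"
SAMPLE_SIDS = {
    "alice": DOMAIN_SID + "-1105",
    "bob": DOMAIN_SID + "-1106",
    "devs": DOMAIN_SID + "-1201",
}

# The smb.conf settings quoted in the thread: range = 1000000 - 1999999, base_rid = 0
RID_RANGE = (1000000, 1999999)
BASE_RID = 0

_SID_RE = re.compile(r"^S-1-5-21(?:-\d+){3}-(\d+)$")


def rid_of(sid: str) -> int:
    """Return the RID (last sub-authority) of a domain SID."""
    m = _SID_RE.match(sid)
    if m is None:
        raise ValueError(f"not a domain SID: {sid!r}")
    return int(m.group(1))


def rid_backend(sid: str, id_range=RID_RANGE, base_rid=BASE_RID):
    """idmap_rid algorithm: ID = RID - BASE_RID + LOW_RANGE_ID.

    Returns None when the result falls outside the configured range; a real
    winbind then reports the SID as unmapped rather than inventing an ID.
    """
    low, high = id_range
    unix_id = rid_of(sid) - base_rid + low
    if unix_id < low or unix_id > high:
        return None
    return unix_id


class TdbBackend:
    """Simplified allocating backend: the first SID seen on *this* server
    gets the next free ID, so the result depends on login order."""

    def __init__(self, id_range=RID_RANGE):
        self.low, self.high = id_range
        self.next_id = self.low
        self.table = {}

    def lookup(self, sid: str) -> int:
        if sid not in self.table:
            if self.next_id > self.high:
                raise RuntimeError("idmap range exhausted")
            self.table[sid] = self.next_id
            self.next_id += 1
        return self.table[sid]


def ids_on_server(backend: str, login_order):
    """Map each name in the order it first hits this server."""
    if backend == "rid":
        return {name: rid_backend(SAMPLE_SIDS[name]) for name in login_order}
    tdb = TdbBackend()
    return {name: tdb.lookup(SAMPLE_SIDS[name]) for name in login_order}


def compare_servers(backend: str, order_a, order_b):
    """Return the names whose Unix ID differs between two member servers."""
    ids_a = ids_on_server(backend, order_a)
    ids_b = ids_on_server(backend, order_b)
    return sorted(name for name in ids_a if ids_a[name] != ids_b[name])


if __name__ == "__main__":
    order_a = ["alice", "bob", "devs"]  # member server 1: alice logged in first
    order_b = ["bob", "alice", "devs"]  # member server 2: bob logged in first
    for backend in ("rid", "tdb"):
        print(backend, ids_on_server(backend, order_a), ids_on_server(backend, order_b),
              "mismatch:", compare_servers(backend, order_a, order_b))
    # With the narrower 10000-20000 range from earlier in the thread, RID 1105
    # maps to 11105, but any RID above 10000 would fall outside the range and
    # stay unmapped, so the range must be sized for the domain's highest RID.
    print(rid_backend(SAMPLE_SIDS["alice"], (10000, 20000)))
```

The rid run produces identical tables on both servers; the tdb run gives alice and bob swapped IDs because each server allocated in its own login order, which is the mismatch that bites on shared NFS exports. The out-of-range check is the caveat to keep in mind when copying a narrow `range` from an rfc2307 setup to a rid setup.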