This addressed exactly what I was trying to accomplish. RID mapping is your friend for this.
-----Original Message-----
From: Andrew Masterson [mailto:andrew.master...@nuvistaenergy.com]
Sent: Thursday, March 10, 2011 1:54 PM
To: Javier Conti
Cc: samba@lists.samba.org; Auleta, Michael
Subject: RE: [Samba] Winbind & user ID's on multiple servers

> -----Original Message-----
> From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org]
> On Behalf Of Javier Conti
> Sent: Wednesday, March 09, 2011 4:28 PM
> To: TAKAHASHI Motonobu
> Cc: samba@lists.samba.org; Mike Auleta
> Subject: Re: [Samba] Winbind & user ID's on multiple servers
>
> On Mar 10, 2011 12:16 AM, "TAKAHASHI Motonobu" <mo...@monyo.com> wrote:
> >
> > 2011/3/10 Javier Conti <javier.co...@gmail.com>:
> > > On 9 March 2011 20:13, Mike Auleta <michael_aul...@condenast.com> wrote:
> > >> We're looking at setting up Linux authentication to our AD servers using
> > >> winbind and need to know if there is a way to keep all the user IDs in
> > >> sync across the Linux servers. The way I see it now, the user ID is
> > >> assigned numerically depending on the order users log in to a server.
> > >> Could make for issues if NFS mounted directories are involved.
> > >
> > > Hi, I'm using AD 2008 R2 as PDC, and have been successful using the
> > > following configuration in /etc/samba/smb.conf on the client:
> > >
> > > [global]
> > (snip)
> > > idmap backend = ad
> > > idmap config MYDOMAIN : backend = ad
> > > idmap config MYDOMAIN : range = 10000 - 20000
> > > idmap config MYDOMAIN : schema_mode = rfc2307
> > > winbind nss info = rfc2307
> > >
> > > Since this configuration uses the POSIX attributes found in the
> > > rfc2307 schema, I have the uidNumber attribute of users and the
> > > gidNumber attribute of groups populated with the IDs used in Unix (and
> > > in the range between 10000 and 20000).
> >
> > "idmap backend" should be a "writeable" backend such as tdb or ldap.
>
> If someone manages users and groups on the AD, thus assigning uidNumbers and
> gidNumbers on it, is it still necessary (or a real advantage) for the idmap
> backend to be writeable?
>
> Just wondering...
>
> Javier
>
> > Anyway, to synchronize UIDs, you can also use "rid" or "ldap" instead of
> > "ad".
> > If you simply want to sync UIDs, "rid" is a better choice, I think.
> > For example:
> >
> > idmap config DOMAIN:range = 1000000 - 1999999
> > idmap config DOMAIN:base_rid = 0
> > idmap config DOMAIN:backend = rid
> >
> > Please refer to the manpages for the details.

This is why, if you have a single domain and no weird setup, RID mapping is best. You get consistent mapping across all domain member servers and it's easy to port stuff around. I messed around with the other stuff and SFU, but RID is the easiest by far.

-=Andrew
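The point the thread converges on is that an allocating backend (tdb) hands out UIDs in first-seen order on each host, whereas the rid backend computes the UID arithmetically from the SID, so every member server with the same smb.conf agrees. The following is an added worked example, not code from the thread or from the Samba project: it implements the idmap_rid formula from idmap_rid(8) (ID = RID - BASE_RID + LOW_RANGE_ID) with the range check, models the ad backend's range check on uidNumber, and models a first-come-first-served tdb allocator to show the divergence. The SIDs, the login orders and the TdbAllocator class are constructed for illustration.

```python
import re

# Constructed configuration, mirroring the two smb.conf fragments in the thread.
IDMAP_CONFIG = {
    "DOMAIN":   {"backend": "rid", "range": (1000000, 1999999), "base_rid": 0},
    "MYDOMAIN": {"backend": "ad",  "range": (10000, 20000)},
}

# Domain SID (S-1-5-21-<three sub-authorities>) followed by the RID.
DOMAIN_SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+-(\d+)$")


def rid_of(sid: str) -> int:
    """Return the relative identifier (last sub-authority) of a domain SID."""
    m = DOMAIN_SID_RE.match(sid)
    if not m:
        raise ValueError(f"not a domain SID: {sid}")
    return int(m.group(1))


def rid_backend_id(sid: str, domain: str = "DOMAIN", config=IDMAP_CONFIG):
    """idmap_rid mapping: ID = RID - BASE_RID + LOW_RANGE_ID.
    Returns None when the result falls outside the configured range,
    which is when winbind reports the SID as unmapped."""
    cfg = config[domain]
    low, high = cfg["range"]
    unix_id = rid_of(sid) - cfg["base_rid"] + low
    return unix_id if low <= unix_id <= high else None


def ad_backend_id(uid_number, domain: str = "MYDOMAIN", config=IDMAP_CONFIG):
    """idmap_ad mapping: the uidNumber/gidNumber stored in AD is used as-is,
    but only if it lies inside the configured range; otherwise unmapped."""
    low, high = config[domain]["range"]
    if uid_number is None:
        return None          # attribute not populated on the AD object
    return uid_number if low <= uid_number <= high else None


class TdbAllocator:
    """Constructed model of an allocating backend such as idmap_tdb: the ID a
    SID gets depends on the order in which SIDs are first seen on this host."""

    def __init__(self, low: int, high: int):
        self.next_id, self.high, self.table = low, high, {}

    def sid_to_id(self, sid: str):
        if sid not in self.table:
            if self.next_id > self.high:
                return None  # range exhausted
            self.table[sid] = self.next_id
            self.next_id += 1
        return self.table[sid]


# Constructed sample: the same three users first seen in a different order on
# two member servers (different people logged in first on each box).
USERS = [
    "S-1-5-21-1111-2222-3333-1104",
    "S-1-5-21-1111-2222-3333-1105",
    "S-1-5-21-1111-2222-3333-1106",
]
HOST_A_LOGIN_ORDER = USERS
HOST_B_LOGIN_ORDER = list(reversed(USERS))


def compare_hosts(domain: str = "DOMAIN"):
    """Map every user on two hosts with both backends; return {sid: {backend: (uid_a, uid_b)}}."""
    low, high = IDMAP_CONFIG[domain]["range"]
    tdb_a, tdb_b = TdbAllocator(low, high), TdbAllocator(low, high)
    for sid in HOST_A_LOGIN_ORDER:
        tdb_a.sid_to_id(sid)
    for sid in HOST_B_LOGIN_ORDER:
        tdb_b.sid_to_id(sid)
    return {
        sid: {
            "rid": (rid_backend_id(sid, domain), rid_backend_id(sid, domain)),
            "tdb": (tdb_a.sid_to_id(sid), tdb_b.sid_to_id(sid)),
        }
        for sid in USERS
    }


def consistent(report, backend: str) -> bool:
    """True if every user received the same UID on both hosts under `backend`."""
    return all(a == b for a, b in (r[backend] for r in report.values()))


if __name__ == "__main__":
    rep = compare_hosts()
    for sid, r in rep.items():
        print(sid, "rid:", r["rid"], "tdb:", r["tdb"])
    print("rid consistent:", consistent(rep, "rid"), " tdb consistent:", consistent(rep, "tdb"))
```

The range check matters in practice: with the thread's 1000000-1999999 range and base_rid 0, any RID above 999999 maps outside the range and the account simply fails to resolve, and with the ad backend a uidNumber set to, say, 5000 while the range is 10000-20000 is likewise ignored. On a real member server the equivalent checks are `wbinfo --sid-to-uid <SID>` and `getent passwd 'DOMAIN\user'` run on two hosts and compared.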