On 04/08/12 09:39, NdK wrote:
On 03/08/2012 16:21, steve wrote:

That's quite easy in Samba3 but which tdb's must I remove in Samba4? In
fact, how would I rejoin the DC to itself?
You shouldn't use DCs for anything else other than DC. No file server.
No gateway. *Nothing*. They're a critical piece of your network
infrastructure and must be as closed as possible.

Hi Diego. Hi everyone
I'd like to have a separate fileserver running s3fs on another Samba4 installation. Could I do that by installing Samba4 and joining the domain as a member rather than a DC?

The NFS server doesn't care about Samba at all: it receives UIDs and
GIDs and stores 'em as given. No mapping happens here.

Yep. Got that bit

What makes me think you have a *big* misunderstanding about what winbind
mapping does is this sentence from another message:
If winbind is doing the mapping correctly it should map 3000027 to
3000002

Yes, I did misunderstand that. I've now adjusted my brain to match:-)


No. Winbind maps back and forth between user *names* (and groups) and
*UIDs* (and GIDs), not between server UIDs and local GIDs! It doesn't
know if a UID is local or from a server.

So, that means that (given no other kind of access to the NFS server is
allowed) it's enough that all your *clients* use the same mapping
between SIDs and UIDs/GIDs and you're OK. If not, you have a big problem.

You have many ways to obtain that "same mapping" objective. I chose to
use rid 'cause I couldn't modify my AD schema. But the preferred way is
to extend the AD schema and specify there the UIDs and GIDs.

You don't have to extend the schema. You can store all the rfc2307 attributes and objects (posixAccount, posixGroup, uidNumber, gidNumber...) in the m$ schema that ships with S4.


Hope this helps to clarify.

Yes it does. Thank you.

My aim is to have:
idmap config : MYDOMAIN : backend = ad
and
idmap config : MYDOMAIN : range = abc-def

recognised and with the uidNumber and gidNumber attributes being pulled from AD rather than any other mapping. To this end I have a test user object with:
objectClass: posixAccount
uidNumber: xyz
gidNumber: abc

and a test group object:

objectClass: posixGroup
gidNumber: abc

I assume that with the ad backend both the user and group will come from AD and not idmap.

Just waiting for the test lan to install and compile a totally new openSUSE 12.1 with Samba4 and a vBox openSUSE client, also fresh install.

How am I doing?
Cheers,
Steve
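
The point made in this thread, that every client must derive the same UID from the same SID or file ownership on the NFS export stops matching, shown as an added example that is not part of the original messages. The domain SID, RIDs, uidNumbers and range are constructed values, and `AllocatingMap` is a simplified model of an allocating backend, not Samba's code; `rid_map` follows the documented idmap_rid formula and `ad_map` the documented range filter of idmap_ad.

```python
# Added illustration: models of three winbind idmap strategies on two NFS clients.
# The domain SID, RIDs, uidNumbers and ranges below are constructed sample values.
DOM = "S-1-5-21-1111111111-2222222222-3333333333"
ALICE, BOB = f"{DOM}-1104", f"{DOM}-1105"
LOW, HIGH = 10000, 19999


def rid_map(sid, low=LOW, high=HIGH, base_rid=0):
    """idmap_rid: ID = RID - BASE_RID + LOW_RANGE_ID, unmapped if out of range."""
    uid = int(sid.rsplit("-", 1)[1]) - base_rid + low
    return uid if low <= uid <= high else None


def ad_map(sid, directory, low=LOW, high=HIGH):
    """idmap_ad: read uidNumber from the directory; the range acts as a filter."""
    uid = directory.get(sid)
    return uid if uid is not None and low <= uid <= high else None


class AllocatingMap:
    """Simplified allocating backend (tdb-like): next free ID on first lookup."""

    def __init__(self, low=LOW):
        self.next_id, self.table = low, {}

    def lookup(self, sid):
        if sid not in self.table:
            self.table[sid] = self.next_id
            self.next_id += 1
        return self.table[sid]


def uids_on_two_clients():
    """Return {strategy: (UID seen on client A, UID seen on client B)}."""
    directory = {ALICE: 10500, BOB: 30000}  # BOB's uidNumber is outside the range
    a, b = AllocatingMap(), AllocatingMap()
    a.lookup(ALICE)   # client A sees alice first
    b.lookup(BOB)     # client B sees bob first, then alice
    return {
        "allocating": (a.lookup(ALICE), b.lookup(ALICE)),
        "rid": (rid_map(ALICE), rid_map(ALICE)),
        "ad": (ad_map(ALICE, directory), ad_map(ALICE, directory)),
        "ad_out_of_range": (ad_map(BOB, directory), ad_map(BOB, directory)),
    }


if __name__ == "__main__":
    for name, pair in uids_on_two_clients().items():
        print(f"{name:16} client A={pair[0]} client B={pair[1]}")
```

Only the allocating model gives alice different UIDs on the two clients; the out-of-range uidNumber is left unmapped by the ad model rather than falling back to another ID.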
