Re: [Samba] Samba4, multi-domain Forest and Unix ID mapping

2008-06-26 Thread Andrew Bartlett
On Fri, 2008-06-13 at 12:59 -0600, Trever L. Adams wrote:
 Well, Samba 4 so, if it has an internal (I think that has been
 abandoned, but not certain) then that, OpenLDAP or Fedora DS will be the
 backend. I am leaning toward Fedora DS, but I am not certain and will
 accept suggestions.

I'll look at the rest of the discussion later, but I want to assure you
that the 'internal' backend on Samba4 is still the primary focus.  The
LDAP backend experiment continues, and seems to work, but needs the help
and testing of interested users.

Questions about Samba4 can best be directed to the samba-technical list,
where I will notice them better.

Andrew Bartlett

-- 
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team   http://samba.org
Samba Developer, Red Hat Inc.


-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba

Re: [Samba] Samba4, multi-domain Forest and Unix ID mapping

2008-06-26 Thread Andrew Bartlett
On Wed, 2008-06-11 at 01:33 -0600, Trever L. Adams wrote:
 Good day,
 
 I wasn't sure whether this should go to the user list or the
 samba-technical list. I chose here based on the descriptions of the list.
 
 Forgive me if my understanding of the naming is inaccurate. It is my
 understanding that Samba3 (and I believe 4, as well) has a very powerful
 SID-UID mapping mechanism which will auto create the UID in a range.
 This is what I mean by Unix ID mapping.
 
 I have read that this as of yet won't work in a forest, even if the
 organization is only one organization. I am hoping this isn't true.

We can map any arbitrary SID to unix ID, in principle.

 I am beginning to look at Samba4 for future implementations within
 organizations I do work for. However, it appears I will need multiple
 domain in one forest functionality. Is this implemented or at least planned?

Samba4 is currently just a single domain, mostly because we have not
looked at what it would take to extend it. 

 If it is implemented/planned is it possible to do the automatic Unix ID
 mapping per above? If it is all one domain, is it possible to do this if
 all the domain controllers/active directory machines are Samba 4?
 Basically, can each domain have its own UID mapping setup and they will
 work in the forest IF, and ONLY IF, the UID mapping doesn't overlap? The
 exact mechanism my questions may bring into mind may be bad.

You could easily use a module like idmap_rid to automatically handle the
mappings, assuming certain limits in the ranges of SIDs expected to be
valid. 

 Here is the situation, explained in the context of an extended family
 network:
 
 Each family has its own domain (Windows and DNS), policies, etc. Each
 has its own file servers, mail domains (DNS), etc. Each may share file
 and printers with other families. This needs to work in Windows and Linux.
 
 However, here is the killer, root access to Linux machines is not shared
 across domains. Nor should Windows system/net/domain admin abilities.
 However, guests from other families (within the extended family) need to
 be able to view the shared files as well as login (without
 administrative privileges) on computers in the other domains (think
 visiting family).
 
 To do this, auto SID-UID maps are a must. Domains within the forest
 will start at 6 at least and grow from there. (This example isn't far
 from the kinds of things businesses and families ask me to do.)
 
 Is all of this possible, planned, or just out there?

We would need more help to understand your requirements, and figure out
the best way to implement them, and what assistance you will be able to
provide to get there.  It is best to discuss this on the samba-technical
list. 

Andrew Bartlett

-- 
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team   http://samba.org
Samba Developer, Red Hat Inc.



Re: [Samba] Samba4, multi-domain Forest and Unix ID mapping

2008-06-13 Thread Trever L. Adams

Charlie wrote:

When you say forest are you referring to a user authentication
database implementing multiple linked lists that do not share a common
root?
  
First, thank you for responding. I must also say I have been out of 
Windows land for some time. I last really messed with Windows Networking 
around NT 4.0. By Forest, I mean:
At the top of the structure is the Forest - the collection of every 
object, its attributes, and rules (attribute syntax) in the AD. The 
forest holds one or more transitive, trust-linked Trees. A tree holds 
one or more Domains and domain trees, again linked in a transitive trust 
hierarchy. Domains are identified by their DNS name structure, the 
namespace. 
(http://en.wikipedia.org/wiki/Active_Directory#Forests.2C_trees.2C_and_domains)


So, I am looking for something like:
family1.example.com (uids=1000.1999, for example)
family2.example.com (uids=2000.2999)
family3.example.com (uids=3000.3999)
family4.example.com (uids=4000.4999)
family5.example.com (uids=5000.5999)
family6.example.com (uids=6000.6999)

Where each is a separate domain that trusts the other, and is within one 
forest/tree. Also, they must use something like idmap_ldap (or the 
equivalent) in Samba4 and that mapping must be valid and usable so that 
people in each domain can log in on boxes in the other domains as Linux 
and Windows users and share files and printers without uid collisions or 
other such problems. The only exception is root (uid=0) as each family 
may or may not want root to be shared. Again, I am using the family 
example as it fits even the business cases. I am hoping that Linux users 
can login doing something like windows ([EMAIL PROTECTED] or domain\user).

Samba 3 & 4 do indeed incorporate idmapping which works pretty much
as you describe.  The command syntax has grown a lot recently and has
not yet been fully documented, but I'd say it's quite powerful.  If
you can get your interdomain trusts set up right I think you can do
what you want, but it's probably going to be dependent on how well you
can control access to your directory backend.
  
Well, I once read that, at least at one point, idmap didn't work in this 
setup. I was wondering if it has changed (as I can no longer find the 
reference). Also, yes, these will all be Samba based domains (Active 
Directory style). All clients will likely be Vista Business or Ultimate.

You haven't specified what directory backend you are running...
Microsoft AD?  Novell eDirectory?  OpenLDAP?  Sun?  IBM?  Fedora DS?
There are lots...

--Charlie
  
Well, Samba 4 so, if it has an internal (I think that has been 
abandoned, but not certain) then that, OpenLDAP or Fedora DS will be the 
backend. I am leaning toward Fedora DS, but I am not certain and will 
accept suggestions.


I hope this corrects and clarifies my question enough that I can get an 
accurate response.


This is a forward looking query and I am only interested in Samba 4 as 
it must be Active Directory and Windows server free.


Thank you,
Trever Adams

On Wed, Jun 11, 2008 at 3:33 AM, Trever L. Adams [EMAIL PROTECTED] wrote:
  

Good day,

I wasn't sure whether this should go to the user list or the
samba-technical list. I chose here based on the descriptions of the list.

Forgive me if my understanding of the naming is inaccurate. It is my
understanding that Samba3 (and I believe 4, as well) has a very powerful
SID-UID mapping mechanism which will auto create the UID in a range.
This is what I mean by Unix ID mapping.

I have read that this as of yet won't work in a forest, even if the
organization is only one organization. I am hoping this isn't true.

I am beginning to look at Samba4 for future implementations within
organizations I do work for. However, it appears I will need multiple
domain in one forest functionality. Is this implemented or at least planned?

If it is implemented/planned is it possible to do the automatic Unix ID
mapping per above? If it is all one domain, is it possible to do this if
all the domain controllers/active directory machines are Samba 4?
Basically, can each domain have its own UID mapping setup and they will
work in the forest IF, and ONLY IF, the UID mapping doesn't overlap? The
exact mechanism my questions may bring into mind may be bad.

Here is the situation, explained in the context of an extended family
network:

Each family has its own domain (Windows and DNS), policies, etc. Each
has its own file servers, mail domains (DNS), etc. Each may share file
and printers with other families. This needs to work in Windows and Linux.

However, here is the killer, root access to Linux machines is not shared
across domains. Nor should Windows system/net/domain admin abilities.
However, guests from other families (within the extended family) need to
be able to view the shared files as well as login (without
administrative privileges) on computers in the other domains (think
visiting family).

To do this, auto SID-UID maps are a must. Domains within the 

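The per-domain UID ranges Trever sketches above (family1 at 1000-1999, family2 at 2000-2999, and so on) and the idmap_rid-style rule Andrew mentions earlier in the thread can be modelled in a few lines. The block below is an added illustration written for this page, not Samba's idmap code: it assumes the idmap_rid formula with a base RID of 0 (uid = range low + RID), and the domain SIDs and range table in it are constructed. It shows the three checks a practitioner would want: ranges must not overlap, a SID from a domain that is not in the trust map gets no uid at all, and a RID that falls outside its domain's range is rejected rather than silently colliding with a neighbour's range.

```python
"""
Toy model of idmap_rid-style SID <-> UID mapping across trusted domains,
each with its own non-overlapping UID range.  Added illustration for this
thread, not Samba code; the domain SIDs below are constructed values.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# Domain SID prefix plus RID, e.g. S-1-5-21-111-222-333-500
SID_RE = re.compile(r"^(S-1-5-21-\d+-\d+-\d+)-(\d+)$")


@dataclass(frozen=True)
class DomainRange:
    name: str        # DNS name of the domain
    domain_sid: str  # domain SID without the trailing RID (constructed below)
    low: int         # first UID of this domain's range
    high: int        # last UID of this domain's range (inclusive)


def check_ranges(domains: Iterable[DomainRange]) -> None:
    """Reject ranges that overlap each other or that could hand out uid 0."""
    ordered = sorted(domains, key=lambda d: d.low)
    for d in ordered:
        if d.low < 1 or d.low > d.high:
            raise ValueError(f"{d.name}: bad range {d.low}-{d.high}")
    for a, b in zip(ordered, ordered[1:]):
        if b.low <= a.high:
            raise ValueError(f"ranges overlap: {a.name} and {b.name}")


def split_sid(sid: str) -> Tuple[str, int]:
    """Split a user/group SID into (domain SID, RID)."""
    m = SID_RE.match(sid)
    if not m:
        raise ValueError(f"not a domain SID: {sid}")
    return m.group(1), int(m.group(2))


def sid_to_uid(sid: str, domains: List[DomainRange]) -> int:
    """idmap_rid rule with base RID 0: uid = range low + RID, bounded by range high."""
    domain_sid, rid = split_sid(sid)
    for d in domains:
        if d.domain_sid == domain_sid:
            uid = d.low + rid
            if uid > d.high:
                raise ValueError(f"{d.name}: RID {rid} does not fit in {d.low}-{d.high}")
            return uid
    # A SID from a domain missing from the trust map is never mapped:
    # no uid means no access as that identity on this box.
    raise LookupError(f"no trusted domain for {domain_sid}")


def uid_to_sid(uid: int, domains: List[DomainRange]) -> str:
    """Reverse mapping: find which domain's range holds the uid, recover the RID."""
    for d in domains:
        if d.low <= uid <= d.high:
            return f"{d.domain_sid}-{uid - d.low}"
    raise LookupError(f"uid {uid} belongs to no mapped domain")


# Constructed example forest: three family domains, one range each,
# using the range sizes from the thread.
DOMAINS = [
    DomainRange("family1.example.com", "S-1-5-21-111-222-333", 1000, 1999),
    DomainRange("family2.example.com", "S-1-5-21-444-555-666", 2000, 2999),
    DomainRange("family3.example.com", "S-1-5-21-777-888-999", 3000, 3999),
]
check_ranges(DOMAINS)


if __name__ == "__main__":
    # Administrator (RID 500) of family1 lands in family1's range...
    print(sid_to_uid("S-1-5-21-111-222-333-500", DOMAINS))   # 1500
    # ...and Domain Admins (RID 512) of family2 in family2's range.
    print(sid_to_uid("S-1-5-21-444-555-666-512", DOMAINS))   # 2512
    print(uid_to_sid(2512, DOMAINS))                           # S-1-5-21-444-555-666-512
    # A 1000-wide range cannot hold RIDs of 1000 and up, which is where
    # AD starts allocating RIDs for newly created users and groups.
    try:
        sid_to_uid("S-1-5-21-111-222-333-1105", DOMAINS)
    except ValueError as e:
        print("rejected:", e)
```

The last case is the caveat behind Andrew's "assuming certain limits in the ranges of SIDs expected to be valid": ordinary accounts in an AD-style domain receive RIDs from 1000 upward, so ranges only 1000 UIDs wide would reject every regular user, and the ranges in a real deployment have to be sized for the largest RID each domain will ever allocate. Keeping every range above uid 0 is what preserves the thread's requirement that root is never shared by the mapping.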
Re: [Samba] Samba4, multi-domain Forest and Unix ID mapping

2008-06-12 Thread Charlie
When you say forest are you referring to a user authentication
database implementing multiple linked lists that do not share a common
root?

Cause I don't know of any reason you'd have trouble running samba in
the woods.  It's heavily wooded around my house and the timber never
causes any problems.  The local Ents are all OK with samba.

Samba 3 & 4 do indeed incorporate idmapping which works pretty much
as you describe.  The command syntax has grown a lot recently and has
not yet been fully documented, but I'd say it's quite powerful.  If
you can get your interdomain trusts set up right I think you can do
what you want, but it's probably going to be dependent on how well you
can control access to your directory backend.

You haven't specified what directory backend you are running...
Microsoft AD?  Novell eDirectory?  OpenLDAP?  Sun?  IBM?  Fedora DS?
There are lots...

--Charlie

On Wed, Jun 11, 2008 at 3:33 AM, Trever L. Adams [EMAIL PROTECTED] wrote:
 Good day,

 I wasn't sure whether this should go to the user list or the
 samba-technical list. I chose here based on the descriptions of the list.

 Forgive me if my understanding of the naming is inaccurate. It is my
 understanding that Samba3 (and I believe 4, as well) has a very powerful
 SID-UID mapping mechanism which will auto create the UID in a range.
 This is what I mean by Unix ID mapping.

 I have read that this as of yet won't work in a forest, even if the
 organization is only one organization. I am hoping this isn't true.

 I am beginning to look at Samba4 for future implementations within
 organizations I do work for. However, it appears I will need multiple
 domain in one forest functionality. Is this implemented or at least planned?

 If it is implemented/planned is it possible to do the automatic Unix ID
 mapping per above? If it is all one domain, is it possible to do this if
 all the domain controllers/active directory machines are Samba 4?
 Basically, can each domain have its own UID mapping setup and they will
 work in the forest IF, and ONLY IF, the UID mapping doesn't overlap? The
 exact mechanism my questions may bring into mind may be bad.

 Here is the situation, explained in the context of an extended family
 network:

 Each family has its own domain (Windows and DNS), policies, etc. Each
 has its own file servers, mail domains (DNS), etc. Each may share file
 and printers with other families. This needs to work in Windows and Linux.

 However, here is the killer, root access to Linux machines is not shared
 across domains. Nor should Windows system/net/domain admin abilities.
 However, guests from other families (within the extended family) need to
 be able to view the shared files as well as login (without
 administrative privileges) on computers in the other domains (think
 visiting family).

 To do this, auto SID-UID maps are a must. Domains within the forest
 will start at 6 at least and grow from there. (This example isn't far
 from the kinds of things businesses and families ask me to do.)

 Is all of this possible, planned, or just out there?

 Thank you,
 Trever Adams

 P.S. Please, reply directly as well as to the list as I am not on the
 list and only keep up from time to time.






[Samba] Samba4, multi-domain Forest and Unix ID mapping

2008-06-11 Thread Trever L. Adams

Good day,

I wasn't sure whether this should go to the user list or the
samba-technical list. I chose here based on the descriptions of the list.

Forgive me if my understanding of the naming is inaccurate. It is my
understanding that Samba3 (and I believe 4, as well) has a very powerful
SID-UID mapping mechanism which will auto create the UID in a range.
This is what I mean by Unix ID mapping.

I have read that this as of yet won't work in a forest, even if the
organization is only one organization. I am hoping this isn't true.

I am beginning to look at Samba4 for future implementations within
organizations I do work for. However, it appears I will need multiple
domain in one forest functionality. Is this implemented or at least planned?

If it is implemented/planned is it possible to do the automatic Unix ID
mapping per above? If it is all one domain, is it possible to do this if
all the domain controllers/active directory machines are Samba 4?
Basically, can each domain have its own UID mapping setup and they will
work in the forest IF, and ONLY IF, the UID mapping doesn't overlap? The
exact mechanism my questions may bring into mind may be bad.

Here is the situation, explained in the context of an extended family
network:

Each family has its own domain (Windows and DNS), policies, etc. Each
has its own file servers, mail domains (DNS), etc. Each may share file
and printers with other families. This needs to work in Windows and Linux.

However, here is the killer, root access to Linux machines is not shared
across domains. Nor should Windows system/net/domain admin abilities.
However, guests from other families (within the extended family) need to
be able to view the shared files as well as login (without
administrative privileges) on computers in the other domains (think
visiting family).

To do this, auto SID-UID maps are a must. Domains within the forest
will start at 6 at least and grow from there. (This example isn't far
from the kinds of things businesses and families ask me to do.)

Is all of this possible, planned, or just out there?

Thank you,
Trever Adams

P.S. Please, reply directly as well as to the list as I am not on the
list and only keep up from time to time.




