Re: [Samba] Winbind user ID's on multiple servers
-----Original Message-----
From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On Behalf Of Javier Conti
Sent: Wednesday, March 09, 2011 4:28 PM
To: TAKAHASHI Motonobu
Cc: samba@lists.samba.org; Mike Auleta
Subject: Re: [Samba] Winbind user ID's on multiple servers

On Mar 10, 2011 12:16 AM, TAKAHASHI Motonobu mo...@monyo.com wrote:
> 2011/3/10 Javier Conti javier.co...@gmail.com:
>> On 9 March 2011 20:13, Mike Auleta michael_aul...@condenast.com wrote:
>>> We're looking at setting up Linux Authentication to our AD servers using winbind and need to know if there is a way to keep all the user IDs in sync across the Linux servers. The way I see it now, the user ID is assigned numerically depending on the order users log in to a server. Could make for issues if NFS mounted directories are involved.
>>
>> Hi,
>>
>> I'm using AD 2008 R2 as PDC, and have been successful using the following configuration in /etc/samba/smb.conf on the client:
>>
>> [global]
>> (snip)
>> idmap backend = ad
>> idmap config MYDOMAIN : backend = ad
>> idmap config MYDOMAIN : range = 1 - 2
>> idmap config MYDOMAIN : schema_mode = rfc2307
>> winbind nss info = rfc2307
>>
>> Since this configuration uses the Posix attributes found in the rfc2307 schema, I have the uidNumber attribute of users and the gidNumber attribute of groups populated with the IDs used in Unix (and in the range between 1 and 2).
>
> idmap backend should be a writeable backend such as tdb or ldap.

If someone manages users and groups on the AD, thus assigning uidNumbers and gidNumbers on it, is it still necessary (or a real advantage) for the idmap backend to be writeable? Just wondering...

Javier

> Anyway, to synchronize UID, you can also use rid or ldap instead of ad. If you simply want to sync UIDs, rid is a better choice, I think.
>
> For example:
>
> idmap config DOMAIN:range = 100 - 199
> idmap config DOMAIN:base_rid = 0
> idmap config DOMAIN:backend = rid
>
> Please refer to the manpages for details.

This is why, if you have a single domain and no weird setup, RID mapping is best. You get consistent mapping across all domain member servers and it's easy to port stuff around. I messed around with the other stuff and SFU, but RID is the easiest by far.

-=Andrew

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] Winbind user ID's on multiple servers
This addressed exactly what I was trying to accomplish. Rid mapping is your friend for this.

-----Original Message-----
From: Andrew Masterson [mailto:andrew.master...@nuvistaenergy.com]
Sent: Thursday, March 10, 2011 1:54 PM
To: Javier Conti
Cc: samba@lists.samba.org; Auleta, Michael
Subject: RE: [Samba] Winbind user ID's on multiple servers

-----Original Message-----
From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On Behalf Of Javier Conti
Sent: Wednesday, March 09, 2011 4:28 PM
To: TAKAHASHI Motonobu
Cc: samba@lists.samba.org; Mike Auleta
Subject: Re: [Samba] Winbind user ID's on multiple servers

On Mar 10, 2011 12:16 AM, TAKAHASHI Motonobu mo...@monyo.com wrote:
> 2011/3/10 Javier Conti javier.co...@gmail.com:
>> On 9 March 2011 20:13, Mike Auleta michael_aul...@condenast.com wrote:
>>> We're looking at setting up Linux Authentication to our AD servers using winbind and need to know if there is a way to keep all the user IDs in sync across the Linux servers. The way I see it now, the user ID is assigned numerically depending on the order users log in to a server. Could make for issues if NFS mounted directories are involved.
>>
>> Hi,
>>
>> I'm using AD 2008 R2 as PDC, and have been successful using the following configuration in /etc/samba/smb.conf on the client:
>>
>> [global]
>> (snip)
>> idmap backend = ad
>> idmap config MYDOMAIN : backend = ad
>> idmap config MYDOMAIN : range = 1 - 2
>> idmap config MYDOMAIN : schema_mode = rfc2307
>> winbind nss info = rfc2307
>>
>> Since this configuration uses the Posix attributes found in the rfc2307 schema, I have the uidNumber attribute of users and the gidNumber attribute of groups populated with the IDs used in Unix (and in the range between 1 and 2).
>
> idmap backend should be a writeable backend such as tdb or ldap.

If someone manages users and groups on the AD, thus assigning uidNumbers and gidNumbers on it, is it still necessary (or a real advantage) for the idmap backend to be writeable? Just wondering...

Javier

> Anyway, to synchronize UID, you can also use rid or ldap instead of ad. If you simply want to sync UIDs, rid is a better choice, I think.
>
> For example:
>
> idmap config DOMAIN:range = 100 - 199
> idmap config DOMAIN:base_rid = 0
> idmap config DOMAIN:backend = rid
>
> Please refer to the manpages for details.

This is why, if you have a single domain and no weird setup, RID mapping is best. You get consistent mapping across all domain member servers and it's easy to port stuff around. I messed around with the other stuff and SFU, but RID is the easiest by far.

-=Andrew
[Samba] Winbind user ID's on multiple servers
We're looking at setting up Linux Authentication to our AD servers using winbind and need to know if there is a way to keep all the user IDs in sync across the Linux servers. The way I see it now, the user ID is assigned numerically depending on the order users log in to a server. Could make for issues if NFS mounted directories are involved.

Thanks - Mike
Re: [Samba] Winbind user ID's on multiple servers
On 9 March 2011 20:13, Mike Auleta michael_aul...@condenast.com wrote:
> We're looking at setting up Linux Authentication to our AD servers using winbind and need to know if there is a way to keep all the user IDs in sync across the Linux servers. The way I see it now, the user ID is assigned numerically depending on the order users log in to a server. Could make for issues if NFS mounted directories are involved.

Hi,

I'm using AD 2008 R2 as PDC, and have been successful using the following configuration in /etc/samba/smb.conf on the client:

[global]
workgroup = MYDOMAIN
realm = DNSDOMAIN
security = ADS
idmap backend = ad
idmap config MYDOMAIN : backend = ad
idmap config MYDOMAIN : range = 1 - 2
idmap config MYDOMAIN : schema_mode = rfc2307
winbind nss info = rfc2307

Since this configuration uses the Posix attributes found in the rfc2307 schema, I have the uidNumber attribute of users and the gidNumber attribute of groups populated with the IDs used in Unix (and in the range between 1 and 2).

Hope this helps,
Javier

> Thanks - Mike
Re: [Samba] Winbind user ID's on multiple servers
2011/3/10 Javier Conti javier.co...@gmail.com:
> On 9 March 2011 20:13, Mike Auleta michael_aul...@condenast.com wrote:
>> We're looking at setting up Linux Authentication to our AD servers using winbind and need to know if there is a way to keep all the user IDs in sync across the Linux servers. The way I see it now, the user ID is assigned numerically depending on the order users log in to a server. Could make for issues if NFS mounted directories are involved.
>
> Hi,
>
> I'm using AD 2008 R2 as PDC, and have been successful using the following configuration in /etc/samba/smb.conf on the client:
>
> [global]
> (snip)
> idmap backend = ad
> idmap config MYDOMAIN : backend = ad
> idmap config MYDOMAIN : range = 1 - 2
> idmap config MYDOMAIN : schema_mode = rfc2307
> winbind nss info = rfc2307
>
> Since this configuration uses the Posix attributes found in the rfc2307 schema, I have the uidNumber attribute of users and the gidNumber attribute of groups populated with the IDs used in Unix (and in the range between 1 and 2).

idmap backend should be a writeable backend such as tdb or ldap.

Anyway, to synchronize UID, you can also use rid or ldap instead of ad. If you simply want to sync UIDs, rid is a better choice, I think.

For example:

idmap config DOMAIN:range = 100 - 199
idmap config DOMAIN:base_rid = 0
idmap config DOMAIN:backend = rid

Please refer to the manpages for details.

---
TAKAHASHI Motonobu mo...@monyo.com
Re: [Samba] Winbind user ID's on multiple servers
On Mar 10, 2011 12:16 AM, TAKAHASHI Motonobu mo...@monyo.com wrote:
> 2011/3/10 Javier Conti javier.co...@gmail.com:
>> On 9 March 2011 20:13, Mike Auleta michael_aul...@condenast.com wrote:
>>> We're looking at setting up Linux Authentication to our AD servers using winbind and need to know if there is a way to keep all the user IDs in sync across the Linux servers. The way I see it now, the user ID is assigned numerically depending on the order users log in to a server. Could make for issues if NFS mounted directories are involved.
>>
>> Hi,
>>
>> I'm using AD 2008 R2 as PDC, and have been successful using the following configuration in /etc/samba/smb.conf on the client:
>>
>> [global]
>> (snip)
>> idmap backend = ad
>> idmap config MYDOMAIN : backend = ad
>> idmap config MYDOMAIN : range = 1 - 2
>> idmap config MYDOMAIN : schema_mode = rfc2307
>> winbind nss info = rfc2307
>>
>> Since this configuration uses the Posix attributes found in the rfc2307 schema, I have the uidNumber attribute of users and the gidNumber attribute of groups populated with the IDs used in Unix (and in the range between 1 and 2).
>
> idmap backend should be a writeable backend such as tdb or ldap.

If someone manages users and groups on the AD, thus assigning uidNumbers and gidNumbers on it, is it still necessary (or a real advantage) for the idmap backend to be writeable? Just wondering...

Javier

> Anyway, to synchronize UID, you can also use rid or ldap instead of ad. If you simply want to sync UIDs, rid is a better choice, I think.
>
> For example:
>
> idmap config DOMAIN:range = 100 - 199
> idmap config DOMAIN:base_rid = 0
> idmap config DOMAIN:backend = rid
>
> Please refer to the manpages for details.
>
> ---
> TAKAHASHI Motonobu mo...@monyo.com
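
An added example (not part of any post in the thread) of why the rid backend gives every member server the same IDs: it applies the idmap_rid(8) formula ID = RID - BASE_RID + LOW_RANGE_ID and, beside it, models the login-order allocation described in the original question, which is what leaves NFS files owned by the wrong account. The domain SID, user RIDs, the 10000-19999 range and all function and class names are constructed for illustration.

```python
# Added illustration; SID, RIDs and range below are constructed values.
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"
USERS = {"alice": 1104, "bob": 1105, "carol": 1106}   # name -> RID
LOW, HIGH, BASE_RID = 10000, 19999, 0                 # assumed idmap range


def rid_to_unix_id(sid, low=LOW, high=HIGH, base_rid=BASE_RID):
    """idmap_rid(8) formula: ID = RID - BASE_RID + LOW_RANGE_ID.

    Returns None for a SID from another domain or when the result
    falls outside the configured range (such SIDs stay unmapped).
    """
    prefix, _, rid = sid.rpartition("-")
    if prefix != DOMAIN_SID or not rid.isdigit():
        return None
    unix_id = int(rid) - base_rid + low
    return unix_id if low <= unix_id <= high else None


class AllocatingIdmap:
    """Model of a local allocating backend: next free ID, first-seen order."""

    def __init__(self, low=LOW, high=HIGH):
        self.next_id, self.high, self.table = low, high, {}

    def lookup(self, sid):
        if sid not in self.table:
            if self.next_id > self.high:
                raise RuntimeError("idmap range exhausted")
            self.table[sid] = self.next_id
            self.next_id += 1
        return self.table[sid]


def uid_mismatches(login_order_a, login_order_b):
    """Return {user: (uid_on_a, uid_on_b)} for users whose UIDs differ."""
    def sid(user):
        return f"{DOMAIN_SID}-{USERS[user]}"
    a, b = AllocatingIdmap(), AllocatingIdmap()
    for user in login_order_a:
        a.lookup(sid(user))
    for user in login_order_b:
        b.lookup(sid(user))
    return {u: (a.lookup(sid(u)), b.lookup(sid(u)))
            for u in USERS if a.lookup(sid(u)) != b.lookup(sid(u))}


if __name__ == "__main__":
    print(uid_mismatches(["alice", "bob", "carol"], ["carol", "alice", "bob"]))
    print({u: rid_to_unix_id(f"{DOMAIN_SID}-{r}") for u, r in USERS.items()})
```

The rid result depends only on the SID and the three settings, so it is identical on every server as long as range and base_rid match in each smb.conf.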