Adams Samuel D Contr AFRL/HEDR
2006-May-24 15:57 UTC
[Samba] winbind + consistent uid & gid
I am trying to get our Linux boxes to authenticate against our AD domain. We have that part working just fine using Kerberos and winbind. The problem is when we use NFS on multiple machines. As you could guess, the UIDs and GIDs are not consistent across all of the machines. From what I have been reading on the internet, this seems to be a common problem, but all the solutions that I have found don't seem to work for me. Putting "idmap backend = idmap_rid:DOMNAME=1000-1000000" in the smb.conf file seemed promising, but it didn't work for me. Do you have any recommendations to get this to work? It is kind of critical to have a distributed file system. It is not an option to modify our AD servers.

Sam Adams
General Dynamics - Network Systems
Phone: 210.536.5945
You'll have to use ldap for storing the mapping

idmap backend = ldap:ldap://your.ldap.server

and use smbpasswd -w to store the password used to access the ldap server

Emmanuel

Le Mercredi 24 Mai 2006 17:48, Adams Samuel D Contr AFRL/HEDR a écrit :
> I am trying to get our Linux boxes to authenticate against our AD
> domain. We have that part working just fine using Kerberos and winbind.
> The problem is when we use NFS on multiple machines. As you could
> guess, the UIDs and GIDs are not consistent across all of the machines.
> From what I have been reading on the internet, this seems to be a common
> problem, but all the solutions that I have found don't seem to work for
> me. Putting "idmap backend = idmap_rid:DOMNAME=1000-1000000" in the
> smb.conf file seemed promising, but it didn't work for me. Do you have
> any recommendations to get this to work? It is kind of critical to have
> a distributed file system. It is not an option to modify our AD servers.
>
> Sam Adams
> General Dynamics - Network Systems
> Phone: 210.536.5945
Adams Samuel D Contr AFRL/HEDR
2006-May-31 15:06 UTC
[Samba] winbind + consistent uid & gid
It looks like this is what we want to do. We have more than one domain in our forest, but people should log in from only one domain to our Linux boxes. So it should still work, right?

"Winbind/NSS uses RID based IDMAP: The IDMAP_RID facility is new to Samba version 3.0.8. It was added to make life easier for a number of sites that are committed to use of MS ADS, that do not apply an ADS schema extension, and that do not have an installed LDAP directory server just for the purpose of maintaining an IDMAP table. If you have a single ADS domain (not a forest of domains, and not multiple domain trees) and you want a simple cookie-cutter solution to the IDMAP table problem, then IDMAP_RID is an obvious choice. This facility requires the allocation of the idmap uid and the idmap gid ranges, and within the idmap uid it is possible to allocate a subset of this range for automatic mapping of the relative identifier (RID) portion of the SID directly to the base of the UID plus the RID value. For example, if the idmap uid range is 1000-100000000 and the idmap backend idmap_rid:DOMAIN_NAME=1000-50000000, and a SID is encountered that has the value S-1-5-21-34567898-12529001-32973135-1234, the resulting UID will be 1000 + 1234 = 2234."

We are running samba 3.0.10 on our CentOS 4.2 boxes. I think we have the smb.conf file correct, but we are getting this message in our logs.

"
May 30 15:01:22 Cent01 winbindd[2861]: [2006/05/30 15:01:22, 0] sam/idmap.c:idmap_init(142)
May 30 15:01:22 Cent01 winbindd[2861]:   idmap_init: could not load remote backend 'idmap_rid'
May 30 15:01:22 Cent01 winbind: winbindd startup succeeded
"

According to the documentation on the samba.org website, this feature should be available since 3.0.8. My feeling is that Red Hat just didn't compile in the idmap_rid. Does the log seem to say that to you as well?
If that is the case, is it possible to add that library as some kind of RPM without having to compile samba from source, or is there an RPM that will work on CentOS 4.2 that has idmap_rid? We are going to do this on over 100 boxes, and want the process to be as simple as possible.

Sam Adams
General Dynamics - Network Systems
Phone: 210.536.5945

-----Original Message-----
From: samba-bounces+samuel.adams.ctr=brooks.af.mil@lists.samba.org [mailto:samba-bounces+samuel.adams.ctr=brooks.af.mil@lists.samba.org] On Behalf Of Michael Gasch
Sent: Tuesday, May 30, 2006 1:27 AM
To: Emmanuel Blindauer
Cc: samba@lists.samba.org
Subject: Re: [Samba] winbind + consistent uid & gid

> Putting "idmap backend = idmap_rid:DOMNAME=1000-1000000" in the
> smb.conf file seemed promising, but it didn't work for me.

that's not the only thing you have to do
please refer to the samba guide about how to set up idmap_rid correctly
it's working fine for me on several servers

greez

Emmanuel Blindauer wrote:
> You'll have to use ldap for storing the mapping
>
> idmap backend = ldap:ldap://your.ldap.server
>
> and use smbpasswd -w to store the password used to access the ldap server
>
> Emmanuel
>
> Le Mercredi 24 Mai 2006 17:48, Adams Samuel D Contr AFRL/HEDR a écrit :
>> I am trying to get our Linux boxes to authenticate against our AD
>> domain. We have that part working just fine using Kerberos and winbind.
>> The problem is when we use NFS on multiple machines. As you could
>> guess, the UIDs and GIDs are not consistent across all of the machines.
>> From what I have been reading on the internet, this seems to be a common
>> problem, but all the solutions that I have found don't seem to work for
>> me. Putting "idmap backend = idmap_rid:DOMNAME=1000-1000000" in the
>> smb.conf file seemed promising, but it didn't work for me. Do you have
>> any recommendations to get this to work? It is kind of critical to have
>> a distributed file system. It is not an option to modify our AD servers.
>>
>> Sam Adams
>> General Dynamics - Network Systems
>> Phone: 210.536.5945

--
Michael Gasch
Max Planck Institute for Evolutionary Anthropology
Department of Human Evolution (IT Staff)
Deutscher Platz 6
D-04103 Leipzig
Germany
Phone: 49 (0)341 - 3550 137
       49 (0)341 - 3550 374
Fax:   49 (0)341 - 3550 399

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
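To make the idmap_rid arithmetic quoted from the Samba guide concrete, here is an added worked example (not Samba's code, and not from anyone on the thread) that reproduces the "base UID + RID" mapping for the SID in the guide's example and adds the check a multi-domain forest needs: each domain's idmap_rid range must be disjoint, otherwise two accounts in different domains with the same RID would end up owning the same UID on every NFS host. Domain names and ranges below are assumed values.

```python
"""idmap_rid arithmetic: uid = range_base + RID, with range checks.

Illustrative reimplementation of the mapping the Samba guide describes;
it is not Samba's own idmap code. Domain names/ranges are assumed.
"""
import re

# Domain account SIDs look like S-1-5-21-<d1>-<d2>-<d3>-<RID>
SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+-(\d+)$")


def rid_from_sid(sid: str) -> int:
    """Return the relative identifier (last component) of a domain SID."""
    m = SID_RE.match(sid)
    if not m:
        raise ValueError(f"not a domain account SID: {sid}")
    return int(m.group(1))


def rid_to_uid(sid: str, base: int, high: int) -> int:
    """Map a SID exactly as 'idmap backend = idmap_rid:DOM=base-high' does:
    uid = base + RID. Anything outside the allocated range is rejected,
    which is what makes the result stable across machines."""
    uid = base + rid_from_sid(sid)
    if not base <= uid <= high:
        raise ValueError(f"uid {uid} is outside idmap range {base}-{high}")
    return uid


def overlapping_ranges(ranges: dict) -> list:
    """Given {domain: (base, high)}, return pairs of domains whose ranges
    overlap. In a forest, overlapping ranges let two different SIDs map
    to one UID, so an NFS export would silently grant cross-domain access."""
    items = sorted(ranges.items(), key=lambda kv: kv[1][0])
    collisions = []
    for (d1, (_, high1)), (d2, (base2, _)) in zip(items, items[1:]):
        if base2 <= high1:
            collisions.append((d1, d2))
    return collisions


if __name__ == "__main__":
    # SID and range taken from the Samba guide text quoted in the thread.
    sid = "S-1-5-21-34567898-12529001-32973135-1234"
    print(rid_to_uid(sid, 1000, 50000000))            # 2234
    # Assumed two-domain forest: the second range starts above the first.
    print(overlapping_ranges({"DOMA": (1000, 50000000),
                              "DOMB": (50000001, 100000000)}))  # []
```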