Hi All,
I've been playing with Samba 4.0.x in the lab for about a week or so,
and have figured out a reasonable portion of the required settings to
also use the AD server as a Unix server. I do have some additional
questions regarding scaling that I have not found the answers to. I'm
hoping you good folks can steer me in the right direction, or confirm my
ideas of how this whole AD Controller thing works...
I'm using winbind for Unix authentication via PAM, and have configured
NSS to use winbind for passwd and group enumeration. Took me quite a
while to figure out that users would need to auth into kerberos before
winbind would return info to NSS. Someone might want to update the wiki
on that... I do have some questions though regarding winbind and idmaps
in 4.0.5:
We currently deploy OpenLDAP as our core user management platform. This
has allowed us to avoid the need for winbind and the whole 3.x issue of
idmaps varying between our Linux systems. I've been trying to figure out
if the whole idmap sync issue is solved in 4.0.x? Can I just use the
default smb.conf generated settings for winbind and idmap and still have
consistent mappings between different hosts? If not, how can I
accomplish this in 4.0.x?
One other thing I noticed was that when the Windows AD tools are used
to create a user and home directory, the permissions are a bit funky...
If a user logs into the system via ssh or at the console, they are
unable to create files in their home directory. I resolved this by
setting the ACLs in the home root to give the desired permissions when
the user first logs in via console or ssh, but if the directory is
created by the Windows GUI, it basically locks out writes for the user
in their own home directory in a shell. Is there any plan to correct
this in future releases?
That's it for now, I'm sure the answers will bring me back with more
questions.
Thanks to all who will respond...
Stu
Stuart Sheldon
ACT USA
-- 
"Sometimes I lie awake at night and I ask, "Why me?", then a voice
answers "Nothing personal, your name just happened to come up."
-- Charles M. Schulz
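The lock-out Stuart describes comes down to which ACL entry the kernel actually consults when the directory owner tries to write. The script below is an added example, not code from this thread or from Samba: it applies the acl(5) access-check order to `getfacl` output, so the same question can be answered from a real `getfacl /home/<user>` dump. The two ACL texts in it are constructed samples, not captures from Stuart's system.

```python
"""Evaluate a home directory's POSIX ACL the way the kernel does, so the
"user cannot write to their own home directory" symptom can be diagnosed
from `getfacl` output instead of by trial and error.

Added example, not code from the original thread or from Samba. The ACL
texts are constructed samples; they are not captured from a real server.
"""
import re

# Constructed sample: the owner entry (user::) only grants r-x, and the mask
# caps every named-user and group entry at r-x. stu owns the directory, so
# only user:: counts for him; the user:stu:rwx entry is never consulted.
WINDOWS_CREATED = """\
# file: /home/stu
# owner: stu
# group: domain users
user::r-x
user:stu:rwx
user:backup:rwx
group::r-x
mask::r-x
other::---
"""

# Constructed sample: the same directory after its ACL was reset at first
# login, giving the owner entry and the mask full rights.
FIXED_ON_LOGIN = """\
# file: /home/stu
# owner: stu
# group: domain users
user::rwx
user:stu:rwx
user:backup:rwx
group::r-x
mask::rwx
other::---
"""


def parse_getfacl(text):
    """Return (owner, owning_group, entries) from getfacl output, where
    entries is a list of (tag, qualifier, perms) such as ("user", "", "r-x")
    for the owner entry or ("user", "stu", "rwx") for a named user."""
    owner = owning_group = None
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            m = re.match(r"#\s*(owner|group):\s*(.*)", line)
            if m and m.group(1) == "owner":
                owner = m.group(2).strip()
            elif m:
                owning_group = m.group(2).strip()
            continue
        # getfacl appends "#effective:..." to masked entries; recompute instead
        tag, qualifier, perms = line.split("#", 1)[0].strip().split(":")
        entries.append((tag, qualifier, perms))
    return owner, owning_group, entries


def access_decision(acl_text, user, groups, want):
    """Apply the acl(5) access-check order for `user` (a member of `groups`)
    requesting the permissions in `want` (any of "r", "w", "x").

    Returns (granted, stage), where stage names the entry class that decided:
    "owner", "named user", "group" or "other".
    """
    owner, owning_group, entries = parse_getfacl(acl_text)
    want = set(want)
    mask = None
    for tag, _, perms in entries:
        if tag == "mask":
            mask = set(perms.replace("-", ""))

    def perms_of(tag, qualifier, masked):
        for t, q, p in entries:
            if t == tag and q == qualifier:
                perms = set(p.replace("-", ""))
                return perms & mask if (masked and mask is not None) else perms
        return None

    # 1. The file owner is matched by user:: alone; the mask does not apply.
    if user == owner:
        return want <= (perms_of("user", "", masked=False) or set()), "owner"
    # 2. A named-user entry, limited by the mask.
    named = perms_of("user", user, masked=True)
    if named is not None:
        return want <= named, "named user"
    # 3. Owning group and named groups: any matching entry that holds all of
    #    `want` (after the mask) grants; no matching entry falls through.
    candidates = []
    if owning_group in groups:
        candidates.append(perms_of("group", "", masked=True))
    candidates += [perms_of("group", g, masked=True) for g in groups]
    candidates = [c for c in candidates if c is not None]
    if candidates:
        return any(want <= c for c in candidates), "group"
    # 4. Everyone else; the mask does not apply to other:: either.
    return want <= (perms_of("other", "", masked=False) or set()), "other"


def can_write(acl_text, user, groups=()):
    """Convenience wrapper: can `user` create files in the directory (w + x)?"""
    return access_decision(acl_text, user, list(groups), "wx")[0]
```

Two rules do the work here: a named `user:NAME:` entry for the file owner is never consulted, because the owner is matched by `user::` first, and the mask caps named-user and group entries but not `user::` or `other::`. So resetting only a named entry or only the mask on a Windows-created home directory leaves the owner locked out; the `user::` entry (the owner bits of the mode) has to grant write.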
On Fri, 2013-04-12 at 08:40 -0700, Stuart Sheldon wrote:
> Hi All,
>
> I've been playing with Samba 4.0.x in the lab for about a week or so,
> and have figured out a reasonable portion of the required settings to
> also use the AD server as a Unix server. I do have some additional
> questions regarding scaling that I have not found the answers to. I'm
> hoping you good folks can steer me in the right direction, or confirm my
> ideas of how this whole AD Controller thing works...
>
> I'm using winbind for Unix authentication via PAM, and have configured
> NSS to use winbind for passwd and group enumeration. Took me quite a
> while to figure out that users would need to auth into kerberos before
> winbind would return info to NSS. Someone might want to update the wiki
> on that...

That doesn't sound right. The user information can be obtained, but it
certainly is faster and more effective when we have the PAC cached.

> I do have some questions though regarding winbind and idmaps
> in 4.0.5:
>
> We currently deploy OpenLDAP as our core user management platform. This
> has allowed us to avoid the need for winbind and the whole 3.x issue of
> idmaps varying between our Linux systems. I've been trying to figure out
> if the whole idmap sync issue is solved in 4.0.x? Can I just use the
> default smb.conf generated settings for winbind and idmap and still have
> consistent mappings between different hosts? If not, how can I
> accomplish this in 4.0.x?

If you have an existing OpenLDAP system, and are using Samba 3.x, do you
have an existing Samba 3.x 'classic' domain? If so, then the samba-tool
domain classicupgrade command will import those existing id mappings into
our AD database, and set the smb.conf option to use it. You can then
configure Samba winbind clients to also use that rfc2307 configuration,
using idmap_ad. You will need to set any uid/gid values you wish to be
consistent across your domain manually, as we do not have a distributed
allocator for those.

Any values not set in the directory will be set in idmap.ldb on each DC,
and may differ between DCs (and potentially clients). I hope this
clarifies things for you, or gives you somewhere to start your research.

Andrew Bartlett

-- 
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
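Andrew's answer draws the line between mappings stored in the directory (the rfc2307 uidNumber/gidNumber attributes that idmap_ad reads) and mappings allocated locally on each DC or client. The script below is an added example, not code from this thread or from the Samba project: it classifies an smb.conf by where its idmap values come from, and compares `getent passwd` output from two hosts to find users whose ids already disagree. The two smb.conf fragments and the passwd lines are constructed samples, and SAMDOM is a placeholder domain name.

```python
"""Two checks for the idmap question in this thread: does a given smb.conf
hand out uid/gid mappings from a per-host store (so they can drift between
machines), and do two hosts already disagree about a user's uid?

Added example, not code from the original thread or from the Samba project.
The smb.conf fragments and the `getent passwd` lines are constructed samples;
SAMDOM is a placeholder domain name.
"""
import re

# Constructed: a member server that relies only on the catch-all tdb backend.
# Each host allocates ids from its own idmap tdb in first-seen order, so the
# same user can end up with a different uid on every machine.
TDB_ONLY_SMB_CONF = """\
[global]
    workgroup = SAMDOM
    realm = SAMDOM.EXAMPLE.COM
    security = ADS
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
"""

# Constructed: the domain's mappings come from the rfc2307 uidNumber/gidNumber
# attributes stored in AD (what classicupgrade imports), so every host that
# asks the directory gets the same answer. The catch-all stays on tdb for
# BUILTIN and for any SID that has no attribute set.
RFC2307_SMB_CONF = """\
[global]
    workgroup = SAMDOM
    realm = SAMDOM.EXAMPLE.COM
    security = ADS
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    idmap config SAMDOM : backend = ad
    idmap config SAMDOM : schema_mode = rfc2307
    idmap config SAMDOM : range = 10000-999999
    winbind nss info = rfc2307
"""


def parse_global(text):
    """Return the [global] parameters as a dict. Keys are lowercased with the
    whitespace around the idmap "domain : option" separator removed, which is
    how smb.conf treats them."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.match(r"\[(.+)\]$", line)
        if m:
            section = m.group(1).strip().lower()
            continue
        if section != "global" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        key = re.sub(r"\s*:\s*", ":", " ".join(key.split())).lower()
        params[key] = value.strip()
    return params


def idmap_backends(params):
    """Map each configured idmap domain ("*" is the catch-all) to its backend."""
    backends = {}
    for key, value in params.items():
        m = re.match(r"idmap config (.+):backend$", key)
        if m:
            backends[m.group(1).upper()] = value.lower()
    return backends


def mapping_consistency(smb_conf_text, domain):
    """Classify where users of `domain` get their uid/gid under this smb.conf:
    "directory"     stored in AD (ad) or a shared LDAP server (ldap), so
                    every host sees the same value;
    "deterministic" computed from the RID (rid), identical across hosts only
                    while they all configure the same range;
    "host-local"    allocated on each host (tdb, autorid), free to drift.
    Without an explicit entry the catch-all applies, and its default is tdb."""
    backends = idmap_backends(parse_global(smb_conf_text))
    backend = backends.get(domain.upper(), backends.get("*", "tdb"))
    if backend in ("ad", "ldap"):
        return "directory"
    if backend == "rid":
        return "deterministic"
    return "host-local"


# Constructed `getent passwd` output from two hosts that both use the tdb-only
# configuration: alice and stu first appeared in opposite orders, so the uids
# swapped, while bob happens to agree.
HOST_A_PASSWD = """\
SAMDOM\\stu:*:3001:3000:Stuart Sheldon:/home/SAMDOM/stu:/bin/bash
SAMDOM\\alice:*:3002:3000:Alice Example:/home/SAMDOM/alice:/bin/bash
SAMDOM\\bob:*:3003:3000:Bob Example:/home/SAMDOM/bob:/bin/bash
"""
HOST_B_PASSWD = """\
SAMDOM\\alice:*:3001:3000:Alice Example:/home/SAMDOM/alice:/bin/bash
SAMDOM\\stu:*:3002:3000:Stuart Sheldon:/home/SAMDOM/stu:/bin/bash
SAMDOM\\bob:*:3003:3000:Bob Example:/home/SAMDOM/bob:/bin/bash
"""


def parse_passwd(text):
    """name -> (uid, gid) from getent passwd lines."""
    out = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) >= 4:
            out[fields[0]] = (int(fields[2]), int(fields[3]))
    return out


def id_mismatches(passwd_a, passwd_b):
    """Users known to both hosts whose (uid, gid) differ, sorted by name, as
    [(name, ids_on_a, ids_on_b)]. An empty list means the two hosts agree."""
    a, b = parse_passwd(passwd_a), parse_passwd(passwd_b)
    return sorted((n, a[n], b[n]) for n in a.keys() & b.keys() if a[n] != b[n])
```

A mismatch list like the one the constructed samples produce is what "idmaps varying between our Linux systems" looks like on a file server with shared storage: the same account owns different inodes on different hosts. Moving the domain to the `ad` backend makes the directory the single source, but as Andrew notes it only covers accounts that actually carry uidNumber/gidNumber; anything without them still falls back to the catch-all backend and is allocated per host.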