Steffen Kolbe
2005-May-12 13:30 UTC
[Samba] New ADS infrastructure with winbind - Which is the best ID-mapping: IDMAP_RID or IDMAP LDAP with ADS + SFU schema ?
A question for the best winbind SID-UID/GID mapping in our situation:

I'm building a new infrastructure with Windows 2003 SP1 ADS domain controllers and some Debian servers (file: Samba+NFS; mail; web; ...) and various XP and Debian clients.

After reading Chapter 12 (Identity Mapping) in the Samba-HOWTO, IDMAP_RID together with winbind seems an easy way to solve the problem of synchronised SID-UID/GIDs on all Linux machines. Why should I use the "hard way" with the MS SFU 3.5 schema extensions, PADL and so on, when IDMAP_RID seems to be so easy?

Can anybody tell me something about the "deeper backgrounds" and which of the two is the best solution for us?

Thanks and best regards
Steffen

--
Kind regards
Steffen Kolbe
Andreas-Schubert-Str. 23
D-01062 Dresden
------------------------------------------------------
Phone: +49/0 351 463-36750
Fax: +49/0 351 463-36809
e-mail: kolbe@vwi.tu-dresden.de
------------------------------------------------------
Institut fuer Wirtschaft und Verkehr
Fakultaet Verkehrswissenschaften "Friedrich List"
Technische Universitaet Dresden
------------------------------------------------------
Doug VanLeuven
2005-May-13 02:46 UTC
[Samba] New ADS infrastructure with winbind - Which is the best ID-mapping: IDMAP_RID or IDMAP LDAP with ADS + SFU schema ?
Steffen Kolbe wrote:
> A question for the best winbind SID-UID/GID mapping in our situation:
>
> I'm building a new infrastructure with Windows 2003 SP1 ADS
> domain controllers and some Debian servers (file: Samba+NFS; mail; web;
> ...) and various XP and Debian clients.
>
> After reading Chapter 12 (Identity Mapping) in the Samba-HOWTO,
> IDMAP_RID together with winbind seems an easy way to solve the problem of
> synchronised SID-UID/GIDs on all Linux machines.
> Why should I use the "hard way" with the MS SFU 3.5 schema extensions,
> PADL and so on, when IDMAP_RID seems to be so easy?
>
> Can anybody tell me something about the "deeper backgrounds" and which
> of the two is the best solution for us?

If you have an existing base of unix uid/gid accounts to maintain, consider the mapping capabilities of SFU 3.5 and padl idmap_ad.
If there is no existing base of unix uid/gid accounts, consider IDMAP_RID.

Regards, Doug
Doug VanLeuven
2005-May-13 10:25 UTC
[Samba] New ADS infrastructure with winbind - Which is the best ID-mapping: IDMAP_RID or IDMAP LDAP with ADS + SFU schema ?
Steffen Kolbe wrote:
> Doug VanLeuven wrote:
>
>> Steffen Kolbe wrote:
>>
>>> A question for the best winbind SID-UID/GID mapping in our situation:
>>>
>>> I'm building a new infrastructure with Windows 2003 SP1 ADS
>>> domain controllers and some Debian servers (file: Samba+NFS; mail;
>>> web; ...) and various XP and Debian clients.
>>>
>>> After reading Chapter 12 (Identity Mapping) in the Samba-HOWTO,
>>> IDMAP_RID together with winbind seems an easy way to solve the problem
>>> of synchronised SID-UID/GIDs on all Linux machines.
>>> Why should I use the "hard way" with the MS SFU 3.5 schema
>>> extensions, PADL and so on, when IDMAP_RID seems to be so easy?
>>>
>>> Can anybody tell me something about the "deeper backgrounds" and
>>> which of the two is the best solution for us?
>>
>> If you have an existing base of unix uid/gid accounts to maintain,
>> consider the mapping capabilities of SFU 3.5 and padl idmap_ad.
>> If there is no existing base of unix uid/gid accounts, consider
>> IDMAP_RID.
>>
>> Regards, Doug
>
> Hello Doug,
>
> thanks for your quick answer.
> 1. If I understand the IDMAP_RID solution correctly, the local SID-UID/GID
> mapping is the same on every machine. After a crash, can I copy the
> mapping table between all Linux machines, or are there some differences?
> 2. Do you know something about the speed of IDMAP_RID? Now we have
> roughly 500 users; in 4 years we will have ~3000.
> 3. In Windows environments it's normal to work with groups in groups -
> Linux (by nature) doesn't know them. Does Samba/Winbind understand this
> mapping from ADS, or should I only put users in groups?
>
> Thanks and best regards from Germany.
> Steffen

Hi Steffen,

I had an existing base of users so I had to implement the MS SFU style SID to uid/gid mapping, so I have no direct experience with IDMAP_RID. But as I understand it:

1. You could take an initial linux installation and, providing smb.conf and the add user/group scripts are identical, one doesn't need to copy any mapping tables. The map is in smb.conf. Everything else would be created on the fly on first use.

2. As far as speed, we all wait on the domain controller for the initial SID. With IDMAP_RID, once the SID is available, the mapping is local, so I can't imagine anything being faster. The padl solution requires another query of the domain controller. The samba-HOWTO makes a valid point about enumeration with large numbers of AD users - turn off enumeration.

3. The samba-HOWTO lists "winbind nested groups = yes" so it must be true. I haven't had a need to nest groups yet.

My only personal change to the samba-HOWTO is that, for nsswitch.conf configuration, I prefer compat instead of files for authentication and I think dns should be included in the hosts list. It can be argued that a correctly configured AD domain gets everything from DNS and that winbind name lookups aren't necessary, and that if they are, something is wrong with the DNS.

    passwd: compat winbind
    shadow: compat winbind
    group:  compat winbind
    hosts:  files dns winbind

Regards, Doug
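The point in Doug's answer 1 and 2 above (the mapping is arithmetic, lives in smb.conf, and needs no table to copy) can be seen by modelling the idmap_rid rule itself. The following is an added example written for this page, not code from the thread or from the Samba project. It assumes a made-up domain SID, an idmap range of 10000-19999 (what the Samba 3.0 HOWTO expresses as "idmap backend = idmap_rid:DOMAIN=10000-20000" plus matching "idmap uid" and "idmap gid" lines; check the syntax for your Samba version), and the documented idmap_rid rule Unix ID = RID + low end of the range, with base_rid left at its default of 0.

```shell
#!/bin/sh
# Added example, not from the thread or the Samba project: a model of the
# idmap_rid rule "Unix ID = RID + low end of the idmap range". Because the
# result depends only on the SID and on smb.conf, every host with the same
# config computes the same uid/gid, so nothing has to be copied after a crash.
#
# Assumptions (all constructed for this example):
#   DOMAIN_SID    a made-up domain SID (a real one is shown by wbinfo on a
#                 joined host)
#   10000-19999   the idmap range from smb.conf; base_rid assumed to be 0

DOMAIN_SID="S-1-5-21-1111111111-2222222222-3333333333"
IDMAP_LOW=10000
IDMAP_HIGH=19999

# rid_to_id SID: print the Unix ID for a SID of our own domain.
# Fails (status 1, message on stderr) for a foreign domain, a malformed RID,
# or a RID that lands above IDMAP_HIGH. The real backend also refuses IDs
# outside its range, so a range that is too small for the domain shows up as
# lookup failures, not as silently reused IDs: size the range for the RIDs
# the domain will actually hand out, not for the number of users.
rid_to_id() {
    sid=$1
    case "$sid" in
        "$DOMAIN_SID"-*) ;;
        *) echo "rid_to_id: $sid is not in $DOMAIN_SID" >&2; return 1 ;;
    esac
    rid=${sid##*-}
    case "$rid" in
        ''|*[!0-9]*) echo "rid_to_id: bad RID in $sid" >&2; return 1 ;;
    esac
    unix_id=$((rid + IDMAP_LOW))
    if [ "$unix_id" -gt "$IDMAP_HIGH" ]; then
        echo "rid_to_id: RID $rid maps to $unix_id, outside $IDMAP_LOW-$IDMAP_HIGH" >&2
        return 1
    fi
    echo "$unix_id"
}

# id_to_sid UNIX_ID: the inverse, which only exists inside the range.
# Anything below IDMAP_LOW is a local (compat/files) account, not a domain one.
id_to_sid() {
    unix_id=$1
    if [ "$unix_id" -lt "$IDMAP_LOW" ] || [ "$unix_id" -gt "$IDMAP_HIGH" ]; then
        echo "id_to_sid: $unix_id is not a winbind ID on this host" >&2
        return 1
    fi
    echo "$DOMAIN_SID-$((unix_id - IDMAP_LOW))"
}

# Demo: a user with RID 1104 and the well-known Domain Admins group (RID 512).
rid_to_id "$DOMAIN_SID-1104"          # 11104 on every host with this config
rid_to_id "$DOMAIN_SID-512"           # 10512
id_to_sid 11104                       # back to the same SID
rid_to_id "$DOMAIN_SID-10000" || echo "rejected: range too small for this RID"
```

Two practical consequences follow from the model: a domain with trusted domains cannot be handled by a single range with this scheme (the SID prefix differs, so the lookup fails as the foreign-domain case does here), and the same user gets the same uid on every Samba+NFS server only if every server carries the identical range, which is exactly why Doug says the map "is in smb.conf".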
Doug VanLeuven
2005-May-13 17:04 UTC
[Samba] New ADS infrastructure with winbind - Which is the best ID-mapping: IDMAP_RID or IDMAP LDAP with ADS + SFU schema ?
Steffen Kolbe wrote:
> interesting to talk with an insider..... ;-)

Nope. I feel like an outsider :-)

> .... sorry, my English is not the best... :-)
>
> 1. What is "nested groups"? Does it mean working with groups in groups?

"winbind nested groups". Right. Groups in groups.

> 2. What does the enumeration do?

Enumeration is a query for every user or group the AD knows about.

> 3. Do you have any ideas for Linux notebooks? At the moment (in our
> old environment) we use ADS+SFU with the NIS feature. A NIS slave runs on
> every notebook, so every notebook user can also work offline. But what
> about a winbind notebook when the ADS is not available?
> I found on the PADL homepage that software called nss_updatedb and
> pam_ccreds is the solution with the SFU schema in offline situations
> (caching).

Someone else will need to answer this. We still use NIS at the native authentication level. Or flat file accounts for non-network access. I hate being dependent on one auth mechanism. Fallbacks to fallbacks.

> 4. Does the solution with the SFU schema work fine in your environment, or
> do you have problems?

Works OK. Use it both ways. Windows serves NFS shares too, with simple name maps.

> How many users work with this?

Only 200.

> Did you have trouble with the installation, or does it work as easily as in
> the HOWTO? ;-) And did you have to hack anything to get it working correctly
> (after installation)?

Using current Kerberos and LDAP versions was the only issue. The work of Jeremy Allison on Kerberos and what others on the samba team have done to work with MS AD is simply fantastic. I should say PFM.

> Thanks and regards
> Steffen

Good luck. Doug