Reece Dike
2009-Mar-10 18:41 UTC
[Samba] Active Directory and winbind RID/SID to uid and gid mapping across several Linux servers
We are using a Windows Server 2003 Active Directory as our single sign-on server. I have been able to get our RHEL4U6 servers to authenticate with Active Directory.

My concern is that the RID mapping to the Unix uid/gid range (15000-20000) is stored locally on each machine in a tdb database. So far all of the servers have produced the same mapping, but I do not think it is guaranteed. I think the fact that I do a wbinfo -u and wbinfo -g as part of the setup and there have been no users/groups added to Active Directory has made the mappings the same. I know that the uid/gid are not being stored in Active Directory (I did a 'dsquery * -scope base -attrib *' on my id in Active Directory). Is there any way to guarantee the RID to uid/gid mapping across several servers?

Thanks,
Reece Dike

Here is my smb.conf

[global]
workgroup = MYDOMAIN
server string = Samba Server Version %v
security = ADS
password server = 68.216.162.90
realm = MYDOMAIN.COM
passdb backend = tdbsam
load printers = yes
cups options = raw
template shell = /bin/false
; "autos" is not a valid value; "auto" is what was meant
server signing = auto
idmap uid = 15000-20000
idmap gid = 15000-20000
winbind enum groups = yes
winbind enum users = yes
winbind separator = +
winbind use default domain = no
template homedir = /homes/%D/%U
; this later setting overrides the template shell = /bin/false above
template shell = /bin/bash

[homes]
comment = Home Directories
browseable = no
writable = yes

[printers]
comment = All Printers
path = /var/spool/samba
browseable = no
guest ok = no
writable = no
printable = yes

[usbshare]
comment = Backups and Stuff
path = /usbdrive
valid users = +"MYDOMAIN+Domain Users"
read only = no
Reece Dike
2009-Mar-10 21:44 UTC
[Samba] Active Directory and winbind RID/SID to uid and gid mapping across several Linux servers
Dale,

Thanks for the information and the link. We are just now trying to implement this and we have not implemented this on any production servers. I need to talk with my security person to see if we have/are planning to have trusted domains. If we do then I will have to go with the LDAP/ADS solution that was in the link you gave.

Thanks again,
Reece

Dale Schroeder wrote:
> Reece,
>
> idmap backend = rid:MYDOMAIN=15000-20000
>
> will create consistent mappings, _*but*_ be aware that enabling this
> parameter will break all your existing mappings, and you will have to
> reset permissions on your Redhat servers. Obviously, this is not
> desirable on production systems. However, once this is done, you will
> continue to have the same mappings on any existing and similarly
> configured future Samba servers. Only you can determine if it is worth
> the time and effort to do this. We have four servers configured this
> way, and users have the same uid/gid on each system.
>
> Comparison of idmap backends:
> http://us3.samba.org/samba/docs/man/Samba-HOWTO-Collection/idmapper.html#id2598850
>
> Dale
>
> Reece Dike wrote:
>> We are using a Windows Server 2003 Active Directory as our single sign-on
>> server. I have been able to get our RHEL4U6 servers to authenticate
>> with Active Directory.
>>
>> My concern is that the RID mapping to the Unix uid/gid range (15000-20000)
>> is stored locally on each machine in a tdb database. So far all of the
>> servers have produced the same mapping, but I do not think it is
>> guaranteed. I think the fact that I do a wbinfo -u and wbinfo -g as part
>> of the setup and there have been no users/groups added to Active
>> Directory has made the mappings the same. I know that the uid/gid are
>> not being stored in Active Directory (I did a 'dsquery * -scope base
>> -attrib *' on my id in Active Directory). Is there any way to guarantee
>> the RID to uid/gid mapping across several servers?
>>
>> Thanks,
>> Reece Dike
>>
>> Here is my smb.conf
>> [snip]
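The following is an added example written for this page; it is not code from the thread, from Samba, or from either poster. It models the two idmap behaviours the thread discusses so the difference can be seen without a domain controller: the default tdb backend hands out the next free id the first time a SID is looked up on a given server (so the result depends on enumeration order, which is exactly why the original poster could not guarantee consistency), while 'idmap backend = rid' computes unix_id = RID + low_id (with the default base_rid of 0), which is the same on every server and leaves SIDs outside the range, or from another domain, unmapped. The domain SID, the RIDs, and the two lookup orders are constructed sample data and are my assumptions; the 15000-20000 range is the one from the posted smb.conf.

```python
# Added example, not part of the thread or of Samba's own code.
# Models (a) the order-dependent tdb allocator and (b) the deterministic
# rid backend, then compares the resulting SID -> unix id tables of two
# servers.  DOMAIN_SID, the RIDs and the lookup orders are constructed
# sample data (my assumptions); the id range is from the poster's smb.conf.
import re

DOMAIN_SID = "S-1-5-21-1111-2222-3333"   # constructed sample domain SID
LOW_ID, HIGH_ID = 15000, 20000            # idmap uid/gid range from smb.conf

SID_RE = re.compile(r"^(S-1-5-21-\d+-\d+-\d+)-(\d+)$")


def split_sid(sid):
    """Return (domain_sid, rid) for a domain account SID, else ValueError."""
    m = SID_RE.match(sid)
    if not m:
        raise ValueError("not a domain account SID: " + sid)
    return m.group(1), int(m.group(2))


def rid_map(sid, domain_sid=DOMAIN_SID, low_id=LOW_ID, high_id=HIGH_ID):
    """Deterministic rid-backend mapping: RID + low_id (base_rid 0).
    Returns None for SIDs of another domain or ids outside the range,
    which the real backend likewise leaves unmapped."""
    dom, rid = split_sid(sid)
    if dom != domain_sid:
        return None
    unix_id = rid + low_id
    return unix_id if low_id <= unix_id <= high_id else None


class TdbAllocator:
    """Model of the default tdb backend on ONE server: a SID seen for the
    first time gets the next free id, and the table lives only locally."""

    def __init__(self, low_id=LOW_ID, high_id=HIGH_ID):
        self.high_id = high_id
        self.next_id = low_id
        self.table = {}

    def lookup(self, sid):
        if sid not in self.table:
            if self.next_id > self.high_id:
                raise RuntimeError("idmap range exhausted")
            self.table[sid] = self.next_id
            self.next_id += 1
        return self.table[sid]


def compare_maps(map_a, map_b):
    """SIDs present on both hosts that resolve to different unix ids."""
    return sorted(s for s in map_a if s in map_b and map_a[s] != map_b[s])


# Constructed sample: three users enumerated in a different order per server
USERS = [DOMAIN_SID + "-" + str(rid) for rid in (1104, 1105, 1106)]
ORDER_SERVER_A = USERS
ORDER_SERVER_B = [USERS[2], USERS[0], USERS[1]]


def tdb_divergence():
    """tdb backend on two servers: returns (map_a, map_b, differing SIDs)."""
    a, b = TdbAllocator(), TdbAllocator()
    map_a = {sid: a.lookup(sid) for sid in ORDER_SERVER_A}
    map_b = {sid: b.lookup(sid) for sid in ORDER_SERVER_B}
    return map_a, map_b, compare_maps(map_a, map_b)


def rid_divergence():
    """Same exercise with the rid backend: lookup order no longer matters."""
    map_a = {sid: rid_map(sid) for sid in ORDER_SERVER_A}
    map_b = {sid: rid_map(sid) for sid in ORDER_SERVER_B}
    return map_a, map_b, compare_maps(map_a, map_b)


if __name__ == "__main__":
    ta, tb, tdiff = tdb_divergence()
    ra, rb, rdiff = rid_divergence()
    print("tdb server A:", ta)
    print("tdb server B:", tb)
    print("tdb SIDs with different ids:", tdiff)
    print("rid server A:", ra)
    print("rid server B:", rb)
    print("rid SIDs with different ids:", rdiff)
    # Dale's caveat: rid ids differ from the old tdb ids, so files owned by
    # tdb-assigned uids must be re-chowned when switching backends.
    print("uid change on switch:", {s: (ta[s], ra[s]) for s in USERS})
```

On real servers the equivalent of compare_maps is to dump each host's table with wbinfo (wbinfo -n 'MYDOMAIN+user' to get the SID, then wbinfo -S <sid> for the uid) and diff the results between hosts; with the tdb backend the diff will be non-empty whenever the hosts first saw the accounts in different orders, and the last print line shows why Dale warns that switching to the rid backend changes every existing uid.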