Hi,

I'm trying to convert an old system on Solaris 10 that uses the smbpasswd file authentication method to a system that authenticates against Active Directory. I've managed to get winbind working, but of course this just allocates UIDs as it sees fit, whereas the smbpasswd file method used the UID from the /etc/passwd file. The user codes on the Solaris server match the user codes in AD, but if I just switch over to winbind the UIDs will not match. If there were only a small number of users I could simply change the ownership of the users' home directories to match the winbind-allocated UID, but unfortunately there are thousands of users and so this would be a mammoth task. I've had a look at various bits of documentation but can't get my head around the best strategy. Has anyone needed to do something similar, and if so how did you go about it?

Also, the users' home directories are distributed around multiple directories and I would prefer to continue to use the home directory information from /etc/passwd as opposed to using "template homedir" (although I assume that I could leave the directories in place and just set up links to them). I've also had a look at the PADL nss_ldap stuff but can't get it to compile; it seems to be looking for SASL. Would the SASL version on the Sun Freeware site work?

Martin.
Martin Rootes wrote:
> [SNIP]

Would filling out the rfc2307 information in the AD not be the way forward? Then winbind would not be allocating UIDs but using what was set in the AD, which you could match with your current settings. In addition you could have your home directories wherever you want on a per-user basis, depending on what you have set in the AD. If you are going to be using AD then it is best not to fight it, and any AD server after 2003 R2 has the rfc2307 scheme extensions activated; you just need to populate the fields.
Though I appreciate that sometimes this can be easier said than done if you don't have control over the AD servers.

JAB.

-- 
Jonathan A. Buzzard
Email: jonathan (at) buzzard.me.uk
Fife, United Kingdom.
On 06/15/2011 10:29 AM, Jonathan Buzzard wrote:
>
> On Tue, 2011-06-14 at 23:41 +0000, Peter Shevchenko wrote:
>
> [SNIP]
>
>> I have been working on exactly this problem. I looked into the
>> rfc2307 scheme extensions and it looked like a lot of trouble. The samba
>> HowTo has this to say about it.
>>
>> "The use of this method is messy. The information provided in the
>> following is for guidance only and is very definitely not complete. This
>> method does work; it is used in a number of large sites and has an
>> acceptable level of performance." see
>> samba.org/samba/docs/man/Samba-HOWTO-Collection/idmapper.html
>
> That is *not* the method I was suggesting to use. I was suggesting using
> the idmap_ad backend and winbind directly. No ldap or similar in sight,
> excepting that AD is ldap.
>
> This is the configuration that I use in smb.conf
>
> # deal with NSS and the whole UID/SID id mapping stuff
> idmap backend = tdb
> idmap uid = 2000000 - 2999999
> idmap gid = 2000000 - 2999999
> idmap config LIFESCI-AD : backend = ad
> idmap config LIFESCI-AD : schema_mode = rfc2307
> idmap config LIFESCI-AD : readonly = yes
> idmap config LIFESCI-AD : range = 500 - 1999999
> idmap cache time = 120
> idmap negative cache time = 20
> winbind nss info = rfc2307
> winbind expand groups = 2
> winbind nested groups = yes
> winbind use default domain = yes
> winbind enum users = yes
> winbind enum groups = yes
> winbind refresh tickets = yes
> winbind offline logon = false
>
> With nsswitch.conf looking like
>
> passwd: files winbind
> shadow: files
> group: files winbind
>
>
> I would say the documentation on how to get this working is not great,
> the biggest stumbling block being the need for the non-overlapping range
> for the plain tdb backend, which is all required despite the fact it is
> never used.
>
> Yes, you need to have winbind running at all times for it to work, but it
> does work.
>
>
> JAB.
The environment I work in did not fully implement the rfc schema. I would use the hash idmap backend: http://www.samba.org/samba/docs/man/manpages-3/idmap_hash.8.html

-- 
Robert Freeman-Day
https://launchpad.net/~presgas
GPG Public Key: http://keyserver.ubuntu.com:11371/pks/lookup?op=get&search=0xBA9DF9ED3E4C7D36
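Two points in this thread benefit from a worked illustration: Jonathan's suggestion to populate the rfc2307 fields in AD with the UIDs already in /etc/passwd so that winbind stops allocating its own, and his smb.conf showing that the idmap_ad backend only maps IDs that fall inside its configured "range" (500 - 1999999 in his example). The script below is an added example, not code from the thread or from the Samba project. It parses a constructed /etc/passwd, checks each account against the idmap range, rejects duplicate UIDs (a user whose UID collides would otherwise silently share files with another), and emits LDIF "modify" records that set uidNumber, gidNumber, unixHomeDirectory and loginShell, the attributes the idmap_ad rfc2307 schema mode and "winbind nss info = rfc2307" read. The base DN and the assumption that each account's RDN is CN=<login name> are placeholders; in a real forest you would look up each user's DN by sAMAccountName first.

```python
"""Generate rfc2307 LDIF for AD from an existing /etc/passwd (added example).

Assumptions (placeholders, not from the thread): accounts live under
OU=Users,DC=example,DC=com and the AD CN equals the Unix login name.
"""
import re

# Constructed sample /etc/passwd lines; the last two are deliberately bad.
SAMPLE_PASSWD = """\
root:x:0:0:Super-User:/:/usr/bin/bash
martin:x:1001:100:Martin R:/export/home1/martin:/bin/bash
jsmith:x:1002:100:J Smith:/export/home2/jsmith:/bin/ksh
legacy:x:2500000:100:Old account:/export/home3/legacy:/bin/sh
dup:x:1001:100:Duplicate uid:/export/home1/dup:/bin/bash
"""

BASE_DN = "OU=Users,DC=example,DC=com"  # placeholder; adjust for your forest


def parse_passwd(text):
    """Return a list of dicts for every well-formed 7-field passwd line."""
    users = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"malformed passwd line: {line!r}")
        name, _pw, uid, gid, _gecos, home, shell = fields
        users.append({"name": name, "uid": int(uid), "gid": int(gid),
                      "home": home, "shell": shell})
    return users


def parse_range(spec):
    """Parse an smb.conf idmap range such as '500 - 1999999' into (lo, hi)."""
    m = re.fullmatch(r"\s*(\d+)\s*-\s*(\d+)\s*", spec)
    if not m:
        raise ValueError(f"bad idmap range: {spec!r}")
    lo, hi = int(m.group(1)), int(m.group(2))
    if lo > hi:
        raise ValueError(f"idmap range is inverted: {spec!r}")
    return lo, hi


def to_ldif(u):
    """One LDIF modify record per user; '-' separates the attribute changes."""
    return "\n".join([
        f"dn: CN={u['name']},{BASE_DN}",
        "changetype: modify",
        "replace: uidNumber",
        f"uidNumber: {u['uid']}",
        "-",
        "replace: gidNumber",
        f"gidNumber: {u['gid']}",
        "-",
        "replace: unixHomeDirectory",
        f"unixHomeDirectory: {u['home']}",
        "-",
        "replace: loginShell",
        f"loginShell: {u['shell']}",
        "-",
        "",
    ])


def plan_migration(users, idmap_range, min_uid=100):
    """Return (ldif_records, problems).

    An account is only emitted if its UID is not a system account, lies
    inside the idmap_ad range (winbind will not map IDs outside it), and
    has not already been claimed by another login name.
    """
    lo, hi = idmap_range
    claimed = {}
    records, problems = [], []
    for u in users:
        if u["uid"] < min_uid:
            problems.append(f"{u['name']}: uid {u['uid']} is a system account, skipped")
            continue
        if not lo <= u["uid"] <= hi:
            problems.append(f"{u['name']}: uid {u['uid']} outside idmap range {lo}-{hi}")
            continue
        if u["uid"] in claimed:
            problems.append(f"{u['name']}: uid {u['uid']} already used by {claimed[u['uid']]}")
            continue
        claimed[u["uid"]] = u["name"]
        records.append(to_ldif(u))
    return records, problems


if __name__ == "__main__":
    recs, probs = plan_migration(parse_passwd(SAMPLE_PASSWD),
                                 parse_range("500 - 1999999"))
    print("\n".join(recs))
    for p in probs:
        print("# PROBLEM:", p)
```

Feed the LDIF to ldapmodify (or ldifde on a domain controller) only after the "PROBLEM" lines are empty; the gidNumber values also need a matching group object in AD carrying the same gidNumber, or group lookups through winbind will fail even though the user entries resolve.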