Hi list,

I'm looking for someone out there, using samba as a member server in a multi-domain Active Directory forest (maybe even with nss_/pam_winbind for unix users/groups).

It took quite a long time to get things working at all here, and we're still not really comfortable with our current solution (especially the unix nss/pam part).

I'd be glad if someone out there was interested in exchanging information on that topic. So please don't hesitate to contact me, if you are :)

Bye,
Marcel
On 24/05/12 10:06, Marcel Ritter wrote:
> Hi list,
>
> I'm looking for someone out there, using samba as a member
> server in a multi-domain Active Directory forest (maybe even
> with nss_/pam_winbind for unix users/groups).
>
> It took quite a long time to get things working at all here, and we're
> still not really comfortable with our current solution (especially
> the unix nss/pam part).
>
> I'd be glad if someone out there was interested in exchanging
> information on that topic.
> So please don't hesitate to contact me, if you are :)
>
> Bye,
> Marcel

Hi Marcel

Not as part of a multi domain, no, but we have bypassed winbind in favour of storing attributes in the directory instead of an external winbind mapping. It works fine using nss-pam-ldapd (I think this is libnss-ldapd and libpam-ldapd on Debian). It's not officially supported but it works a treat.

http://linuxcostablanca.blogspot.com.es/p/s4bind.html

Cheers and hth a bit with your nss qn.
Steve
On 25/05/2012 09:57, Marcel Ritter wrote:
> our setup looks much like yours:
> One domain "FAUAD" containing all our users, and several
> domains containing computer objects (and maybe "local" users).
>
> To prevent inconsistencies in user/group membership, we'd like
> to use nss/pam winbind on the unix side to get users/groups out
> of our AD.

Add winbind to /etc/nss.conf (passwd and group lines). Then use idmap rid for the domains you're interested in (and tdb for eventual others):

  # default backend and range for domains without their own idmap config
  idmap backend = tdb
  idmap uid = 10000-99999
  idmap gid = 10000-99999
  # deterministic RID-based ids, one non-overlapping range per domain
  idmap config PERSONALE:backend = rid
  idmap config PERSONALE:base_rid = 500
  idmap config PERSONALE:range = 100000 - 49999999
  idmap config STUDENTI:backend = rid
  idmap config STUDENTI:base_rid = 500
  idmap config STUDENTI:range = 50000000 - 99999999

Users and groups in PERSONALE and STUDENTI are consistent across all servers, while other domains receive "first come first served" ids.

> However for most purposes it'd be nice to only get the short user
> names ("user" instead of "FAUAD+user") for all domains (or at
> least for a selectable domain). AFAIK the "default domain" is the
> one the computer object is created in (in our case this is *not* the
> one containing the user objects).
>
> I haven't found an option to specify this "default domain" without
> changing the domain location of the computer object.

Neither did I. I tried really hard with:

  idmap domains = PERSONALE STUDENTI
  idmap config PERSONALE:default = no
  idmap config STUDENTI:default = yes

To make 'STUDENTI' the default domain while the server is joined to 'PERSONALE', but it didn't work. Maybe someone has a clue.

> Any idea about how to solve this is welcome :-)

I'm in the dark like you :(

BYtE,
Diego.
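As an added example (not from any of the posters), the following script checks the idmap configuration above the way an admin would before rolling it out to several member servers: it parses the posted idmap lines, flags per-domain ranges that overlap each other or the default tdb range (which would let one uid stand for accounts in two domains), and reproduces the idmap_rid mapping so a SID can be checked against the expected uid. The mapping formula ID = RID - BASE_RID + LOW_RANGE is assumed from the idmap_rid manual page of that Samba generation, and the SIDs are constructed sample values.

```python
import re

# Constructed from the idmap lines posted in the thread, not a real smb.conf.
SMB_CONF = """
idmap uid = 10000-99999
idmap config PERSONALE:backend = rid
idmap config PERSONALE:base_rid = 500
idmap config PERSONALE:range = 100000 - 49999999
idmap config STUDENTI:backend = rid
idmap config STUDENTI:base_rid = 500
idmap config STUDENTI:range = 50000000 - 99999999
"""

def parse_idmap(conf):
    """Return {domain: {backend, base_rid, range}}; '*' holds the default tdb range."""
    doms = {"*": {"backend": "tdb", "base_rid": 0}}
    for line in conf.splitlines():
        m = re.match(r"\s*idmap uid\s*=\s*(\d+)\s*-\s*(\d+)", line)
        if m:
            doms["*"]["range"] = (int(m[1]), int(m[2]))
            continue
        m = re.match(r"\s*idmap config (\w+)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", line)
        if not m:
            continue
        d = doms.setdefault(m[1].upper(), {"backend": "tdb", "base_rid": 0})
        if m[2] == "range":
            lo, hi = re.split(r"\s*-\s*", m[3])
            d["range"] = (int(lo), int(hi))
        elif m[2] == "base_rid":
            d["base_rid"] = int(m[3])
        else:
            d[m[2]] = m[3]
    return doms

def overlapping_ranges(doms):
    """Adjacent domain pairs (sorted by range start) whose id ranges overlap: a misconfiguration."""
    items = sorted((c["range"], d) for d, c in doms.items() if "range" in c)
    return [(items[i][1], items[i + 1][1]) for i in range(len(items) - 1)
            if items[i][0][1] >= items[i + 1][0][0]]

def sid_to_id(doms, domain, sid):
    """idmap_rid mapping ID = RID - BASE_RID + LOW_RANGE (formula assumed from the idmap_rid
    man page of that era); None when the domain is not rid-mapped or the id leaves the range."""
    cfg = doms.get(domain.upper())
    if not cfg or cfg.get("backend") != "rid" or "range" not in cfg:
        return None
    lo, hi = cfg["range"]
    uid = int(sid.rsplit("-", 1)[1]) - cfg["base_rid"] + lo
    return uid if lo <= uid <= hi else None
```

Domains without an explicit rid entry (FAUAD in this thread) return None here because their ids come from the tdb allocator and cannot be predicted from the SID.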