
Winbind & user ID's on multiple servers


Winbind & user ID's on multiple servers

Mike Auleta
We're looking at setting up Linux Authentication to our AD servers using
winbind and need to know if there is a way to keep all the user IDs in
sync across the Linux servers.  The way I see it now, the user ID is
assigned numerically depending on the order users log in to a server.
This could make for issues if NFS-mounted directories are involved.

Thanks -

Mike




------------------------------------------------------------------------------------------------
This e-mail, including attachments, is intended for the person(s)
or company named and may contain confidential and/or legally
privileged information. Unauthorized disclosure, copying or use of
this information may be unlawful and is prohibited. If you are not
the intended recipient, please delete this message and notify the
sender.
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Re: Winbind & user ID's on multiple servers

Javier Conti
On 9 March 2011 20:13, Mike Auleta <[hidden email]> wrote:
> We're looking at setting up Linux Authentication to our AD servers using
> winbind and need to know if there is a way to keep all the user IDs in
> sync across the Linux servers.  The way I see it now, the user ID is
> assigned numerically depending on the order users log in to a server.
> Could make for issues if NFS mounted directories are involved.

Hi, I'm using AD 2008 R2 as PDC, and have been successful using the
following configuration in /etc/samba/smb.conf on the client:

[global]
        workgroup = MYDOMAIN
        realm = DNSDOMAIN
        security = ADS
        idmap backend = ad
        idmap config MYDOMAIN : backend = ad
        idmap config MYDOMAIN : range = 10000 - 20000
        idmap config MYDOMAIN : schema_mode = rfc2307
        winbind nss info = rfc2307

Since this configuration uses the Posix attributes found in the
rfc2307 schema, I have the uidNumber attribute of users and the
gidNumber attribute of groups populated with the IDs used in Unix (and
in the range between 10000 and 20000).

Hope this helps, Javier

>
> Thanks -
>
> Mike
>
>
>
>

Re: Winbind & user ID's on multiple servers

TAKAHASHI Motonobu-2
2011/3/10 Javier Conti <[hidden email]>:

> On 9 March 2011 20:13, Mike Auleta <[hidden email]> wrote:
>> We're looking at setting up Linux Authentication to our AD servers using
>> winbind and need to know if there is a way to keep all the user IDs in
>> sync across the Linux servers.  The way I see it now, the user ID is
>> assigned numerically depending on the order users log in to a server.
>> Could make for issues if NFS mounted directories are involved.
>
> Hi, I'm using AD 2008 R2 as PDC, and have been successful using the
> following configuration in /etc/samba/smb.conf on the client:
>
> [global]
(snip)

>        idmap backend = ad
>        idmap config MYDOMAIN : backend = ad
>        idmap config MYDOMAIN : range = 10000 - 20000
>        idmap config MYDOMAIN : schema_mode = rfc2307
>        winbind nss info = rfc2307
>
> Since this configuration uses the Posix attributes found in the
> rfc2307 schema, I have the uidNumber attribute of users and the
> gidNumber attribute of groups populated with the IDs used in Unix (and
> in the range between 10000 and 20000).

"idmap backend" should be a "writeable" backend such as tdb or ldap.

Anyway, to synchronize UIDs, you can also use "rid" or "ldap" instead of "ad".
If you simply want to sync UIDs, "rid" is a better choice, I think.
For example:

idmap config DOMAIN:range = 1000000 - 1999999
idmap config DOMAIN:base_rid = 0
idmap config DOMAIN:backend = rid

Please refer to the manpages for details.

---
TAKAHASHI Motonobu <[hidden email]>

Re: Winbind & user ID's on multiple servers

Javier Conti
On Mar 10, 2011 12:16 AM, "TAKAHASHI Motonobu" <[hidden email]> wrote:
>
> 2011/3/10 Javier Conti <[hidden email]>:
> > On 9 March 2011 20:13, Mike Auleta <[hidden email]> wrote:
> >> We're looking at setting up Linux Authentication to our AD servers using
> >> winbind and need to know if there is a way to keep all the user IDs in
> >> sync across the Linux servers.  The way I see it now, the user ID is
> >> assigned numerically depending on the order users log in to a server.
> >> Could make for issues if NFS mounted directories are involved.
> >
> > Hi, I'm using AD 2008 R2 as PDC, and have been successful using the
> > following configuration in /etc/samba/smb.conf on the client:
> >
> > [global]
> (snip)
> >        idmap backend = ad
> >        idmap config MYDOMAIN : backend = ad
> >        idmap config MYDOMAIN : range = 10000 - 20000
> >        idmap config MYDOMAIN : schema_mode = rfc2307
> >        winbind nss info = rfc2307
> >
> > Since this configuration uses the Posix attributes found in the
> > rfc2307 schema, I have the uidNumber attribute of users and the
> > gidNumber attribute of groups populated with the IDs used in Unix (and
> > in the range between 10000 and 20000).
>
> "idmap backend" should be a "writeable" backend such as tdb or ldap.

If someone manages user and groups on the AD, thus assigning uidNumbers and
gidNumbers on it, is it still necessary (or a real advantage) for the idmap
backend to be writeable?

Just wondering... Javier

>
> Anyway, to synchronize UIDs, you can also use "rid" or "ldap" instead of "ad".
> If you simply want to sync UIDs, "rid" is a better choice, I think.
> For example:
>
> idmap config DOMAIN:range = 1000000 - 1999999
> idmap config DOMAIN:base_rid = 0
> idmap config DOMAIN:backend = rid
>
> Please refer to the manpages for details.
>
> ---
> TAKAHASHI Motonobu <[hidden email]>

Re: Winbind & user ID's on multiple servers

Andrew Masterson
> -----Original Message-----
> From: [hidden email] [mailto:[hidden email]]
> On Behalf Of Javier Conti
> Sent: Wednesday, March 09, 2011 4:28 PM
> To: TAKAHASHI Motonobu
> Cc: [hidden email]; Mike Auleta
> Subject: Re: [Samba] Winbind & user ID's on multiple servers
>
> On Mar 10, 2011 12:16 AM, "TAKAHASHI Motonobu" <[hidden email]> wrote:
> >
> > 2011/3/10 Javier Conti <[hidden email]>:
> > > On 9 March 2011 20:13, Mike Auleta <[hidden email]> wrote:
> > >> We're looking at setting up Linux Authentication to our AD servers using
> > >> winbind and need to know if there is a way to keep all the user IDs in
> > >> sync across the Linux servers.  The way I see it now, the user ID is
> > >> assigned numerically depending on the order users log in to a server.
> > >> Could make for issues if NFS mounted directories are involved.
> > >
> > > Hi, I'm using AD 2008 R2 as PDC, and have been successful using the
> > > following configuration in /etc/samba/smb.conf on the client:
> > >
> > > [global]
> > (snip)
> > >        idmap backend = ad
> > >        idmap config MYDOMAIN : backend = ad
> > >        idmap config MYDOMAIN : range = 10000 - 20000
> > >        idmap config MYDOMAIN : schema_mode = rfc2307
> > >        winbind nss info = rfc2307
> > >
> > > Since this configuration uses the Posix attributes found in the
> > > rfc2307 schema, I have the uidNumber attribute of users and the
> > > gidNumber attribute of groups populated with the IDs used in Unix (and
> > > in the range between 10000 and 20000).
> >
> > "idmap backend" should be a "writeable" backend such as tdb or ldap.
>
> If someone manages user and groups on the AD, thus assigning uidNumbers and
> gidNumbers on it, is it still necessary (or a real advantage) for the idmap
> backend to be writeable?
>
> Just wondering... Javier
>
> >
> > Anyway, to synchronize UIDs, you can also use "rid" or "ldap" instead of "ad".
> > If you simply want to sync UIDs, "rid" is a better choice, I think.
> > For example:
> >
> > idmap config DOMAIN:range = 1000000 - 1999999
> > idmap config DOMAIN:base_rid = 0
> > idmap config DOMAIN:backend = rid
> >
> > Please refer to the manpages for details.
> >


This is why, if you have a single domain and no weird setup, RID mapping
is best.  You get consistent mapping across all domain member servers
and it's easy to port stuff around.  I messed around with the other
stuff and SFU, but RID is the easiest by far.

-=Andrew
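The point that TAKAHASHI's rid configuration and Andrew's reply both rest on is that the rid backend computes the UID from the account's SID instead of allocating it, so there is no per-server state to keep in sync. The Python script below is an added illustration written for this page; it is not code from the thread or from Samba. It models both strategies on constructed sample SIDs (the domain SID and RIDs are made up), uses the range and base_rid from TAKAHASHI's example, and shows that an allocating backend hands out different UIDs on two servers whose users first log in in a different order, while the rid formula from idmap_rid(8), uid = range low + (RID - base_rid), gives the same answer on every member server.

```python
"""Model of allocating (tdb-style) versus rid idmap behaviour.

Added example for the thread above, not Samba code. All SIDs are constructed.
"""
import re

# Constructed sample domain: SID prefix and per-account RIDs are made up.
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"
ACCOUNTS = {                      # constructed user -> SID
    "alice": f"{DOMAIN_SID}-1104",
    "bob":   f"{DOMAIN_SID}-1105",
    "carol": f"{DOMAIN_SID}-1106",
}

# A domain account SID ends in the account's relative identifier (RID).
SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+-(\d+)$")


def rid_of(sid: str) -> int:
    """Return the RID (last sub-authority) of a domain account SID."""
    m = SID_RE.match(sid)
    if not m:
        raise ValueError(f"not a domain account SID: {sid}")
    return int(m.group(1))


def rid_map(sid: str, range_low: int, range_high: int, base_rid: int = 0) -> int:
    """Model of the rid backend: a stateless SID -> UID function.

    The ID is refused when it falls outside the configured range (winbind
    reports no mapping), so the range must cover the largest RID the domain
    will ever allocate.
    """
    uid = range_low + (rid_of(sid) - base_rid)
    if not range_low <= uid <= range_high:
        raise ValueError(f"RID {rid_of(sid)} maps to {uid}, outside {range_low}-{range_high}")
    return uid


class AllocatingBackend:
    """Model of a per-server allocating backend (tdb style).

    Each server keeps its own counter and gives the next free ID to the first
    SID it has not seen; nothing ties two servers' counters together, which
    is exactly the NFS concern in the original question.
    """

    def __init__(self, range_low: int):
        self._next = range_low
        self._table: dict[str, int] = {}

    def map(self, sid: str) -> int:
        if sid not in self._table:
            self._table[sid] = self._next
            self._next += 1
        return self._table[sid]


def allocating_uids(login_order: list[str], range_low: int = 10000) -> dict[str, int]:
    """UIDs one server assigns, given the order users first log in there."""
    server = AllocatingBackend(range_low)
    return {user: server.map(ACCOUNTS[user]) for user in login_order}


def rid_uids(range_low: int = 1000000, range_high: int = 1999999,
             base_rid: int = 0) -> dict[str, int]:
    """UIDs every rid-configured server computes, independent of login order."""
    return {user: rid_map(sid, range_low, range_high, base_rid)
            for user, sid in ACCOUNTS.items()}


if __name__ == "__main__":
    # Two servers sharing an NFS export, with users first logging in in different orders.
    server_a = allocating_uids(["alice", "bob", "carol"])
    server_b = allocating_uids(["carol", "alice", "bob"])
    print("allocating backend A:", server_a)   # alice -> 10000
    print("allocating backend B:", server_b)   # alice -> 10001: file ownership diverges
    print("rid backend (any server):", rid_uids())   # alice -> 1001104 everywhere
```

Because the formula uses only the RID and ignores the domain part of the SID, each domain needs its own non-overlapping range; that is the "single domain and no weird setup" condition Andrew names, and it is also why the range has to be sized for the highest RID the domain will reach rather than for the number of users.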

Re: Winbind & user ID's on multiple servers

Mike Auleta
This addressed exactly what I was trying to accomplish.  Rid mapping is
your friend for this.
