[COLUG] Samba3 + ActiveDirectory
Scott Merrill
skippy at skippy.net
Wed Aug 16 15:36:17 EDT 2006
Dane Miller wrote:
> Scott Merrill wrote:
>> Samba3 supports several different mechanisms to map Windows SIDs to
>> Linux UIDs and GIDs. Of the options available to me, I would
>> _greatly_ prefer to use the idmap_rid plugin:
>
> Hi Scott. I'm interested in your setup... Why do you prefer idmap_rid
> over native winbind (i.e., why do you need predictable SID->UID/GID
> mapping?)
My (desired) setup is this:
* Active Directory for user and machine accounts (this happens whether I
desire it or not ;) )
* Linux machines join AD domain
* Linux machines mount a centralized home directory share from somewhere
In addition to single-sign-on, we also want to have a _single_ home
directory for each user, regardless of whether they log in from a
Windows or a Linux machine.
In order to ensure permissions are applied properly on the home
directories, it is my understanding that the UIDs on the Linux machines
must be the same every time, regardless of which particular Linux machine
they're using: so user "skippy" has the same UID on every machine on
which he might log in. If I am in error on this, do please let me know,
as things would probably be greatly simplified.
This link:
http://thelazyadmin.com/index.php?/archives/383-LinuxUnix-Active-Directory-Authentication-Integration-Part-2.html
shows some of the ways to handle the SID<->UID mapping.
This page:
http://blog.scottlowe.org/2006/08/08/linux-active-directory-and-windows-server-2003-r2-revisited/e
shows how to handle this with Windows Server 2003 R2, which includes the
extended schema (which means I wouldn't need to extend the schema
myself). Because the schema is already extended, one can use the AD
server as the LDAP repository for the mapping information.
I would have preferred to use the idmap_rid plugin because it seems to
have _considerably_ lower overhead: a single configuration line in the
smb.conf file, no LDAP, no fooling around with the AD server, etc. etc.
I don't want to create another LDAP server if I don't need to, so I'm
now going to begin testing using the AD server as the LDAP repository,
as documented in the second link above.
--
skippy at skippy.net | http://skippy.net/
gpg --keyserver pgp.mit.edu --recv-keys 9CFA4B35
506C F8BB 17AE 8A05 0B49 3544 476A 7DEC 9CFA 4B35
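As an added illustration (not code from the thread or from Samba), the following Python models the arithmetic the idmap_rid backend documents, ID = RID - BASE_RID + LOW_RANGE_ID, together with the range and domain checks that make the mapping identical on every host sharing the same smb.conf; the domain SID and ID range are constructed values.

```python
import re

# Constructed sample: a domain SID and the kind of per-domain ID range that
# idmap_rid is configured with (hypothetical values, not from the post).
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"
LOW_RANGE_ID = 10000
HIGH_RANGE_ID = 20000
BASE_RID = 0  # idmap_rid's default base RID

SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$")


def split_sid(sid: str):
    """Return (domain_sid, rid) for a SID string; raise ValueError if malformed."""
    if not SID_RE.match(sid):
        raise ValueError(f"malformed SID: {sid!r}")
    domain, _, rid = sid.rpartition("-")
    return domain, int(rid)


def rid_to_id(sid: str, domain_sid: str = DOMAIN_SID, low: int = LOW_RANGE_ID,
              high: int = HIGH_RANGE_ID, base_rid: int = BASE_RID):
    """Map a SID to a Unix ID the way idmap_rid does: ID = RID - BASE_RID + LOW.

    Users and groups share one number space because RIDs are unique per domain.
    Returns None for a SID from another domain, or when the computed ID falls
    outside the configured range: in both cases winbind cannot map it, so the
    account has no usable UID/GID on this host.
    """
    domain, rid = split_sid(sid)
    if domain != domain_sid:
        return None
    unix_id = rid - base_rid + low
    if unix_id < low or unix_id > high:
        return None
    return unix_id


def id_to_sid(unix_id: int, domain_sid: str = DOMAIN_SID, low: int = LOW_RANGE_ID,
              high: int = HIGH_RANGE_ID, base_rid: int = BASE_RID):
    """Reverse mapping (used when a file's owner UID must be shown as a SID)."""
    if unix_id < low or unix_id > high:
        return None
    return f"{domain_sid}-{unix_id - low + base_rid}"
```

Because no state is stored, two hosts with the same range settings compute the same UID for a given SID, which is the predictability the thread is after; a host configured with a different range would silently assign different IDs to the same users.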