Hi all,
I'm making my way through the 'CIFS Administration Guide' and the
'System Administration Guide: Naming and Directory Services (DNS, NIS,
and LDAP)' and my head is swimming.
I'll admit that I don't know that much about Windows/AD.
If anyone has the time to read all this, I'd love to hear suggestions,
or pro and cons of the 2 ideas I list below.
Background:
I need to set up several ZFS file servers, mainly to share NFS to Solaris
and Linux clients, but there is also a need for CIFS access to many of
the files.
The IT group here maintains an AD server for either xyz.com or
CORP.xyz.com (I'm not sure - all the machines and users belong to the
CORP Windows domain). The AD servers they use have the newer bundled
versions of 'Services For Unix' installed, and the AD schema has been
expanded to include the traditional UNIX information:
$ ldapsearch -LLL -H 'ldaps://dc1.CORP.xyz.com/' -b 'dc=corp,dc=xyz,dc=com' \
    -D '[email protected]' -xW 'samaccountname=user2' \
    uid uidNumber gidNumber unixHomeDirectory loginShell \
    msSFU30NisDomain msSFU30PosixMemberOf
dn: CN=User\, 2,OU=All Users,DC=corp,DC=xyz,DC=com
uid: user2
msSFU30NisDomain: corp
msSFU30PosixMemberOf: CN=software,OU=nis,DC=corp,DC=xyz,DC=com
msSFU30PosixMemberOf: CN=eng,OU=Distribution Groups,DC=corp,DC=xyz,DC=com
uidNumber: 1234
gidNumber: 1001
unixHomeDirectory: /home/user2
loginShell: /bin/sh
IT and I have successfully delegated 2 DNS domains to other non-AD DNS
servers in the company. I manage one of these new DNS subdomains
'eng.xyz.com'. I have BIND on Solaris serving this domain nicely.
I have in the past set up automated merging of the password and group
info from the 'corp' NIS domain into my own 'eng' NIS domain. I created
my own NIS domain in order to have local control over the automount
maps, and a few other locally grown NIS maps that are used by other
scripts and tools I've written.
So given that, I see basically 2 choices. The first I'm not sure will
work, but it might be easier if it does. The second is
probably the smarter move, but it will need more research, learning, and
convincing of others that it's a good idea:
Idea 1 - Stick with NIS.
* Linux and Solaris NFS clients all continue to bind to the 'eng' NIS
domain, which is already kept in sync with the CORP one.
* NFS/CIFS Servers get configured how?
- WildCard rule based mapping locally on each server:
Should work since the AD->NIS syncing should keep the
usernames in sync?
- Directory based mapping:
Should I have the server use AD(LDAP?) name service locally?
or leave the nsswitch.conf set for NIS?
Idea 2 - Switch to LDAP.
* Replace eng NIS servers with local LDAP servers. Populate my
automount and other LDAP "tables" locally, set up referrals (I think
that's what they're called) so that password and group lookups 'fall
through' to the AD LDAP servers.
* Configure all Linux and Solaris NFS clients to use LDAP and direct
them to the new Solaris based LDAP servers.
* NFS/CIFS Servers get configured how?
- WildCard based rule mapping?
- Directory based mapping?
Questions:
1) I think I'm still not clear on the difference between having a
Solaris server "Join" an AD domain, and just setting it to use the LDAP
name service from an LDAP server that happens to be running Windows/AD?
2) Given that the directory appears to have the mapping info in place,
I'm inclined to use directory based mapping. If I do,
"joining" the domain is only required for the NFS/CIFS servers, correct?
3) Does Rule based mapping still require joining the AD Domain?
4) Can a host in the 'eng' DNS subdomain join the 'CORP' AD domain?
(Given how the resolv.conf works I don't think so.)
5) How would using 'Work Group' mode instead of joining the domain change
things?
6) Any other tips and/or suggestions?
Thanks in advance!
-Kyle
_______________________________________________
cifs-discuss mailing list
[email protected]
http://mail.opensolaris.org/mailman/listinfo/cifs-discuss
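An added example (not from the post or from the Solaris guides) of the AD-to-NIS passwd/group merge Kyle describes: it parses the flat ldapsearch -LLL output shown above, builds passwd(5)-style map lines from the SFU attributes and group membership from msSFU30PosixMemberOf, and drops any entry whose uidNumber would collide with root or system accounts on the NFS servers. The second LDIF entry and the MIN_UID cutoff are constructed assumptions for the example.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample in the shape of the post's ldapsearch -LLL output; the
# second entry is made up to exercise the safety check (a UID 0 coming from AD).
SAMPLE_LDIF = """\
dn: CN=User\\, 2,OU=All Users,DC=corp,DC=xyz,DC=com
uid: user2
msSFU30NisDomain: corp
msSFU30PosixMemberOf: CN=software,OU=nis,DC=corp,DC=xyz,DC=com
msSFU30PosixMemberOf: CN=eng,OU=Distribution Groups,DC=corp,DC=xyz,DC=com
uidNumber: 1234
gidNumber: 1001
unixHomeDirectory: /home/user2
loginShell: /bin/sh

dn: CN=Bad Admin,OU=All Users,DC=corp,DC=xyz,DC=com
uid: badadmin
uidNumber: 0
gidNumber: 0
unixHomeDirectory: /root
loginShell: /bin/sh
"""

MIN_UID = 1000  # assumption: anything below this is a local system account, never an AD user

def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Parse plain 'attr: value' LDIF (as ldapsearch -LLL prints it) into per-entry multi-valued dicts."""
    entries: List[Dict[str, List[str]]] = []
    cur: Dict[str, List[str]] = {}
    for line in text.splitlines():
        if not line.strip():          # blank line ends an entry
            if cur:
                entries.append(cur)
                cur = {}
            continue
        attr, _, value = line.partition(": ")
        cur.setdefault(attr, []).append(value)
    if cur:
        entries.append(cur)
    return entries

def passwd_line(entry: Dict[str, List[str]]) -> Optional[str]:
    """Return a passwd(5) line for a POSIX-enabled AD entry, or None if it is missing attributes or unsafe."""
    try:
        name, uid, gid = entry["uid"][0], int(entry["uidNumber"][0]), int(entry["gidNumber"][0])
    except (KeyError, ValueError):
        return None                   # not SFU-enabled: skip rather than invent an ID
    if uid < MIN_UID or gid < MIN_UID:
        return None                   # would map to root/system accounts on every NFS server
    home = entry.get("unixHomeDirectory", ["/"])[0]
    shell = entry.get("loginShell", ["/bin/false"])[0]
    return f"{name}:x:{uid}:{gid}::{home}:{shell}"

def posix_groups(entry: Dict[str, List[str]]) -> List[str]:
    """Group names (the CN, with escaped commas allowed) from each msSFU30PosixMemberOf DN."""
    names = []
    for dn in entry.get("msSFU30PosixMemberOf", []):
        m = re.match(r"CN=((?:\\.|[^,])+)", dn)
        names.append(m.group(1) if m else dn)
    return names

def build_maps(text: str) -> Tuple[List[str], Dict[str, List[str]]]:
    """Return (passwd map lines, {group: [members]}) for every entry that passes the checks."""
    passwd, groups = [], {}
    for e in parse_ldif(text):
        line = passwd_line(e)
        if line is None:
            continue
        passwd.append(line)
        for g in posix_groups(e):
            groups.setdefault(g, []).append(e["uid"][0])
    return passwd, groups
```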