Thanks for the answers to those questions. More info/questions below...
Jordan Brown wrote:
A few additional tidbits:
If you can guarantee that for all users and groups the UNIX and AD
names are the same (or that there is no corresponding user/group on
the other side), you can configure Directory based name mapping to use
one of the standard AD attributes, probably sAMAccountName.
sAMAccountName is what the user interface calls the "Pre-Windows 2000
Logon Name".
That's the rub. At the moment the IT-run AD database (Win2003R2 with the
integrated SFU schema) has them all the same, but their advice is not to
assume they always will, though.
If you cannot guarantee that the UNIX and AD names are the same - if,
for instance, my AD name might be "jordan" while my UNIX name is
"jb1234" - you will need to arrange to put the UNIX name into some AD
attribute. You could perhaps abuse some existing AD attribute for the
purpose, or could add a new attribute to your AD schema. You must
then populate that attribute for all of the users you want mapped.
You *may* be able to use one AD directory for both your UNIX and
Windows name service. To do so will require the optional "Identity
Management for UNIX" component of AD. You will then need to have your
UNIX systems either use the NIS maps exported by the "Server for NIS"
component of AD, or directly use LDAP served by AD. We have not
tested either of these configurations, and the required LDAP
configuration is rather technical.
Given that the IT dept. has the extended W2k3R2 SFU schema installed
and populated, and the NIS service running, I think that that might be
the smart route to go.
I'm just not sure where I need to configure the mess of domain/realm
names.
DNS for xyz.COM and CORP.xyz.COM is run by the IT dept, and served by
the W2k3R2 AD servers.
From there they have delegated DNS responsibilities to me for
eng.xyz.COM, and lab.xyz.COM.
All the Windows client machines are in the CORP.xyz.Domain and all the
users log in as CORP\username.
So is the right AD domain CORP.xyz.COM? or xyz.COM?
Ditto for the Kerberos realm?
The DNS I run has all my Solaris and Linux machines in 'lab' and 'eng'
DNS subdomains, so naturally I have those domains listed first in the
/etc/resolv.conf config. I read something about needing to put the AD
first in the resolv.conf? Is that true?
That will make local DNS lookups pretty inefficient.
Thanks for all your help!
-Kyle
Hope that helps.
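The sticking point above is whether sAMAccountName can be trusted as the UNIX name for every user. The script below is an added example (not from the thread or from the Solaris CIFS code) that walks an LDIF export of AD users and reports which ones break that assumption; it assumes the UNIX login name is stored in the RFC 2307 `uid` attribute and uses constructed sample entries.

```python
import re

# Constructed LDIF-style export of four AD users (not real data).  The
# attribute holding the UNIX login name is assumed to be 'uid' (RFC 2307
# attribute used by the R2 IdMU schema); change UNIX_ATTR if yours differs.
UNIX_ATTR = "uid"
SAMPLE_LDIF = """\
dn: CN=Jordan Brown,CN=Users,DC=corp,DC=xyz,DC=com
sAMAccountName: jordan
uid: jordan

dn: CN=Kyle,CN=Users,DC=corp,DC=xyz,DC=com
sAMAccountName: kyle
uid: kyle

dn: CN=Jordan B,CN=Users,DC=corp,DC=xyz,DC=com
sAMAccountName: jordan2
uid: jb1234

dn: CN=Backup Service,CN=Users,DC=corp,DC=xyz,DC=com
sAMAccountName: svc_backup
"""

def parse_ldif(text):
    """Split an LDIF dump into one dict per entry (attribute names lower-cased)."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = {}
        for line in block.splitlines():
            if ":" in line:
                k, v = line.split(":", 1)
                entry[k.strip().lower()] = v.strip()
        entries.append(entry)
    return entries

def name_mapping_report(entries, unix_attr=UNIX_ATTR):
    """'same': sAMAccountName mapping works; 'differs': needs an explicit
    UNIX-name attribute; 'no_unix': no UNIX name stored in AD at all."""
    report = {"same": [], "differs": [], "no_unix": []}
    for e in entries:
        win, unix = e.get("samaccountname"), e.get(unix_attr)
        if unix is None:
            report["no_unix"].append(win)
        elif win == unix:          # UNIX names are case-sensitive: exact match
            report["same"].append(win)
        else:
            report["differs"].append((win, unix))
    return report

def samaccountname_mapping_is_safe(report):
    """True only when no user has a UNIX name differing from the AD name."""
    return not report["differs"]
```

Users in the `no_unix` bucket are only harmless if no UNIX account of the same name exists on the other side, which is exactly the condition the reply spells out.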
_______________________________________________
cifs-discuss mailing list
[email protected]
http://mail.opensolaris.org/mailman/listinfo/cifs-discuss