Kyle McDonald wrote:
> Jordan Brown wrote:
>> If you can guarantee that for all users and groups the UNIX and AD
>> names are the same (or that there is no corresponding user/group on
>> the other side), you can configure Directory-based name mapping to use
>> one of the standard AD attributes, probably sAMAccountName.
>> sAMAccountName is what the user interface calls the "Pre-Windows 2000
>> Logon Name".
> That's the rub. At the moment the IT-run AD database (Win2003R2 with the
> integrated SFU schema) has them all the same, but their advice is not to
> assume they always will.

If it were me, I'd make it a rule that the names have to be the same in the
two environments. It'll make life much easier for everybody, and it sounds
like you don't have a legacy of misalignment that you must live with.

>> You *may* be able to use one AD directory for both your UNIX and
>> Windows name service. To do so will require the optional "Identity
>> Management for UNIX" component of AD. You will then need to have your
>> UNIX systems either use the NIS maps exported by the "Server for NIS"
>> component of AD, or directly use LDAP served by AD. We have not
>> tested either of these configurations, and the required LDAP
>> configuration is rather technical.
> Given that the IT dept. has the extended W2k3R2 SFU schema installed
> and populated, and the NIS service running, I think that might be
> the smart route to go.

Note that if you use the same directory for both environments, that ensures
that you use the same names in both environments.

> I'm just not sure where I need to configure the mess of domain/realm
> names.
> DNS for xyz.COM and CORP.xyz.COM is run by the IT dept, and served by
> the W2k3R2 AD servers.
> From there they have delegated DNS responsibilities to me for
> eng.xyz.COM and lab.xyz.COM.
> All the Windows client machines are in the CORP.xyz.COM domain and all the
> users log in as CORP\username.
> So is the right AD domain CORP.xyz.COM? Or xyz.COM?
> Ditto for the Kerberos realm?

Sorry, I didn't connect the dots between this message and your previous
one, and hadn't realized you were the guy with the "split" environment.
I am not completely sure, but I think you want to do something along these
lines:
- Add eng.xyz.com and lab.xyz.com as new domains in the same forest as
corp.xyz.com. (You might make them all subdomains of xyz.com, but I don't
think it's required.)
- Have your Solaris system join whatever domain you want it to be in,
probably either eng.xyz.com or lab.xyz.com. This should match where the
system appears in DNS.
- Continue to copy NIS maps from corp.xyz.com and publish them (updated as
required) in your local NIS domain.
Net, you'll be autonomous for NIS purposes - you can do whatever you like
to the maps - but for AD purposes you will be close personal friends with
corp.xyz.com and CORP\username users will be able to log in through CIFS.

> The DNS I run has all my Solaris and Linux machines in 'lab' and 'eng'
> DNS subdomains, so naturally I have those domains listed first in the
> /etc/resolv.conf config. I read something about needing to put the AD
> first in the resolv.conf? Is that true?
> That will make local DNS lookups pretty inefficient.

Do you mean the domain search list, or the servers?
I don't think the search list matters here. Put whatever in your search
list will make life easier for you.
In a sense, the server list shouldn't matter. All servers should be able
to resolve all requests, either because they know the answer or because
they can figure out who to ask.
If your servers are *not* all capable of answering all questions - for
instance, for some purposes my test systems live in a DNS domain that our
IT organization doesn't know about, and so queries about them need to go to
my DNS servers and not the IT DNS servers - then you need to ensure that
your resolv.conf lists *only* the servers that know about your domains. It
would be bad if you had some servers in the list that could answer a
particular question and some that could not; you could see intermittent
failures depending on which servers are up at any given moment.
Unless the other DNS servers are on the other side of the world, I wouldn't
really worry about efficiency. DNS queries are pretty fast and light.
Even if the servers *are* on the other side of the world, I wouldn't be
very concerned; Solaris caches name service lookups and so you shouldn't
see much cost anyway.
_______________________________________________
cifs-discuss mailing list
[email protected]
http://mail.opensolaris.org/mailman/listinfo/cifs-discuss
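A check for the two resolv.conf points Jordan makes above (the search list is a matter of convenience, but every server in the nameserver list has to be able to answer for every zone the host relies on, or lookups fail intermittently), written as an added example that is not code from the thread or from OpenSolaris. It parses a resolv.conf, asks each listed server directly for each zone's SOA with BIND's dig, and reports servers that can answer some zones but not others. The zone names, the 192.0.2.x addresses, the sample resolv.conf and the stand-in probe table are constructed assumptions, not anything from the thread.

```python
"""Resolver consistency check for a split DNS environment.

Added example for the resolv.conf discussion in the thread above; it is
not code from the thread or from OpenSolaris.  It reads a resolv.conf,
asks every listed nameserver directly for the SOA of every zone the
host depends on, and reports servers that can answer some zones but not
others (the source of intermittent lookup failures).  Zone names,
addresses and the sample file are constructed assumptions.
"""
import subprocess
from typing import Callable, Dict, List

# Zones the split eng/lab/corp environment relies on (assumed from the thread).
ZONES = ["corp.xyz.com", "eng.xyz.com", "lab.xyz.com"]

# Constructed sample resolv.conf; not taken from any real host.
SAMPLE_RESOLV_CONF = """\
domain lab.xyz.com
search lab.xyz.com eng.xyz.com corp.xyz.com xyz.com
nameserver 192.0.2.10   ; lab DNS (assumed to know eng/lab and forward corp)
nameserver 192.0.2.53   # IT/AD DNS (assumed to know corp.xyz.com only)
"""


def parse_resolv_conf(text: str) -> Dict[str, List[str]]:
    """Return {'nameserver': [...], 'search': [...]} from resolv.conf text.

    Both '#' and ';' start comments.  'domain' and 'search' both set the
    search list and the last one seen wins, as in the stock resolver.
    """
    servers: List[str] = []
    search: List[str] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        key, *args = line.split()
        if key == "nameserver" and args:
            servers.append(args[0])
        elif key in ("search", "domain") and args:
            search = args
    return {"nameserver": servers, "search": search}


def dig_probe(server: str, zone: str) -> bool:
    """Ask SERVER directly for ZONE's SOA using the real `dig` tool.

    True if an answer came back; needs network access and BIND's dig.
    """
    cmd = ["dig", "+short", "+time=2", "+tries=1", "SOA", zone, "@" + server]
    try:
        out = subprocess.run(cmd, capture_output=True, text=True,
                             timeout=10, check=False)
    except (OSError, subprocess.TimeoutExpired):
        return False
    return out.returncode == 0 and out.stdout.strip() != ""


def check_resolvers(conf_text: str, zones: List[str] = ZONES,
                    probe: Callable[[str, str], bool] = dig_probe) -> Dict:
    """Probe every listed server for every zone and report inconsistencies.

    Returns {'ok': bool, 'search': [...], 'findings': [...]}.  A finding is
    raised when a zone is answered by some listed servers but not others,
    when no listed server answers a zone, or when a server answers nothing.
    """
    conf = parse_resolv_conf(conf_text)
    results = {s: {z: probe(s, z) for z in zones} for s in conf["nameserver"]}
    findings: List[str] = []
    if not results:
        findings.append("no nameserver lines in resolv.conf")
    for zone in zones:
        good = [s for s in results if results[s][zone]]
        bad = [s for s in results if not results[s][zone]]
        if good and bad:
            findings.append(f"{zone}: answered by {good} but not by {bad}; "
                            "lookups will fail intermittently")
        elif results and not good:
            findings.append(f"{zone}: no listed server can answer")
    for server, per_zone in results.items():
        if not any(per_zone.values()):
            findings.append(f"{server}: answers none of the zones; remove it")
    return {"ok": not findings, "search": conf["search"], "findings": findings}


def fake_probe(server: str, zone: str) -> bool:
    """Stand-in for dig with constructed answers, so the check runs offline."""
    knows = {"192.0.2.10": {"corp.xyz.com", "eng.xyz.com", "lab.xyz.com"},
             "192.0.2.53": {"corp.xyz.com"}}
    return zone in knows.get(server, set())


if __name__ == "__main__":
    # Use probe=dig_probe (the default) to check a live host instead.
    report = check_resolvers(SAMPLE_RESOLV_CONF, probe=fake_probe)
    print("search list:", " ".join(report["search"]))
    for finding in report["findings"]:
        print("FINDING:", finding)
```

Against a real host, pass the contents of /etc/resolv.conf and leave probe at its default so dig is used. Probing each listed server for each zone separately is what turns "sometimes lookups fail" into a deterministic finding naming the server that cannot answer; the search list is reported only so its order can be eyeballed, since it does not affect which server answers.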