Steven Sim wrote:
> I've been trying to configure SAMBA 4 on OpenSolaris snv_128a with ZFS
> and while reading discovered the inbuilt ZFS CIFS facility.
> It's wonderful but may I know whether it's possible in any way to
> emulate a Windows PDC using the CIFS services alone without additional
> SAMBA software?
> Like Windows LOGON BAT scripts etc...

No. Solaris CIFS provides only file service support; it does not provide
any domain controller support.

> I've also a question with regards to CIFS idmap and LDAP services.
> Would a normal Solaris compliant LDAP NSS schema be sufficient to
> integrate Solaris UID/GID with additional entries for Windows SIDs?

No. You must provide additional attributes that specify the Windows name
that corresponds to a particular UNIX user.

> From
> http://dlc.sun.com/osol/docs/content/SSMBAG/mapusergroupidentities.html
> it states ..
> "*Directory-based mapping.* If configured, idmapd first tries to use
> name mapping information that is stored in user or group objects in the
> Active Directory (AD), in the native LDAP directory service, or in both.
> For instance, an AD object for a particular Windows user or group can be
> augmented to include the corresponding Solaris user or group name.
> *Similarly, the native LDAP object for a particular Solaris user or
> group can be augmented* to include the corresponding Windows user or
> group name."
> How does one go about "augmenting" the native LDAP object?

See the companion task map:
http://dlc.sun.com/osol/docs/content/SSMBAG/managedirbasedusergroupmapstm.html
Unfortunately, it has the two strategies (augmenting AD and augmenting
native LDAP) interwoven; you will need to untwine them.

> I can easily set up Sun DSEE to act as a user/group naming service for an
> OpenSolaris server but would this be enough to accommodate the
> "corresponding Windows user or group name"?

You must add attributes to your LDAP schema, populate them with the
corresponding Windows u...@domain values, and configure idmap to use the
newly added attributes.

I should note that we're trying to make the whole identity mapping picture
simpler, and this "native LDAP" mapping scheme is one of the things that
we're thinking of removing as adding more complexity than value. I would
encourage you to look into other approaches - in particular, look at
Microsoft's Identity Mapping for UNIX (IDMU), which lets you specify UIDs
in your Active Directory data. Configured properly, you should be able to
serve both your UNIX and Windows directory needs out of a single Active
Directory installation.

This decision has not yet been made, and so if the "native LDAP" mapping
scheme is uniquely suited to your needs we'd be interested in your input on
the question.