Mr. Brown;
Thanks for your swift, to the point and very effective reply!
Firstly, please forgive me if my statements below do not make any
sense. My superficial understanding of the technology may lead me to
state things which are foolish and irrelevant.
Bear with me.
I am seeking to craft a solution with the following features and
properties:
- Windows PDC or AD emulation with replication across CIFS server boxes.
- Windows client domain logon with DOS BATCH scripts.
- Synergy between Windows user logon and Unix users.
- ZFS constant-time rotational snapshots (I've crafted a script for this, so this is done).
- Roll-back feature with the Windows "Previous Version" tab. (The current ZFS CIFS service does this very well with ZFS snapshots!) Awesome work by your team!
- Dedup (> snv_128a).
- Dedup replication (not yet tested, but theoretically possible with zfs send -D).
The objective is to craft a minimum two box solution with ZFS dedup
replication across the boxes and PDC/AD services also replicating
across the same boxes. So if one fails...
SAMBA 4.0 is supposed to have integrated limited AD LDAP and Kerberos
features into the mix. I would love to have that and in fact have
been trying to compile SAMBA 4.0 on snv_128a (x64) to no avail.
If PDC and/or AD is not in the road map, I was thinking to set up SAMBA
4.0 in a Sun Linux Zone and have that act as the PDC while configuring
CIFS (in another zone) to authenticate against the emulated PDC.
Would that make sense or am I talking nonsense?
Warmest Regards
Steven Sim
Jordan Brown wrote:
> Steven Sim wrote:
>> I've been trying to configure SAMBA 4 on
>> OpenSolaris snv_128a with ZFS and while reading discovered the built-in
>> ZFS CIFS facility.
>> It's wonderful, but may I know whether it's possible in any way to
>> emulate a Windows PDC using the CIFS services alone without additional
>> SAMBA software?
>> Like Windows LOGON BAT scripts etc...
> No. Solaris CIFS provides only file service support; it does not
> provide any domain controller support.
>> I've also a question with regards to CIFS
>> idmap and LDAP services.
>> Would a normal Solaris-compliant LDAP NSS schema be sufficient to
>> integrate Solaris UID/GID with additional entries for Windows SIDs?
> No. You must provide additional attributes that specify the Windows
> name that corresponds to a particular UNIX user.
>> From
>> http://dlc.sun.com/osol/docs/content/SSMBAG/mapusergroupidentities.html
>> it states:
>> "*Directory-based mapping.* If configured, idmapd first tries to use
>> name mapping information that is stored in user or group objects in the
>> Active Directory (AD), in the native LDAP directory service, or in
>> both. For instance, an AD object for a particular Windows user or group
>> can be augmented to include the corresponding Solaris user or group
>> name. *Similarly, the native LDAP object for a particular Solaris
>> user or group can be augmented* to include the corresponding Windows
>> user or group name."
>> How does one go about "augmenting" the native LDAP object?
> See the companion task map:
> http://dlc.sun.com/osol/docs/content/SSMBAG/managedirbasedusergroupmapstm.html
> Unfortunately, it has the two strategies (augmenting AD and augmenting
> native LDAP) interwoven; you will need to untwine them.
>> I can easily set up Sun DSEE to act as a
>> user/group naming service for an OpenSolaris server, but would this be
>> enough to accommodate the "corresponding Windows user or group name"?
> You must add attributes to your LDAP schema, populate them with the
> corresponding Windows u...@domain values, and configure idmap to use
> the newly added attributes.
> I should note that we're trying to make the whole identity mapping
> picture simpler, and this "native LDAP" mapping scheme is one of the
> things that we're thinking of removing as adding more complexity than
> value. I would encourage you to look into other approaches - in
> particular, look at Microsoft's Identity Mapping for UNIX (IDMU), which
> lets you specify UIDs in your Active Directory data. Configured
> properly, you should be able to serve both your UNIX and Windows
> directory needs out of a single Active Directory installation.
> This decision has not yet been made, and so if the "native LDAP"
> mapping scheme is uniquely suited to your needs we'd be interested in
> your input on the question.
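A check a practitioner might run before pointing idmap at augmented native-LDAP entries, as an added example that is not part of this thread or of the Solaris idmap code: it reads constructed LDIF, assumes a custom attribute named `winAccountName` (the real attribute name is whatever you add to your schema), and flags Windows names that are malformed or shared by two UNIX users, since such an ambiguous mapping means two accounts could resolve to the same SID.

```python
import re
from collections import defaultdict
# Constructed LDIF sample (added example, not from the list thread): alice is
# clean, carol reuses alice's Windows name, dave's value is not user@domain.
# `winAccountName` is an assumed custom attribute, not a standard schema name.
SAMPLE_LDIF = """\
dn: uid=alice,ou=People,dc=example,dc=com
uid: alice
winAccountName: alice@example.com

dn: uid=carol,ou=People,dc=example,dc=com
uid: carol
winAccountName: alice@example.com

dn: uid=dave,ou=People,dc=example,dc=com
uid: dave
winAccountName: dave
"""

WIN_ATTR = "winAccountName"
WINNAME_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")  # user@fqdn form idmap expects

def parse_ldif(text):
    # Minimal LDIF reader: blank-line separated entries of "attr: value" lines.
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = defaultdict(list)
        for line in block.splitlines():
            attr, _, value = line.partition(": ")
            entry[attr].append(value.strip())
        entries.append(dict(entry))
    return entries

def check_mappings(entries, win_attr=WIN_ATTR):
    # Returns sorted (uid, problem) pairs; an empty list means one-to-one, well-formed.
    problems, owners = [], defaultdict(list)
    for e in entries:
        uid = e.get("uid", ["?"])[0]
        names = e.get(win_attr, [])
        if len(names) != 1:
            problems.append((uid, "expected exactly one %s" % win_attr))
            continue
        name = names[0].lower()  # Windows names are case-insensitive
        if not WINNAME_RE.match(name):
            problems.append((uid, "not user@domain: %r" % names[0]))
        owners[name].append(uid)
    for name, uids in owners.items():
        if len(uids) > 1:
            problems.append((",".join(sorted(uids)), "same Windows name %s" % name))
    return sorted(problems)
```

Run it against an `ldapsearch -LLL` dump of your people container instead of the constructed sample; an empty result is what you want before enabling directory-based mapping.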
_______________________________________________
cifs-discuss mailing list
[email protected]
http://mail.opensolaris.org/mailman/listinfo/cifs-discuss