- Solaris CIFS server only runs in the global zone.
- You cannot use Samba with the Solaris idmap service; Samba has its own ID mapping mechanisms.
- This is not the right forum for Samba specific issues/questions.
- I thought Samba 4.0 is not production-quality software yet!?
Afshin
Steven Sim wrote:
Mr. Brown;
Thanks for your swift, to the point and very effective reply!
Firstly, please forgive me if my statements below do not make any sense.
My superficial understanding of the technology may lead me to state
things which are foolish and irrelevant.
Bear with me.
I am seeking to craft a solution with the following features and properties:
1. Windows PDC or AD Emulation with replication across CIFS server boxes.
2. Windows client domain logon with DOS BATCH scripts
3. Synergy between Windows user logon and Unix users
4. ZFS constant time rotational snapshots (I've crafted a script for this so this is done).
5. Roll back feature with Windows "Previous Version" tab. (Current
ZFS CIFS Service does this very well with ZFS snapshots!). Awesome
work by your team!
6. Dedup ( > snv_128a)
7. Dedup replication (not yet tested but theoretically possible with zfs send -D)
The objective is to craft a minimum two box solution with ZFS dedup
replication across the boxes and PDC/AD services also replicating across
the same boxes. So if one fails...
SAMBA 4.0 is supposed to have integrated limited AD LDAP and Kerberos
features into the mix. I would love to have that and in fact have been
trying to compile SAMBA 4.0 on snv_128a (x64) to no avail.
If PDC and/or AD is not in the road map, I was thinking to setup SAMBA
4.0 on a Sun Linux Zone and have that act as the PDC while configuring
CIFS (in another zone) to authenticate against the emulated PDC.
Would that make sense or am I talking nonsense?
Warmest Regards
Steven Sim
Jordan Brown wrote:
Steven Sim wrote:
I've been trying to configure SAMBA 4 on opensolaris snv_128a with
ZFS and while reading discovered the built-in ZFS CIFS facility.
It's wonderful but may I know whether it's possible in any way to
emulate a Windows PDC using the CIFS services alone without
additional SAMBA software?
Like Windows LOGON BAT scripts etc...
No. Solaris CIFS provides only file service support; it does not
provide any domain controller support.
I've also a question with regards to CIFS idmap and LDAP services.
Would a normal Solaris compliant LDAP NSS schema be sufficient to
integrate Solaris UID/GID with additional entries for Windows SIDs?
No. You must provide additional attributes that specify the Windows
name that corresponds to a particular UNIX user.
From
http://dlc.sun.com/osol/docs/content/SSMBAG/mapusergroupidentities.html
it states:
"*Directory-based mapping.* If configured, idmapd first tries to use
name mapping information that is stored in user or group objects in
the Active Directory (AD), in the native LDAP directory service, or
in both. For instance, an AD object for a particular Windows user or
group can be augmented to include the corresponding Solaris user or
group name. Similarly, the native LDAP object for a particular
Solaris user or group can be augmented to include the
corresponding Windows user or group name."
How does one go about "augmenting" the native LDAP object?
See the companion task map:
http://dlc.sun.com/osol/docs/content/SSMBAG/managedirbasedusergroupmapstm.html
Unfortunately, it has the two strategies (augmenting AD and augmenting
native LDAP) interwoven; you will need to untwine them.
I can easily setup Sun DSEE to act as a user/group naming service for
an OpenSolaris server but would this be enough to accommodate the
"corresponding Windows user or group name"?
You must add attributes to your LDAP schema, populate them with the
corresponding Windows u...@domain values, and configure idmap to use
the newly added attributes.
I should note that we're trying to make the whole identity mapping
picture simpler, and this "native LDAP" mapping scheme is one of the
things that we're thinking of removing as adding more complexity than
value. I would encourage you to look into other approaches - in
particular, look at Microsoft's Identity Mapping for UNIX (IDMU),
which lets you specify UIDs in your Active Directory data. Configured
properly, you should be able to serve both your UNIX and Windows
directory needs out of a single Active Directory installation.
This decision has not yet been made, and so if the "native LDAP"
mapping scheme is uniquely suited to your needs we'd be interested in
your input on the question.
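For readers following Jordan's three steps (extend the schema, populate the attribute, point idmap at it), here is an added example that is not part of the thread. It emits the LDIF that augments a native LDAP posixAccount entry with a Windows-name attribute and the idmap SMF settings that consume it; the attribute name winAccount, the sample DN and user, and the property names config/directory_based_mapping and config/nldap_winname_attr (as documented for later Solaris 11 idmapd(1M)) are assumptions, so check them against the idmapd(1M) of your own release.

```shell
#!/bin/sh
# Added example, not from the cifs-discuss thread. Assumptions (labelled):
#   - "winAccount" is a hypothetical attribute you have already added to the
#     LDAP schema (the schema extension itself is directory-server specific).
#   - config/directory_based_mapping and config/nldap_winname_attr are the
#     idmapd SMF properties as documented for later Solaris 11 releases.
# The idmap/svcadm commands are printed, not executed, so this script can be
# reviewed on any host and the printed lines applied on the CIFS server.

BASE_DN="ou=people,dc=example,dc=com"   # constructed sample base DN
WINNAME_ATTR="winAccount"               # hypothetical schema attribute

# winname_ldif UNIX_USER WINDOWS_NAME
# Prints an LDIF modify record that adds the Windows name to the UNIX
# user's native LDAP entry (step 2: populate the new attribute).
winname_ldif() {
    printf 'dn: uid=%s,%s\n' "$1" "$BASE_DN"
    printf 'changetype: modify\n'
    printf 'add: %s\n' "$WINNAME_ATTR"
    printf '%s: %s\n' "$WINNAME_ATTR" "$2"
}

# idmap_nldap_config UNIX_USER
# Prints the commands that enable directory-based name mapping, tell idmapd
# which native-LDAP attribute carries the Windows name (step 3), and then
# verify that the UNIX user now resolves to a Windows identity.
idmap_nldap_config() {
    printf 'svccfg -s idmap setprop config/directory_based_mapping = astring: name\n'
    printf 'svccfg -s idmap setprop config/nldap_winname_attr = astring: %s\n' "$WINNAME_ATTR"
    printf 'svcadm refresh idmap\n'
    printf 'idmap show -c unixuser:%s\n' "$1"
}

# Constructed sample user; pipe the LDIF into ldapmodify on the directory
# host, then run the printed svccfg/svcadm/idmap lines on the CIFS server.
winname_ldif jdoe 'jdoe@example.com'
echo '---'
idmap_nldap_config jdoe
```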
------------------------------------------------------------------------
_______________________________________________
cifs-discuss mailing list
[email protected]
http://mail.opensolaris.org/mailman/listinfo/cifs-discuss