On 06/15/2011 10:29 AM, Jonathan Buzzard wrote:
>
> On Tue, 2011-06-14 at 23:41 +0000, Peter Shevchenko wrote:
>
> [SNIP]
>
>> I have been working on exactly this problem. I looked into the
>> rfc2307scheme extensions and it looked like a lot of trouble. The samba
>> HowTo has this to say about it.
>>
>> "The use of this method is messy. The information provided in the
>> following is for guidance only and is very definitely not complete. This
>> method does work; it is used in a number of large sites and has an
>> acceptable level of performance." see
>> samba.org/samba/docs/man/Samba-HOWTO-Collection/idmapper.html
>
> That is *not* the method I was suggesting to use. I was suggesting using
> the idmap_ad backend and winbind directly. No ldap or similar in sight
> excepting that AD is ldap.
>
> This is the configuration that I use in smb.conf
>
> # deal with NSS and the whole UID/SID id mapping stuff
> idmap backend = tdb
> idmap uid = 2000000 - 2999999
> idmap gid = 2000000 - 2999999
> idmap config LIFESCI-AD : backend = ad
> idmap config LIFESCI-AD : schema_mode = rfc2307
> idmap config LIFESCI-AD : readonly = yes
> idmap config LIFESCI-AD : range = 500 - 1999999
> idmap cache time = 120
> idmap negative cache time = 20
> winbind nss info = rfc2307
> winbind expand groups = 2
> winbind nested groups = yes
> winbind use default domain = yes
> winbind enum users = yes
> winbind enum groups = yes
> winbind refresh tickets = yes
> winbind offline logon = false
>
> With nsswitch.conf looking like
>
> passwd: files winbind
> shadow: files
> group: files winbind
>
>
> I would say the documentation on how to get this working is not great,
> the biggest stumbling block being the need for the non overlapping range
> for the plain tdb backend which is all required despite the fact it is
> never used.
>
> Yes you need to have winbind running at all times for it to work but it
> does work.
>
>
> JAB.
>

The environment I work in did not fully implement the rfc schema. I would
use the hash idmap backend:

http://www.samba.org/samba/docs/man/manpages-3/idmap_hash.8.html

-- 
________
Robert Freeman-Day
https://launchpad.net/~presgas
GPG Public Key: http://keyserver.ubuntu.com:11371/pks/lookup?op=get&search=0xBA9DF9ED3E4C7D36
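
The non-overlapping range requirement mentioned in the quoted smb.conf discussion can be checked mechanically, since two idmap backends that share part of a range can hand the same UID or GID to different accounts. The following is an added example, not part of the original thread and not Samba code; it assumes only the "idmap uid", "idmap gid" and "idmap config DOMAIN : range" line forms quoted above, and the function names are hypothetical.

```python
import re
from itertools import combinations

# Constructed sample: the idmap lines from the smb.conf quoted in the message above.
SAMPLE_SMB_CONF = """\
idmap backend = tdb
idmap uid = 2000000 - 2999999
idmap gid = 2000000 - 2999999
idmap config LIFESCI-AD : backend = ad
idmap config LIFESCI-AD : schema_mode = rfc2307
idmap config LIFESCI-AD : range = 500 - 1999999
"""

_RANGE = r"(\d+)\s*-\s*(\d+)\s*$"
_DEFAULT = re.compile(r"idmap\s+(uid|gid)\s*=\s*" + _RANGE, re.I)
_DOMAIN = re.compile(r"idmap\s+config\s+(\S+)\s*:\s*range\s*=\s*" + _RANGE, re.I)

def parse_idmap_ranges(text):
    """Return {(owner, kind): (low, high)} for every idmap range in the text."""
    ranges = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # smb.conf comment markers
            continue
        m = _DEFAULT.match(line)
        if m:                                # default (tdb) allocation pool
            ranges[("default", m.group(1).lower())] = (int(m.group(2)), int(m.group(3)))
            continue
        m = _DOMAIN.match(line)
        if m:                                # per-domain range covers uids and gids
            for kind in ("uid", "gid"):
                ranges[(m.group(1).upper(), kind)] = (int(m.group(2)), int(m.group(3)))
    return ranges

def find_problems(ranges):
    """List inverted ranges and overlaps between different owners of the same ID kind."""
    problems = [f"{o} {k}: inverted range {lo}-{hi}"
                for (o, k), (lo, hi) in ranges.items() if lo > hi]
    for (a, ra), (b, rb) in combinations(sorted(ranges.items()), 2):
        if a[1] == b[1] and a[0] != b[0] and ra[0] <= rb[1] and rb[0] <= ra[1]:
            problems.append(f"{a[0]} and {b[0]} overlap on {a[1]}: "
                            f"{ra[0]}-{ra[1]} vs {rb[0]}-{rb[1]}")
    return problems

if __name__ == "__main__":
    for problem in find_problems(parse_idmap_ranges(SAMPLE_SMB_CONF)) or ["no overlaps"]:
        print(problem)
```
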
