----------------original message----------------- From: "Jonathan Buzzard" [email protected] To: "Martin Rootes" [email protected] CC: "Samba" [email protected] Date: Tue, 14 Jun 2011 23:28:49 +0100 ------------------------------------------------- > Martin Rootes wrote: >> Hi, >> >> I'm trying to convert an old system on Solaris 10 that uses the >> smbpasswd file authentication method to a system that authenticates >> against Active Directory. I've managed to get winbind working but of >> course this just allocates UIDs as it sees fit whereas the smbpasswd >> file method used the UID from the /etc/passwd file. The user codes on >> the Solaris server match the user codes in AD but if I just switch over >> to winbind the UIDs will not match. If there were only a small number of >> users I could simply change the ownership of the users home directories >> to match the winbind allocated UID but unfortunately there are thousands >> of users and so this would be a mammoth task. I've has a look at various >> bits of documentation but can't get my head around the best strategy. >> Has anyone needed to do something similar and if so how did you go about >> it? >> >> Also the users' home directories are distributed around multiple >> directories and I would prefer to continue to use the home directory >> information from /etc/passwd as opposed to using "template homedir" >> (although I assume that I could leave the directories in place and just >> set up links to them). I've had also had a look at the PADL nss_ldap >> stuff but can't get it to compile, it seems to be looking for SASL, >> would the SASL version on the Sun Freeware site work? >> > > Would not filling out the rfc2307 information in the AD not be the way > forward? Then winbind would not be allocating UID's but using what was > set in the AD which you could match with your current settings. In > addition you could have your home directories wherever you want on a per > user basis depending on what you have set in the AD. > > If you are going to be using AD then it is best not to fight it, and any > AD server after 2003 R2 has the rfc2307 scheme extensions activated, you > just need to populate the fields. Though I appreciate that sometimes > this can be easier said than done if you don't have control over the AD > servers. > > > JAB. > > -- > Jonathan A. Buzzard Email: jonathan (at) buzzard.me.uk > Fife, United Kingdom. > -- > To unsubscribe from this list go to the following URL and read the > instructions: https://lists.samba.org/mailman/options/samba >
I have been working on exactly this problem. I looked into the rfc2307scheme extensions and it looked like a lot of trouble. The samba HowTo has this to say about it. "The use of this method is messy. The information provided in the following is for guidance only and is very definitely not complete. This method does work; it is used in a number of large sites and has an acceptable level of performance." see http://samba.org/samba/docs/man/Samba-HOWTO-Collection/idmapper.html I also noticed that, to quote the HowTo again "If winbindd is not running, smbd (which calls winbindd) will fall back to using purely local information from /etc/passwd and /etc/group and no dynamic mapping will be used. On an operating system that has been enabled with the NSS, the resolution of user and group information will be accomplished via NSS." see http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/winbind.html. This is the solution that I am now implementing. It looks to be working but I still have some testing to do. This is the way that another system works here and we have had no trouble with it. If you have multiple domains then you have to be vary careful doing this. We have one master OpenLDAP server and we create accounts on all domains from that. We know that John on one domain is the same person as John on all the others. The linux samba servers are just setup so that nss gets account info from the master LDAP server but the smb.conf gets Auth info from the AD Domian controller. Password changing on the windows and linux machines have been disabled and all password changes are done through a website. This site then updates the LDAP and AD passwords. Peter -- -- Peter Shevchenko Ph: +61 2 6125 1548 Email: [email protected] IT Administrator ANU College of Engineering and Computer Science -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
