Thanks for the response Andrew,

Using ad for my idmap sounds like what I'm looking for. I'm having problems finding how I add the map ids to the AD manually for new users. Could you direct me to some information regarding cli tools to do that?

Thanks Again,

Stu

On 04/12/2013 11:57 PM, Andrew Bartlett wrote:
> On Fri, 2013-04-12 at 08:40 -0700, Stuart Sheldon wrote:
>> Hi All,
>>
>> I've been playing with Samba 4.0.x in the lab for about a week or so,
>> and have figured out a reasonable portion of the required settings to
>> also use the AD server as a Unix server. I do have some additional
>> questions regarding scaling that I have not found the answers to. I'm
>> hoping you good folks can steer me in the right direction, or confirm my
>> ideas of how this whole AD Controller thing works...
>>
>> I'm using winbind for Unix authentication via PAM, and have configured
>> NSS to use winbind for passwd and group enumeration. Took me quite a
>> while to figure out that users would need to auth into kerberos before
>> winbind would return info to NSS. Someone might want to update the wiki
>> on that...
>
> That doesn't sound right. The user information can be obtained, but it
> certainly is faster and more effective when we have the PAC cached.
>
>> I do have some questions though regarding winbind and idmaps
>> in 4.0.5:
>>
>> We currently deploy OpenLDAP as our core user management platform. This
>> has allowed us to avoid the need for winbind and the whole 3.x issue of
>> idmaps varying between our Linux systems. I've been trying to figure out
>> if the whole idmap sync issue is solved in 4.0.x? Can I just use the
>> default smb.conf generated settings for winbind and idmap and still have
>> consistent mappings between different hosts? If not, how can I
>> accomplish this in 4.0.x?
>
> If you have an existing OpenLDAP system, and are using Samba 3.x, do you
> have an existing Samba 3.x 'classic' domain?
>
> If so, then the samba-tool domain classicupgrade command will import
> those existing id mappings into our AD database, and set the smb.conf
> option to use it.
>
> You can then configure Samba winbind clients to also use that rfc2307
> configuration, using idmap_ad.
>
> You will need to set any uid/gid values you wish to be consistent across
> your domain manually, as we do not have a distributed allocator for
> those. Any values not set in the directory will be set in idmap.ldb on
> each DC, and may differ between DCs (and potentially clients).
>
> I hope this clarifies things for you, or gives you somewhere to start
> your research.
>
> Andrew Bartlett
>
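
The quoted reply notes that uid/gid values not set in the directory are allocated per host and may differ between DCs and clients. The following is an added example, not part of the original thread, that compares `getent passwd` output collected from several hosts and reports accounts whose IDs diverge and UIDs that resolve to different accounts; the host names, domain, accounts and ID values are constructed for illustration.

```python
from collections import defaultdict

# Constructed `getent passwd` output from three hosts (not from the thread).
# alice has her IDs stored in the directory; bob and carol do not, so each
# host allocated their IDs locally.
SAMPLE = {
    "dc1": r"""EXAMPLE\alice:*:10001:10000::/home/alice:/bin/bash
EXAMPLE\bob:*:3000017:100::/home/bob:/bin/bash
EXAMPLE\carol:*:3000018:100::/home/carol:/bin/bash""",
    "dc2": r"""EXAMPLE\alice:*:10001:10000::/home/alice:/bin/bash
EXAMPLE\bob:*:3000018:100::/home/bob:/bin/bash
EXAMPLE\carol:*:3000017:100::/home/carol:/bin/bash""",
    "client1": r"""EXAMPLE\alice:*:10001:10000::/home/alice:/bin/bash
EXAMPLE\bob:*:3000017:100::/home/bob:/bin/bash""",
}

def parse_passwd(text):
    """Return {account: (uid, gid)} from passwd(5)-format lines."""
    entries = {}
    for line in text.splitlines():
        fields = line.split(":")
        if line.startswith("#") or len(fields) < 4:
            continue  # comment or malformed line
        try:
            # AD account names are case-insensitive, so normalise them.
            entries[fields[0].lower()] = (int(fields[2]), int(fields[3]))
        except ValueError:
            continue  # non-numeric uid/gid field
    return entries

def find_divergent(host_dumps):
    """Accounts whose (uid, gid) is not identical on every host that knows them."""
    seen = defaultdict(dict)
    for host, text in host_dumps.items():
        for account, ids in parse_passwd(text).items():
            seen[account][host] = ids
    return {a: hosts for a, hosts in seen.items() if len(set(hosts.values())) > 1}

def find_uid_reuse(host_dumps):
    """UIDs that map to more than one account across the hosts. On shared
    storage, files written by one user then appear owned by another."""
    owners = defaultdict(set)
    for text in host_dumps.values():
        for account, (uid, _gid) in parse_passwd(text).items():
            owners[uid].add(account)
    return {uid: sorted(a) for uid, a in owners.items() if len(a) > 1}

if __name__ == "__main__":
    for account, hosts in sorted(find_divergent(SAMPLE).items()):
        print("divergent:", account, hosts)
    for uid, accounts in sorted(find_uid_reuse(SAMPLE).items()):
        print("uid reuse:", uid, accounts)
```

Any account this flags is a candidate for having its uid/gid set explicitly in the directory, as the reply recommends.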
