On 05/06/13 17:56, steve wrote:
On Wed, 2013-06-05 at 16:22 +0100, Jonathan Buzzard wrote:
On Wed, 2013-06-05 at 15:42 +0100, Rowland Penny wrote:

I never said that I couldn't get it to work, I just said that it is
just too complicated. Yes I can read and there was no need to get
personal


You said you gave up because it was too complicated. Also if you are
setting up a Samba file server and need UID/GID to SID mappings the only
supported option is Winbind if sssd works at all.

Hi
Why don't we simply store the uid in the directory along with everything
else concerning the user? Why store that information somewhere else?


You do store the UID in the directory along with everything else. You just need some way of looking it up.

All the OP wants is consistent uidNumbers.

Actually that is not clear. They want consistent UID's on a machine that is running Samba which complicates things because it might mean they want consistent and secure SID to UID mapping as well as consistent UID's.

The only way I know how to do
that is to store the uidNumber in the DN of the object. All DC's pull
the same attribute at all times. Forget idmap ranges. You can use
winbind to do that and prolly pull stuff from AD too. However, those of
us who have tried alternatives for pulling rfc2307 from AD find the
alternatives easier to install and configure. Anyone who has tried sssd
is unlikely to return to winbind.

Really, don't think so.

It also has the advantage that it
works fully on a S4 DC, not just for uid and gid but for the whole of
rfc2307. For good measure, it throws in dynamic dns updates for fwd and
reverse zones. For free.

Your file servers have dynamic DNS!!!

sssd does what it says on the tin. With winbind, there are too many
different tins;)

As far as I can tell sssd does not provide a mechanism for the smbd on at least 3.5 (the 4.x series might be different but the OP is running 3.6) to see an incoming SID and work out the UID. Why would it, a SID is an entirely Windows concept and sssd is a Linux/Unix thing. Samba 3.x requires as far as I have been able to tell a running winbind or bad things happen.

The reason for the ranges, which is why winbind is better than sssd for a Samba file server is that Samba has some builtin SID's that it needs to assign UID/GID's to. With winbind you can make sure that these don't incorrectly overlap which would be a security issue. With sssd you can't. In fact if you have more than one AD domain in a forest then sssd is probably not a good idea anyway.

Now if you have random Linux box that is not acting as a Samba file server then by all means use sssd. But this is a Samba mailing list and presumably the majority of people are trying to get a Samba file server working.

JAB.

--
Jonathan A. Buzzard                 Email: jonathan (at) buzzard.me.uk
Fife, United Kingdom.
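
The range-overlap concern in the message above can be checked mechanically before winbind starts. The following is an added example, not part of the original thread: it parses the `idmap config DOMAIN : range` lines of an smb.conf and reports any two domains whose ID ranges share values. The smb.conf fragment, the domain names SAMDOM and OTHERDOM, and the function names are constructed for illustration.

```python
import re

# Constructed smb.conf fragment (not from the thread). The default domain "*"
# holds Samba's builtin SIDs; here its range runs into the SAMDOM range.
SAMPLE_SMB_CONF = """\
[global]
    security = ads
    idmap config * : backend = tdb
    idmap config * : range = 3000-10999
    idmap config SAMDOM : backend = ad
    idmap config SAMDOM : range = 10000-99999
    # idmap config OLD : range = 1-5000   (commented out, must be ignored)
    idmap config OTHERDOM : backend = rid
    idmap config OTHERDOM : range = 100000-199999
"""

RANGE_RE = re.compile(
    r"^\s*idmap\s+config\s+(?P<dom>[^\s:]+)\s*:\s*range\s*=\s*(?P<lo>\d+)\s*-\s*(?P<hi>\d+)\s*$",
    re.IGNORECASE)


def parse_idmap_ranges(conf_text):
    """Return {domain: (low, high)} from 'idmap config DOM : range = L-H' lines."""
    ranges = {}
    for line in conf_text.splitlines():
        if line.lstrip().startswith(("#", ";")):   # smb.conf comment lines
            continue
        m = RANGE_RE.match(line)
        if not m:
            continue
        lo, hi = int(m["lo"]), int(m["hi"])
        if lo > hi:
            raise ValueError(f"inverted range for {m['dom']}: {lo}-{hi}")
        ranges[m["dom"].upper()] = (lo, hi)
    return ranges


def find_overlaps(ranges):
    """Return (dom_a, dom_b, first_id, last_id) for each pair sharing IDs."""
    items = sorted(ranges.items(), key=lambda kv: kv[1])
    overlaps = []
    for i, (dom_a, (_, hi_a)) in enumerate(items):
        for dom_b, (lo_b, hi_b) in items[i + 1:]:
            if lo_b <= hi_a:                        # sorted by low, so lo_a <= lo_b
                overlaps.append((dom_a, dom_b, lo_b, min(hi_a, hi_b)))
    return overlaps


if __name__ == "__main__":
    for a, b, first, last in find_overlaps(parse_idmap_ranges(SAMPLE_SMB_CONF)):
        print(f"OVERLAP: '{a}' and '{b}' both claim IDs {first}-{last}")
```
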