Re: [Samba] Anyone have Solaris 8/9, W2K AD, NIS working?

[Paul Gienger]

It sounds like you need to pick a network directory service and go with 
it, I'd suggest LDAP over NIS any day.  I have had a solaris (9 I think) 
box running happily over LDAP and AD2000, although it was just for test.

I'm trying to get Solaris authentication to work using AD user 
accounts. According to The Official Samba 3 Howto and Reference Guide, 
this should be a simple thing. Well, it is, as long as you don't care 
that the UNIX userid to SID mapping isn't consistent across NIS 
clients, which really screws up file ownership.
You need a central structure to hold your SID mappings if you're 
traversing machines, AFAICT, the only network structure supported is LDAP.

Well, it just isn't working. I've tried the instructions in there, 
which are laughably inadequate. They don't cover NIS or the SID-userid 
mapping problem properly. I've searched this mailing list for answers, 
and haven't found much. I simply cannot get Samba to store the userid 
mapping in the AD Idmap OU.
Perhaps some expansion on your issues here would help:
What kind of errors is samba spitting back
What configurations have you done.
I'm not going to detail the very large list of things I've been trying 
for months now, but they include installing Services for Unix on the 
AD servers, installing OpenLDAP and Kerberos, installing the idmap_ad 
plugin on my test Solaris box, configuring pam.conf and nsswitch.conf, 
setting up winbind, oh, the list goes on.

If anyone out there is running NIS on their Solaris boxes, and has 
single sign-on working properly using AD-based authentication, with 
consistent SID->userid mapping (i.e. a SID gets mapped to the same 
UNIX userid no matter which Solaris client is used), I'd very much 
like to talk to that person to find out how they got it working.
I'm curious, why the insistance on NIS?  Do you have other apps that 
require it?  Are you having problems getting autofs on solaris to talk 
to LDAP?  If so, a guy can short circuit it by making files from the 
ldap structure, that's what I do.  Are you an old school sun guy from 
way back that can't let go of it?  Give in to the dark side of the 
DIT,... err... I mean use ldap, its better over here... or something, 
you get my drift hopefully.

--
Paul Gienger                     Office: 701-281-1884
Applied Engineering Inc.         
Information Systems Consultant   Fax:    701-281-1322
URL: www.ae-solutions.com        mailto: [EMAIL PROTECTED]

--
To unsubscribe from this list go to the following URL and read the
instructions:  http://lists.samba.org/mailman/listinfo/samba