> Chavez, James R. wrote:
> > Michael, Andreas, and list,
> >
> > Quick questions for clarity please. Using Winbind and having the uid and gid consistent across all Linux and Solaris servers is something I have struggled with. So is it fair to say that without SFU, or extending the schema with RFC2307, or using Windows 2003R2 and manually populating these Active Directory user objects with Unix attributes, you cannot manually specify which Unix uid is mapped to a Windows ID?
>
> You can use OpenLDAP for example instead of SFU or the RFC2307 extension :-)
>
> But: Yes, this is at least my experience.
>
> There is a "net groupmap" command which will write to the tdb database backend, but I didn't ever use this and don't know if this command is relevant in this context. I remember this command is (only) used when setting up a Samba domain controller to map the builtin Windows groups 512, 513, 514. There is no "net usermap" command, though.
>
> > I ask this because in certain locations where I work we have existing Unix infrastructures based on NIS. Therefore all access to data is based upon these NIS uid and gid permissions in these environments. The Windows group has been pushing Linux out in these locations and in some cases, insisting they be joined to Active Directory, and authenticate local and SSH logins with Winbind. My issue with this is that the existing resources that the staff accesses have permissions based on NIS permissions. So when logging in with Active Directory credentials, these AD users are dynamically allocated a Unix uid by Winbind that no longer has access to established resources based on the NIS permissions.
> >
> > What I have done in certain areas is migrated all uid, gid, and host information from NIS into an OpenLDAP directory. Then use Kerberos (AD creds) to authenticate, then map the Kerberos name to the 8 character Unix name in LDAP using PADL's nss_ldap. I could just create the LDAP usernames the same as the Kerberos names but wanted to keep with the 8 character scheme; I think AIX still has this limitation. This seems to work, but if I can use Winbind to statically map existing Unix uids to Windows IDs that would be less work.
> >
> > Is there in fact a way to use Winbind and use the NIS uid and gid info that already exists? From what I have read so far all Winbind uid generation is dynamic. Please correct me if I am wrong.
>
> We had the same constellation in our institute and we put all uids/gids from NIS into Active Directory "by hand", bit by bit. About 200 users.
>
> I don't know a way to use NIS AND winbind at the same time, so that the Active Directory system would read information from NIS and put it together with the Windows AD information, without migrating the uids/gids.
>
> I hope a Samba developer can answer this question positively :-)
I'm not a Samba developer, but in the latest releases of the 3.0.x tree you can use the idmap backend of "nss" to get the old behavior of mapping the Windows account name to the same account name in Unix.

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
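As an added example (not part of the thread) of the smb.conf change the reply points to, assuming Samba 3.0.25-era idmap parameters, a placeholder domain EXAMPLEDOM and a placeholder user jchavez; the parameter spelling is taken from the idmap_nss(8) manual of that era and should be checked against the version actually installed:

```ini
; Constructed example: dynamic tdb allocation (the situation the poster
; describes) beside the "nss" idmap backend. Placeholders: EXAMPLEDOM,
; EXAMPLE.LOCAL, jchavez, the uid/gid ranges.

; --- before: uids are handed out on first sight and stored in the
; --- winbindd idmap tdb, so an AD user never gets the uid NIS already holds.
[global]
    workgroup = EXAMPLEDOM
    realm = EXAMPLE.LOCAL
    security = ads
    idmap backend = tdb
    idmap uid = 10000-20000
    idmap gid = 10000-20000

; --- after: SID -> account name via the DC, then account name -> uid/gid
; --- through NSS (files, nis or ldap), so the existing NIS uid is reused.
; --- The Unix login must equal the Windows account name; an 8-character
; --- Unix login that differs from the sAMAccountName does not resolve and
; --- falls back to tdb allocation (assumption based on the backend's
; --- getpwnam-style lookup; verify with the check below).
[global]
    workgroup = EXAMPLEDOM
    realm = EXAMPLE.LOCAL
    security = ads
    winbind use default domain = yes

    idmap domains = EXAMPLEDOM
    idmap config EXAMPLEDOM:backend = nss
    idmap config EXAMPLEDOM:readonly = yes

    ; fallback allocation for SIDs with no NSS entry (e.g. machine accounts)
    idmap backend = tdb
    idmap uid = 1000000-1999999
    idmap gid = 1000000-1999999

; /etc/nsswitch.conf must list the authoritative source before winbind,
; otherwise the lookup the nss backend performs cannot see the NIS uid:
;   passwd: files nis winbind
;   group:  files nis winbind

; Check after restarting winbindd: the two numbers must agree, and a
; mismatch means the account is still being allocated from the tdb range.
;   ypmatch jchavez passwd | cut -d: -f3
;   wbinfo -i jchavez     | cut -d: -f3
```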
