Re: [Samba] Samba as member of multi domain AD (nss/pam)
On 25/05/2012 09:57, Marcel Ritter wrote:

> our setup looks much like yours: One domain FAUAD containing all our users, and several domains containing computer objects (and maybe local users). To prevent inconsistencies in user/group membership, we'd like to use nss/pam winbind on the unix side to get users/groups out of our AD.

Add winbind to /etc/nss.conf (passwd and group lines). Then use idmap rid for the domains you're interested in (and tdb for eventual others):

    idmap backend = tdb
    idmap uid = 1-9
    idmap gid = 1-9
    idmap config PERSONALE:backend = rid
    idmap config PERSONALE:base_rid = 500
    idmap config PERSONALE:range = 10 - 4999
    idmap config STUDENTI:backend = rid
    idmap config STUDENTI:base_rid = 500
    idmap config STUDENTI:range = 5000 -

Users and groups in PERSONALE and STUDENTI are consistent across all servers, while other domains receive first come first served ids.

> However for most purposes it'd be nice to only get the short user names (user instead of FAUAD+user) for all domains (or at least for a selectable domain). AFAIK the default domain is the one the computer object is created in (in our case this is *not* the one containing the user objects). I haven't found an option to specify this default domain without changing the domain location of the computer object.

Neither did I. I tried really hard with:

    idmap domains = PERSONALE STUDENTI
    idmap config PERSONALE:default = no
    idmap config STUDENTI:default = yes

To make 'STUDENTI' the default domain while the server is joined to 'PERSONALE', but it didn't work. Maybe someone has a clue.

> Any idea about how to solve this is welcome :-)

I'm in the dark like you :(

BYtE,
Diego.

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
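Added example (not part of the message above and not Samba's own code): the rid backend computes each ID arithmetically, which the Samba 3.x idmap_rid man page gives as ID = RID - BASE_RID + LOW_RANGE_ID, so every member server with the same settings arrives at the same ID. The sketch parses those settings, applies the formula, and flags overlapping ranges, which would let two accounts share one Unix ID. The STUDENTI upper bound is cut off in the post, so 9999 is a placeholder, and the function names are hypothetical.

```python
import re

# Constructed sample based on the settings quoted in the message above.
# The STUDENTI upper bound (9999) is a placeholder assumption.
SMB_CONF = """
idmap config PERSONALE:backend = rid
idmap config PERSONALE:base_rid = 500
idmap config PERSONALE:range = 10 - 4999
idmap config STUDENTI:backend = rid
idmap config STUDENTI:base_rid = 500
idmap config STUDENTI:range = 5000 - 9999
"""

LINE = re.compile(r"idmap config (\w+)\s*:\s*(\w+)\s*=\s*(.+)")

def parse_idmap(text):
    """Return {domain: {"base_rid", "low", "high"}} for rid-backed domains."""
    raw = {}
    for m in LINE.finditer(text):
        raw.setdefault(m.group(1), {})[m.group(2)] = m.group(3).strip()
    out = {}
    for dom, opts in raw.items():
        if opts.get("backend") != "rid":
            continue
        low, high = (int(x) for x in opts["range"].split("-"))
        out[dom] = {"base_rid": int(opts.get("base_rid", 0)),
                    "low": low, "high": high}
    return out

def rid_to_id(cfg, domain, rid):
    """Apply ID = RID - BASE_RID + LOW_RANGE_ID; None if outside the range."""
    d = cfg[domain]
    unix_id = rid - d["base_rid"] + d["low"]
    return unix_id if d["low"] <= unix_id <= d["high"] else None

def overlapping(cfg):
    """Domain pairs whose ID ranges intersect (one ID could mean two users)."""
    doms = sorted(cfg)
    return [(a, b) for i, a in enumerate(doms) for b in doms[i + 1:]
            if cfg[a]["low"] <= cfg[b]["high"]
            and cfg[b]["low"] <= cfg[a]["high"]]

if __name__ == "__main__":
    cfg = parse_idmap(SMB_CONF)
    # The same RID in two domains lands in two disjoint ID ranges.
    print(rid_to_id(cfg, "PERSONALE", 1105), rid_to_id(cfg, "STUDENTI", 1105))
    print(overlapping(cfg))
```

A RID that maps outside its domain's range gets no ID at all, so a range that is too narrow shows up as unresolvable users rather than as wrong ownership.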
[Samba] Samba as member of multi domain AD (nss/pam)
Hi list,

I'm looking for someone out there, using samba as a member server in a multi-domain Active Directory forest (maybe even with nss_/pam_winbind for unix users/groups).

It took quite a long time to get things working at all here, and we're still not really comfortable with our current solution (especially the unix nss/pam part).

I'd be glad if someone out there was interested in exchanging information on that topic. So please don't hesitate to contact me, if you are :)

Bye,
Marcel
Re: [Samba] Samba as member of multi domain AD (nss/pam)
On 24/05/12 10:06, Marcel Ritter wrote:

> Hi list,
>
> I'm looking for someone out there, using samba as a member server in a multi-domain Active Directory forest (maybe even with nss_/pam_winbind for unix users/groups).
>
> It took quite a long time to get things working at all here, and we're still not really comfortable with our current solution (especially the unix nss/pam part).
>
> I'd be glad if someone out there was interested in exchanging information on that topic. So please don't hesitate to contact me, if you are :)
>
> Bye,
> Marcel

Hi Marcel

Not as part of a multi domain no but we have bypassed winbind in favour of storing attributes in the directory instead of an external winbind mapping. It works fine using nss-pam-ldapd (I think this is libnss-ldapd and libpam-ldapd on Debian). It's not officially supported but it works a treat.

http://linuxcostablanca.blogspot.com.es/p/s4bind.html

Cheers and hth a bit with your nss qn.

Steve