
[Samba] Active directory and winbind RID/SID to uid and gid mapping


Reece Dike

Mar 10, 2009, 2:43:07 PM
We are using a Windows Server 2003 Active Directory as our single sign-on
server. I have been able to get our RHEL4U6 servers to authenticate
with Active Directory.

My concern is that the RID mapping to the Unix uid/gid range (15000-20000)
is stored locally on each machine in a tdb database. So far all of the
servers have produced the same mapping, but I do not think it is
guaranteed. I think the fact that I do a wbinfo -u and wbinfo -g as part
of the setup, and there have been no users/groups added to Active
Directory, has made the mappings the same. I know that the uid/gid are
not being stored in Active Directory (I did a 'dsquery * -scope base
-attrib *' on my id in Active Directory). Is there any way to guarantee
the RID to uid/gid mapping across several servers?


Thanks,
Reece Dike

Here is my smb.conf:

[global]
    workgroup = MYDOMAIN
    server string = Samba Server Version %v
    security = ADS
    password server = 68.216.162.90
    realm = MYDOMAIN.COM
    passdb backend = tdbsam
    load printers = yes
    cups options = raw
    ; valid values for this parameter are auto, mandatory or disabled
    server signing = auto
    ; winbind hands out uids/gids from these ranges and records the
    ; SID -> id allocation in the local idmap tdb on each server
    idmap uid = 15000-20000
    idmap gid = 15000-20000
    winbind enum groups = yes
    winbind enum users = yes
    winbind separator = +
    winbind use default domain = no
    template homedir = /homes/%D/%U
    ; 'template shell' was set twice (first to /bin/false); smb.conf
    ; takes the last value for a repeated parameter, so only this one applies
    template shell = /bin/bash

[homes]
    comment = Home Directories
    browseable = no
    writable = yes

[printers]
    comment = All Printers
    path = /var/spool/samba
    browseable = no
    guest ok = no
    writable = no
    printable = yes

[usbshare]
    comment = Backups and Stuff
    path = /usbdrive
    ; the leading + marks a group name; the separator inside the name is winbind's
    valid users = +"MYDOMAIN+Domain Users"
    read only = no


--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba

Reece Dike

Mar 10, 2009, 5:47:24 PM
Dale,

Thanks for the information and the link. We are just now trying to
implement this, and we have not implemented it on any production
servers. I need to talk with my security person to see if we
have, or are planning to have, trusted domains. If we do, then I will
have to go with the ldap/ADS solution that was in the link you gave.

Thanks again,
Reece

Dale Schroeder wrote:
> Reece,
>
> idmap backend = rid:MYDOMAIN=15000-20000
>
> will create consistent mappings, *but* be aware that enabling this
> parameter will break all your existing mappings, and you will have to
> reset permissions on your Redhat servers. Obviously, this is not
> desirable on production systems. However, once this is done, you will
> continue to have the same mappings on any existing and similarly
> configured future Samba servers. Only you can determine if it is worth
> the time and effort to do this. We have four servers configured this
> way, and users have the same uid/gid on each system.
>
> Comparison of idmap backends:
> http://us3.samba.org/samba/docs/man/Samba-HOWTO-Collection/idmapper.html#id2598850
>
> Dale
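
As an added example (not code from this thread or from Samba), the Python model below contrasts the two backends discussed above: the default tdb idmap, which hands each newly seen SID the next free id and so depends on the order in which servers first see users, and the rid backend, which computes the id arithmetically from the RID. The domain SID and RIDs are constructed placeholders, and the rid formula assumes Samba 3's idmap_rid behaviour with the default base_rid of 0.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"  # constructed stand-in for MYDOMAIN


@dataclass
class TdbAllocator:
    """Models the default tdb idmap: the next free id is handed to each SID
    the first time this server sees it, so the result depends on order."""
    low: int
    high: int
    mapping: Dict[str, int] = field(default_factory=dict)

    def lookup(self, sid: str) -> int:
        if sid not in self.mapping:
            next_id = self.low + len(self.mapping)
            if next_id > self.high:
                raise ValueError("idmap range exhausted")
            self.mapping[sid] = next_id
        return self.mapping[sid]


def rid_backend(sid: str, low: int, high: int,
                domain_sid: str = DOMAIN_SID, base_rid: int = 0) -> Optional[int]:
    """Models 'idmap backend = rid:MYDOMAIN=low-high': id = low + (rid - base_rid).
    A pure function of the SID, so every server computes the same answer.
    Returns None for another domain's SID (e.g. a trusted domain) or a RID
    whose id would fall outside the configured range."""
    prefix = domain_sid + "-"
    if not sid.startswith(prefix):
        return None
    rid = int(sid[len(prefix):])
    unix_id = low + (rid - base_rid)
    return unix_id if low <= unix_id <= high else None


def tdb_ids(sids_in_seen_order: List[str], low: int = 15000, high: int = 20000) -> Dict[str, int]:
    """What one server's idmap tdb holds after seeing SIDs in this order."""
    alloc = TdbAllocator(low, high)
    return {s: alloc.lookup(s) for s in sids_in_seen_order}


def rid_ids(sids: List[str], low: int = 15000, high: int = 20000) -> Dict[str, Optional[int]]:
    """The mapping every rid-backend server agrees on, whatever the order."""
    return {s: rid_backend(s, low, high) for s in sids}


if __name__ == "__main__":
    users = [f"{DOMAIN_SID}-{rid}" for rid in (1105, 1106, 1107)]  # constructed RIDs
    print("tdb, server A:", tdb_ids(users))
    print("tdb, server B:", tdb_ids(list(reversed(users))))  # same users, different uids
    print("rid, any server:", rid_ids(users))  # 16105, 16106, 16107 everywhere
```

Note that with a 15000-20000 range the rid backend can only map RIDs 0 through 5000; a RID above that, or any SID from a trusted domain, gets no id at all, which is the limitation the ldap/ADS backends in the linked comparison address.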
