On Feb 9, 2010, at 6:27 PM, Dan Burkland dburklan@NMDP.ORG wrote:
From: centos-bounces@centos.org [centos-bounces@centos.org] On Behalf Of Ross Walker [rswwalker@gmail.com]
Sent: Tuesday, February 09, 2010 4:08 PM
To: CentOS mailing list
Subject: Re: [CentOS] CentOS 5.4 x86_64 authenticating against AD (Server 2008r2)
On Tue, Feb 9, 2010 at 3:23 PM, Joseph L. Casale jcasale@activenetwerx.com wrote:
That RID map feature of samba is great.
Forgot about that, AFAIK, you can do that w/ SFU & pam mods.
I have two Samba servers left that I want to get rid of :)
You can do it with SFU, but SFU doesn't create UID/GIDs for existing users, you have to do those manually.
Then there is the whole issue of maintaining those IDs over a long period of time.
Also with RID mapping I can map different domains into different ID ranges.
100000 - 199999 first domain
200000 - 299999 second domain
And so on.
You know you don't need the full Samba install to set up a winbind->NIS server, just the Samba client will do.
Then have your Linux boxes using NIS+Kerberos and only 1-2 boxes need to have a smb.conf and winbind running.
NIS is only as secure as the network it runs on. If it bumps against public networks (unsecure wifi so on) use 802.11 authentication.
-Ross
For anybody wanting to know how to go the LDAP Route I found an interesting article in the linux.com archives http://www.linux.com/archive/feed/40983
Thanks again guys for your input.
If it works for you great.
If you have hundreds or thousands of users and hundreds of groups, well good luck. It is extremely hard to automate assigning these uids/gids and making sure they don't collide with each other or other unix systems, and doing it by hand is a torture reserved for the ninth circle of hell.
If only nss_ldap had a SID->UID/GID mapping like samba has.
-Ross
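The RID-mapping scheme discussed in the thread (one disjoint Unix ID range per domain, e.g. 100000-199999 for the first domain and 200000-299999 for the second) is what Samba's idmap_rid backend does: ID = RID - BASE_RID + LOW_RANGE_ID, with BASE_RID 0 unless configured, and any result outside the domain's range is refused. The following is an added example, not code from anyone on this list or from the Samba project; it models that mapping with the thread's ranges, checks for the range collisions Ross warns about, and renders the corresponding idmap config stanza. The domain names FIRST and SECOND, the RIDs, and the 3000-7999 default range are constructed for the example. The stanza uses the `idmap config DOMAIN : backend/range` syntax of current Samba releases; the Samba 3.0.x shipped with CentOS 5 spells this differently, so check the idmap_rid man page for that version before pasting it.

```python
"""Model of Samba's idmap_rid mapping with per-domain ID ranges.

idmap_rid computes a Unix ID from a Windows RID as
    ID = RID - BASE_RID + LOW_RANGE_ID     (BASE_RID is 0 unless configured)
and refuses any result that falls outside the domain's configured range.
"""

BASE_RID = 0

# Constructed: two domains mapped into disjoint ranges, as in the thread.
IDMAP_RANGES = {
    "FIRST": (100000, 199999),
    "SECOND": (200000, 299999),
}

# Constructed: range for the default (*) idmap backend that handles BUILTIN and
# local SIDs; it must not overlap any of the rid ranges above.
DEFAULT_RANGE = (3000, 7999)


def rid_to_id(domain, rid, ranges=IDMAP_RANGES):
    """Return the Unix UID/GID for (domain, RID); raise if the result leaves the range."""
    low, high = ranges[domain]
    unix_id = rid - BASE_RID + low
    if not low <= unix_id <= high:
        raise ValueError(f"RID {rid} in {domain} maps to {unix_id}, outside {low}-{high}")
    return unix_id


def id_to_rid(unix_id, ranges=IDMAP_RANGES):
    """Reverse lookup: the (domain, RID) that owns a Unix ID, or None if no range covers it."""
    for domain, (low, high) in ranges.items():
        if low <= unix_id <= high:
            return domain, unix_id - low + BASE_RID
    return None


def overlapping_ranges(ranges):
    """Return every pair of domains whose ranges intersect.

    A non-empty result means two SIDs can map to the same UID/GID, which is the
    collision problem the thread describes. All pairs are compared, so
    non-adjacent overlaps are caught too.
    """
    items = sorted(ranges.items(), key=lambda kv: kv[1][0])
    clashes = []
    for i, (d1, (l1, h1)) in enumerate(items):
        for d2, (l2, h2) in items[i + 1:]:
            if l2 <= h1 and l1 <= h2:
                clashes.append((d1, d2))
    return clashes


def smb_conf_stanza(ranges=IDMAP_RANGES, default_range=DEFAULT_RANGE):
    """Render the [global] idmap lines for these ranges (current Samba syntax)."""
    if overlapping_ranges({**ranges, "*": default_range}):
        raise ValueError("idmap ranges overlap; fix the ranges before writing smb.conf")
    lines = [
        f"idmap config * : backend = tdb",
        f"idmap config * : range = {default_range[0]}-{default_range[1]}",
    ]
    for domain, (low, high) in ranges.items():
        lines.append(f"idmap config {domain} : backend = rid")
        lines.append(f"idmap config {domain} : range = {low}-{high}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed RIDs: 513 is the well-known "Domain Users" RID, 1103 a typical user RID.
    print(rid_to_id("FIRST", 1103), rid_to_id("SECOND", 513))
    print(id_to_rid(200513))
    print(smb_conf_stanza())
```

Because each domain owns a private window of the ID space, the same RID in two domains lands on two different Unix IDs, and a UID can be traced back to its domain without any per-user bookkeeping; the price is that a domain whose RIDs outgrow its window stops mapping, so size the windows with headroom.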