Milton Calnek wrote:
Hello all,
I'm trying to authenticate shell logins against an MS ADS. I don't have admin access to the ADS, but I can talk to the admins.
I have gotten as far as getting authentication working, but the uids depend on the order of login, i.e. the first guy to log in gets 10000, the next gets 10001, etc. The problem I have with this is that I want to share the home directories via NFS, which means everyone has to have the same id on every machine.
Is anyone else doing this?
My smb.conf and nsswitch.conf files are below.
TIA
You can get Samba to be a single sign-on using MS AD & issue predictable uids in Linux. The smb.conf option:
idmap backend = idmap_rid:DOMAIN=100000-3000000
will take the user's RID in AD, add 100000 to it, and use that for the uid in Linux.
This smb.conf worked for me a couple of years ago at my former employer, on RH4-type machines. Note I did not have an LDAP server defined. This is the entire global section I used in all Linux boxes that I joined to the domain.
[global]
    workgroup = DOMAIN
    realm = DOMAIN.EXAMPLE.COM
    server string = Samba Server
    security = ads
    # log level = 0 vfs:2
    log file = /var/log/samba/ALL.log
    max log size = 500
    socket options = TCP_NODELAY SO_RCVBUF=32768 SO_SNDBUF=32768
    load printers = No
    preferred master = No
    domain master = No
    dns proxy = No
    wins server = 192.168.1.1
    netbios name = LINUX999
    netbios aliases = host999
    ldap ssl = no
    idmap uid = 10000-3000000
    idmap gid = 10000-3000000
    template homedir = /users/%U
    template shell = /bin/bash
    winbind enum users = No
    winbind enum groups = No
    idmap backend = idmap_rid:DOMAIN=100000-3000000
    allow trusted domains = no
    username map = /etc/samba/smbusers
    name resolve order = wins bcast
    cups options = raw
    disable spoolss = Yes
    show add printer wizard = No
    os level = 1
    winbind use default domain = yes
    host msdfs = Yes
    admin users = DOMAIN\admin20 DOMAIN\admin22
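As an added illustration of the RID-based mapping described in the reply above (this is not code from the thread or from Samba), the script below computes the uid that idmap_rid would hand out for a given AD SID, so the expected uid can be checked on every host that mounts the shared NFS home directories. It assumes the mapping rule stated in the reply (uid = base + RID) and takes the base and range from the posted smb.conf (100000-3000000); the SID used as input is constructed for the example.

```shell
# Added example, not from the original thread: predict the idmap_rid uid for
# a domain SID. Mapping rule (uid = base + RID) and the range 100000-3000000
# follow the reply's smb.conf; the sample SID below is constructed.

# Print the RID (last component) of a domain SID such as S-1-5-21-...-1105.
# Fails for SIDs that are not domain SIDs or whose last component is not numeric.
sid_to_rid() {
    rid=${1##*-}
    case "$1" in
        S-1-5-21-*) ;;
        *) return 1 ;;
    esac
    case "$rid" in
        ''|*[!0-9]*) return 1 ;;
    esac
    printf '%s\n' "$rid"
}

# Print the uid idmap_rid would produce for a SID: base + RID, but only when
# the result lies inside the configured idmap range; fail (print nothing)
# otherwise, since winbind will not map a uid that falls outside the range.
rid_to_uid() {
    sid=$1 base=$2 low=$3 high=$4
    rid=$(sid_to_rid "$sid") || return 1
    uid=$((base + rid))
    if [ "$uid" -lt "$low" ] || [ "$uid" -gt "$high" ]; then
        return 1
    fi
    printf '%s\n' "$uid"
}

# Constructed sample: a domain user with RID 1105 (domain part is made up).
SAMPLE_SID="S-1-5-21-1111111111-2222222222-3333333333-1105"
rid_to_uid "$SAMPLE_SID" 100000 100000 3000000
```

On a host that is already joined to the domain, the SID for a user can be obtained with `wbinfo --name-to-sid DOMAIN\\user`; the number this script prints should then match what `id user` reports on every NFS client, which is exactly the consistency the original question is after.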