Milton Calnek wrote:
> Hello all,
>
> I'm trying to authenticate shell logins against an MS-ADS. I don't
> have admin access to the ADS, but I can talk to the admins.
>
> I have gotten as far as getting authentication working, but the uids
> depend on the order of login. i.e.: the first guy to login gets 10000,
> the next gets 10001, etc. The problem I have with this is that I want
> to share the home directories via nfs, which means everyone has to
> have the same id.
>
> Is anyone else doing this?
>
> My smb.conf and nsswitch.conf files are below.
>
> TIA
>

You can get samba to be a single sign on using MS AD & issue predictable
uids in linux. The smb.conf option:

    idmap backend = idmap_rid:DOMAIN=100000-3000000

will take the users' RID in AD, add 100000 to it, use that for the uid in
Linux.

This smb.conf worked for me a couple years ago at my former employer, on
RH4 type machines. Note I did not have an ldap server defined. This is the
entire global section I used in all linux boxes that I joined to the domain.

[global]
    workgroup = DOMAIN
    realm = DOMAIN.EXAMPLE.COM
    server string = Samba Server
    security = ads
#   log level = 0 vfs:2
    log file = /var/log/samba/ALL.log
    max log size = 500
    socket options = TCP_NODELAY SO_RCVBUF=32768 SO_SNDBUF=32768
    load printers = No
    preferred master = No
    domain master = No
    dns proxy = No
    wins server = 192.168.1.1
    netbios name = LINUX999
    netbios aliases = host999
    ldap ssl = no
    idmap uid = 10000-3000000
    idmap gid = 10000-3000000
    template homedir = /users/%U
    template shell = /bin/bash
    winbind enum users = No
    winbind enum groups = No
    idmap backend = idmap_rid:DOMAIN=100000-3000000
    allow trusted domains = no
    username map = /etc/samba/smbusers
    name resolve order = wins bcast
    cups options = raw
    disable spoolss = Yes
    show add printer wizard = No
    os level = 1
    winbind use default domain = yes
    host msdfs = Yes
    admin users = DOMAIN\admin20 DOMAIN\admin22

--
Toby Bluhm
Alltech Medical Systems America, Inc.
30825 Aurora Road Suite 100
Solon Ohio 44139
440-424-2240
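
Added example, not part of the original message: a check that each NFS client reports the RID-derived uid described in the reply above (uid = 100000 + RID) rather than a login-order uid. The domain SID, account names, passwd lines and function names are constructed for illustration.

```python
import re

RANGE_LOW, RANGE_HIGH = 100000, 3000000  # range from the smb.conf in the post
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"  # constructed value

SID_RE = re.compile(r"^S-1-\d+(-\d+)+$")

def expected_uid(sid, domain_sid=DOMAIN_SID):
    """uid = RANGE_LOW + RID, or None if the SID cannot be mapped."""
    if not SID_RE.match(sid):
        raise ValueError(f"not a SID: {sid!r}")
    domain, _, rid = sid.rpartition("-")
    if domain != domain_sid:
        return None  # SID from another domain: outside this mapping
    uid = RANGE_LOW + int(rid)
    return uid if uid <= RANGE_HIGH else None  # RID too large for the range

def mismatches(passwd_lines, sid_by_user):
    """Compare a host's passwd entries with the RID-derived uid.

    Returns (user, uid_on_host, expected) for every account that would
    own the wrong files on a shared NFS home directory.
    """
    bad = []
    for line in passwd_lines:
        fields = line.strip().split(":")
        if len(fields) < 3 or fields[0] not in sid_by_user:
            continue  # malformed line or a local account
        want = expected_uid(sid_by_user[fields[0]])
        if int(fields[2]) != want:
            bad.append((fields[0], int(fields[2]), want))
    return bad

# Constructed sample data: user -> SID, and passwd-format lines from two hosts.
SIDS = {"alice": DOMAIN_SID + "-1105", "bob": DOMAIN_SID + "-1106"}
HOST_RID = ["alice:*:101105:100513::/users/alice:/bin/bash",
            "bob:*:101106:100513::/users/bob:/bin/bash"]
# Host still allocating ids in login order (bob logged in first).
HOST_ALLOC = ["bob:*:10000:10000::/users/bob:/bin/bash",
              "alice:*:10001:10000::/users/alice:/bin/bash"]

if __name__ == "__main__":
    print("rid host:  ", mismatches(HOST_RID, SIDS))
    print("alloc host:", mismatches(HOST_ALLOC, SIDS))
```

An empty result on every client means the same uid owns the same files everywhere the home directories are mounted.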