[CentOS] CentOS 5.4 x86_64 authenticating against AD (Server 2008r2)

Wed Feb 10 01:09:17 UTC 2010
Ross Walker <rswwalker at gmail.com>

On Feb 9, 2010, at 6:27 PM, Dan Burkland <dburklan at NMDP.ORG> wrote:

> From: centos-bounces at centos.org [centos-bounces at centos.org] On  
> Behalf Of Ross Walker [rswwalker at gmail.com]
> Sent: Tuesday, February 09, 2010 4:08 PM
> To: CentOS mailing list
> Subject: Re: [CentOS] CentOS 5.4 x86_64 authenticating against AD
> (Server 2008r2)
>
> On Tue, Feb 9, 2010 at 3:23 PM, Joseph L. Casale
> <jcasale at activenetwerx.com> wrote:
>>> That RID map feature of samba is great.
>>
>> Forgot about that, AFAIK, you can do that w/ SFU & pam mods.
>>
>> I have two Samba servers left that I want to get rid of:)
>
> You can do it with SFU, but SFU doesn't create UID/GIDs for existing
> users, you have to do those manually.
>
> Then there is the whole issue of maintaining those IDs over a long
> period of time.
>
> Also with RID mapping I can map different domains into different ID  
> ranges.
>
> 100000 - 199999 first domain
> 200000 - 299999 second domain
>
> And so on.
>
> You know you don't need the full Samba install to set up a winbind->NIS
> server, just the Samba client will do.
>
> Then have your Linux boxes use NIS+Kerberos, and only 1-2 boxes need to
> have an smb.conf and winbind running.
>
> NIS is only as secure as the network it runs on. If it bumps against
> public networks (unsecure wifi and so on), use 802.11 authentication.
>
> -Ross
> _______________________________________________
>
> For anybody wanting to know how to go the LDAP Route I found an  
> interesting article in the linux.com archives
> http://www.linux.com/archive/feed/40983
>
> Thanks again guys for your input.

If it works for you, great.

If you have hundreds or thousands of users and hundreds of groups,
well, good luck. It is extremely hard to automate assigning these
uids/gids and making sure they don't collide with each other or other
unix systems, and doing it by hand is a torture reserved for the ninth
circle of hell.

If only nss_ldap had a SID->UID/GID mapping like samba has.

-Ross
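The RID-to-range mapping discussed in this thread (100000-199999 for the first domain, 200000-299999 for the second), worked through as an added example that is not part of the original posts or of Samba itself. It reproduces the idmap_rid arithmetic (unix id = range low + RID) and adds the two checks Ross is worried about: that per-domain ranges do not overlap, and that mapped ids do not collide with ids already present locally. The domain SIDs and the /etc/passwd lines are constructed for the example.

```python
import re

# Constructed domain SIDs (hypothetical); the ranges are the ones from the thread.
DOMAIN_RANGES = {
    "S-1-5-21-1111111111-2222222222-3333333333": (100000, 199999),  # first domain
    "S-1-5-21-4444444444-5555555555-6666666666": (200000, 299999),  # second domain
}

# Domain account SID: S-1-5-21-<three sub-authorities>-<RID>
SID_RE = re.compile(r"^(S-1-5-21-\d+-\d+-\d+)-(\d+)$")

def split_sid(sid):
    """Return (domain_sid, rid) for a domain account SID, or raise ValueError."""
    m = SID_RE.match(sid)
    if not m:
        raise ValueError(f"not a domain account SID: {sid}")
    return m.group(1), int(m.group(2))

def sid_to_id(sid, ranges=DOMAIN_RANGES):
    """idmap_rid-style algorithmic mapping: id = range low + RID.
    Returns None for an unknown domain or a RID that falls past the range top."""
    domain, rid = split_sid(sid)
    if domain not in ranges:
        return None
    low, high = ranges[domain]
    unix_id = low + rid
    return unix_id if unix_id <= high else None

def ranges_overlap(ranges):
    """True if any two per-domain ranges overlap (ids would then collide across domains)."""
    spans = sorted(ranges.values())
    return any(spans[i][1] >= spans[i + 1][0] for i in range(len(spans) - 1))

def local_uids(passwd_text):
    """Collect the numeric uids from /etc/passwd-style lines."""
    return {int(line.split(":")[2]) for line in passwd_text.splitlines() if line.strip()}

def find_collisions(sids, existing_ids, ranges=DOMAIN_RANGES):
    """Map each SID and report those whose unix id is already taken locally."""
    collisions = {}
    for sid in sids:
        unix_id = sid_to_id(sid, ranges)
        if unix_id is not None and unix_id in existing_ids:
            collisions[sid] = unix_id
    return collisions

# Constructed sample: a local account that already sits inside the first domain's range.
PASSWD_SAMPLE = """root:x:0:0:root:/root:/bin/bash
app:x:101104:101104:app service:/srv/app:/sbin/nologin
"""
```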