- Timestamp: Jan 15, 2010, 8:21:06 AM
- File: 1 edited
branches/samba-3.3.x/docs/htmldocs/Samba3-HOWTO/idmapper.html
r342 r368 1 <html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 14. Identity Mapping (IDMAP)</title><link rel="stylesheet" href="../samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.7 4.0"><link rel="home" href="index.html" title="The Official Samba 3.3.x HOWTO and Reference Guide"><link rel="up" href="optional.html" title="Part III. Advanced Configuration"><link rel="prev" href="NetCommand.html" title="Chapter 13. Remote and Local Management: The Net Command"><link rel="next" href="rights.html" title="Chapter 15. User Rights and Privileges"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 14. Identity Mapping (IDMAP)</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="NetCommand.html">Prev</a> </td><th width="60%" align="center">Part III. Advanced Configuration</th><td width="20%" align="right"> <a accesskey="n" href="rights.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="idmapper"></a>Chapter 14. 
Identity Mapping (IDMAP)</h2></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="orgname">Samba Team</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><code class="email"><<a class="email" href="mailto:jht@samba.org">jht@samba.org</a>></code></p></div></div></div></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="idmapper.html#id2604468">Samba Server Deployment Types and IDMAP</a></span></dt><dd><dl><dt><span class="sect2"><a href="idmapper.html#id2604493">Standalone Samba Server</a></span></dt><dt><span class="sect2"><a href="idmapper.html#id2604555">Domain Member Server or Domain Member Client</a></span></dt><dt><span class="sect2"><a href="idmapper.html#id2605507">Primary Domain Controller</a></span></dt><dt><span class="sect2"><a href="idmapper.html#id2605741">Backup Domain Controller</a></span></dt></dl></dd><dt><span class="sect1"><a href="idmapper.html#id2605813">Examples of IDMAP Backend Usage</a></span></dt><dd><dl><dt><span class="sect2"><a href="idmapper.html#id2605876">Default Winbind TDB</a></span></dt><dt><span class="sect2"><a href="idmapper.html#id2606598">IDMAP_RID with Winbind</a></span></dt><dt><span class="sect2"><a href="idmapper.html#id2607189">IDMAP Storage in LDAP Using Winbind</a></span></dt><dt><span class="sect2"><a href="idmapper.html#id2607774">IDMAP and NSS Using LDAP from ADS with RFC2307bis Schema Extension</a></span></dt></dl></dd></dl></div><p>2 <a class="indexterm" name="id26 04193"></a>3 <a class="indexterm" name="id26 04200"></a>4 <a class="indexterm" name="id26 04207"></a>5 <a class="indexterm" name="id26 04214"></a>6 <a class="indexterm" name="id26 04223"></a>7 <a class="indexterm" name="id26 04230"></a>8 <a class="indexterm" name="id26 04236"></a>1 <html><head><meta http-equiv="Content-Type" 
content="text/html; charset=ISO-8859-1"><title>Chapter 14. Identity Mapping (IDMAP)</title><link rel="stylesheet" href="../samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.75.2"><link rel="home" href="index.html" title="The Official Samba 3.3.x HOWTO and Reference Guide"><link rel="up" href="optional.html" title="Part III. Advanced Configuration"><link rel="prev" href="NetCommand.html" title="Chapter 13. Remote and Local Management: The Net Command"><link rel="next" href="rights.html" title="Chapter 15. User Rights and Privileges"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 14. Identity Mapping (IDMAP)</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="NetCommand.html">Prev</a> </td><th width="60%" align="center">Part III. Advanced Configuration</th><td width="20%" align="right"> <a accesskey="n" href="rights.html">Next</a></td></tr></table><hr></div><div class="chapter" title="Chapter 14. Identity Mapping (IDMAP)"><div class="titlepage"><div><div><h2 class="title"><a name="idmapper"></a>Chapter 14. 
Identity Mapping (IDMAP)</h2></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><code class="email"><<a class="email" href="mailto:jht@samba.org">jht@samba.org</a>></code></p></div></div></div></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="idmapper.html#id2610535">Samba Server Deployment Types and IDMAP</a></span></dt><dd><dl><dt><span class="sect2"><a href="idmapper.html#id2610560">Standalone Samba Server</a></span></dt><dt><span class="sect2"><a href="idmapper.html#id2610622">Domain Member Server or Domain Member Client</a></span></dt><dt><span class="sect2"><a href="idmapper.html#id2611579">Primary Domain Controller</a></span></dt><dt><span class="sect2"><a href="idmapper.html#id2611813">Backup Domain Controller</a></span></dt></dl></dd><dt><span class="sect1"><a href="idmapper.html#id2611885">Examples of IDMAP Backend Usage</a></span></dt><dd><dl><dt><span class="sect2"><a href="idmapper.html#id2611948">Default Winbind TDB</a></span></dt><dt><span class="sect2"><a href="idmapper.html#id2612670">IDMAP_RID with Winbind</a></span></dt><dt><span class="sect2"><a href="idmapper.html#id2613261">IDMAP Storage in LDAP Using Winbind</a></span></dt><dt><span class="sect2"><a href="idmapper.html#id2613846">IDMAP and NSS Using LDAP from ADS with RFC2307bis Schema Extension</a></span></dt></dl></dd></dl></div><p> 2 <a class="indexterm" name="id2610260"></a> 3 <a class="indexterm" name="id2610267"></a> 4 <a class="indexterm" name="id2610274"></a> 5 <a class="indexterm" name="id2610281"></a> 6 <a class="indexterm" name="id2610290"></a> 7 <a class="indexterm" name="id2610297"></a> 8 <a class="indexterm" name="id2610303"></a> 9 9 The Microsoft Windows operating system has a number of features that impose specific challenges 
10 10 to interoperability with the operating systems on which Samba is implemented. This chapter deals … … 17 17 This is followed by an overview of how the IDMAP facility may be implemented. 18 18 </p><p> 19 <a class="indexterm" name="id26 04260"></a>20 <a class="indexterm" name="id26 04267"></a>21 <a class="indexterm" name="id26 04274"></a>22 <a class="indexterm" name="id26 04281"></a>19 <a class="indexterm" name="id2610327"></a> 20 <a class="indexterm" name="id2610334"></a> 21 <a class="indexterm" name="id2610341"></a> 22 <a class="indexterm" name="id2610348"></a> 23 23 The IDMAP facility is of concern where more than one Samba server (or Samba network client) 24 24 is installed in a domain. Where there is a single Samba server, do not be too concerned regarding … … 27 27 another, and that is where the fun begins! 28 28 </p><p> 29 <a class="indexterm" name="id26 04302"></a>30 <a class="indexterm" name="id26 04308"></a>31 <a class="indexterm" name="id26 04314"></a>32 <a class="indexterm" name="id26 04321"></a>33 <a class="indexterm" name="id26 04328"></a>34 <a class="indexterm" name="id26 04334"></a>35 <a class="indexterm" name="id26 04341"></a>36 <a class="indexterm" name="id26 04348"></a>29 <a class="indexterm" name="id2610368"></a> 30 <a class="indexterm" name="id2610375"></a> 31 <a class="indexterm" name="id2610381"></a> 32 <a class="indexterm" name="id2610388"></a> 33 <a class="indexterm" name="id2610394"></a> 34 <a class="indexterm" name="id2610401"></a> 35 <a class="indexterm" name="id2610408"></a> 36 <a class="indexterm" name="id2610415"></a> 37 37 Where user and group account information is stored in an LDAP directory every server can have the same 38 38 consistent UID and GID for users and groups. This is achieved using NSS and the nss_ldap tool. 
Samba … … 42 42 or if there is a need to keep the security name-space separate (i.e., the user 43 43 <code class="literal">DOMINICUS\FJones</code> must not be given access to the account resources of the user 44 <code class="literal">FRANCISCUS\FJones</code><sup>[<a name="id26 04377" href="#ftn.id2604377" class="footnote">4</a>]</sup> free from inadvertent cross-over, close attention should be given44 <code class="literal">FRANCISCUS\FJones</code><sup>[<a name="id2610444" href="#ftn.id2610444" class="footnote">4</a>]</sup> free from inadvertent cross-over, close attention should be given 45 45 to the way that the IDMAP facility is configured. 46 46 </p><p> 47 <a class="indexterm" name="id26 04405"></a>48 <a class="indexterm" name="id26 04411"></a>49 <a class="indexterm" name="id26 04418"></a>50 <a class="indexterm" name="id26 04425"></a>51 <a class="indexterm" name="id26 04431"></a>52 <a class="indexterm" name="id26 04438"></a>47 <a class="indexterm" name="id2610471"></a> 48 <a class="indexterm" name="id2610478"></a> 49 <a class="indexterm" name="id2610485"></a> 50 <a class="indexterm" name="id2610492"></a> 51 <a class="indexterm" name="id2610498"></a> 52 <a class="indexterm" name="id2610505"></a> 53 53 The use of IDMAP is important where the Samba server will be accessed by workstations or servers from 54 54 more than one domain, in which case it is important to run winbind so it can handle the resolution (ID mapping) 55 55 of foreign SIDs to local UNIX UIDs and GIDs. 56 56 </p><p> 57 <a class="indexterm" name="id26 04452"></a>57 <a class="indexterm" name="id2610519"></a> 58 58 The use of the IDMAP facility requires the execution of the <code class="literal">winbindd</code> upon Samba startup. 
59 </p><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2604468"></a>Samba Server Deployment Types and IDMAP</h2></div></div></div><p>60 <a class="indexterm" name="id26 04476"></a>59 </p><div class="sect1" title="Samba Server Deployment Types and IDMAP"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2610535"></a>Samba Server Deployment Types and IDMAP</h2></div></div></div><p> 60 <a class="indexterm" name="id2610543"></a> 61 61 There are four basic server deployment types, as documented in <a class="link" href="ServerType.html" title="Chapter 3. Server Types and Security Modes">the chapter 62 62 on Server Types and Security Modes</a>. 63 </p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2604493"></a>Standalone Samba Server</h3></div></div></div><p>64 <a class="indexterm" name="id26 04501"></a>65 <a class="indexterm" name="id26 04508"></a>66 <a class="indexterm" name="id26 04514"></a>63 </p><div class="sect2" title="Standalone Samba Server"><div class="titlepage"><div><div><h3 class="title"><a name="id2610560"></a>Standalone Samba Server</h3></div></div></div><p> 64 <a class="indexterm" name="id2610568"></a> 65 <a class="indexterm" name="id2610574"></a> 66 <a class="indexterm" name="id2610581"></a> 67 67 A standalone Samba server is an implementation that is not a member of a Windows NT4 domain, 68 68 a Windows 200X Active Directory domain, or a Samba domain. 69 69 </p><p> 70 <a class="indexterm" name="id26 04527"></a>71 <a class="indexterm" name="id26 04534"></a>72 <a class="indexterm" name="id26 04541"></a>70 <a class="indexterm" name="id2610594"></a> 71 <a class="indexterm" name="id2610601"></a> 72 <a class="indexterm" name="id2610608"></a> 73 73 By definition, this means that users and groups will be created and controlled locally, and 74 74 the identity of a network user must match a local UNIX/Linux user login. 
The IDMAP facility 75 75 is therefore of little to no interest, winbind will not be necessary, and the IDMAP facility 76 76 will not be relevant or of interest. 77 </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2604555"></a>Domain Member Server or Domain Member Client</h3></div></div></div><p>78 <a class="indexterm" name="id26 04564"></a>79 <a class="indexterm" name="id26 04570"></a>80 <a class="indexterm" name="id26 04577"></a>81 <a class="indexterm" name="id26 04584"></a>82 <a class="indexterm" name="id26 04590"></a>77 </p></div><div class="sect2" title="Domain Member Server or Domain Member Client"><div class="titlepage"><div><div><h3 class="title"><a name="id2610622"></a>Domain Member Server or Domain Member Client</h3></div></div></div><p> 78 <a class="indexterm" name="id2610630"></a> 79 <a class="indexterm" name="id2610637"></a> 80 <a class="indexterm" name="id2610644"></a> 81 <a class="indexterm" name="id2610650"></a> 82 <a class="indexterm" name="id2610657"></a> 83 83 Samba-3 can act as a Windows NT4 PDC or BDC, thereby providing domain control protocols that 84 84 are compatible with Windows NT4. Samba-3 file and print sharing protocols are compatible with … … 86 86 extensively makes use of Windows SIDs. 87 87 </p><p> 88 <a class="indexterm" name="id26 04606"></a>89 <a class="indexterm" name="id26 04613"></a>90 <a class="indexterm" name="id26 04619"></a>88 <a class="indexterm" name="id2610678"></a> 89 <a class="indexterm" name="id2610685"></a> 90 <a class="indexterm" name="id2610691"></a> 91 91 Samba-3 domain member servers and clients must interact correctly with MS Windows SIDs. Incoming 92 92 Windows SIDs must be translated to local UNIX UIDs and GIDs. Outgoing information from the Samba 93 93 server must provide to MS Windows clients and servers appropriate SIDs. 
94 94 </p><p> 95 <a class="indexterm" name="id26 04634"></a>96 <a class="indexterm" name="id26 04640"></a>95 <a class="indexterm" name="id2610706"></a> 96 <a class="indexterm" name="id2610712"></a> 97 97 A Samba member of a Windows networking domain (NT4-style or ADS) can be configured to handle 98 98 identity mapping in a variety of ways. The mechanism it uses depends on whether or not … … 100 100 The configuration options are briefly described here: 101 101 </p><div class="variablelist"><dl><dt><span class="term">Winbind is not used; users and groups are local: </span></dt><dd><p> 102 <a class="indexterm" name="id26 04671"></a>103 <a class="indexterm" name="id26 04678"></a>104 <a class="indexterm" name="id26 04684"></a>105 <a class="indexterm" name="id26 04691"></a>106 <a class="indexterm" name="id26 04698"></a>107 <a class="indexterm" name="id26 04705"></a>108 <a class="indexterm" name="id26 04712"></a>109 <a class="indexterm" name="id26 04718"></a>110 <a class="indexterm" name="id26 04725"></a>111 <a class="indexterm" name="id26 04732"></a>112 <a class="indexterm" name="id26 04739"></a>102 <a class="indexterm" name="id2610743"></a> 103 <a class="indexterm" name="id2610750"></a> 104 <a class="indexterm" name="id2610756"></a> 105 <a class="indexterm" name="id2610763"></a> 106 <a class="indexterm" name="id2610770"></a> 107 <a class="indexterm" name="id2610777"></a> 108 <a class="indexterm" name="id2610784"></a> 109 <a class="indexterm" name="id2610790"></a> 110 <a class="indexterm" name="id2610797"></a> 111 <a class="indexterm" name="id2610804"></a> 112 <a class="indexterm" name="id2610811"></a> 113 113 Where <code class="literal">winbindd</code> is not used Samba (<code class="literal">smbd</code>) 114 114 uses the underlying UNIX/Linux mechanisms to resolve the identity of incoming … … 120 120 <code class="filename">/etc/passwd</code> and <code class="filename">/etc/group</code> respectively. 
121 121 </p><p> 122 <a class="indexterm" name="id26 04781"></a>123 <a class="indexterm" name="id26 04788"></a>122 <a class="indexterm" name="id2610853"></a> 123 <a class="indexterm" name="id2610860"></a> 124 124 For example, when the user <code class="literal">BERYLIUM\WambatW</code> tries to open a 125 125 connection to a Samba server the incoming SessionSetupAndX request will make a … … 127 127 <code class="filename">/etc/passwd</code> file. 128 128 </p><p> 129 <a class="indexterm" name="id26 04819"></a>130 <a class="indexterm" name="id26 04826"></a>131 <a class="indexterm" name="id26 04833"></a>132 <a class="indexterm" name="id26 04840"></a>133 <a class="indexterm" name="id26 04846"></a>134 <a class="indexterm" name="id26 04853"></a>135 <a class="indexterm" name="id26 04859"></a>136 <a class="indexterm" name="id26 04866"></a>129 <a class="indexterm" name="id2610891"></a> 130 <a class="indexterm" name="id2610898"></a> 131 <a class="indexterm" name="id2610905"></a> 132 <a class="indexterm" name="id2610912"></a> 133 <a class="indexterm" name="id2610918"></a> 134 <a class="indexterm" name="id2610925"></a> 135 <a class="indexterm" name="id2610931"></a> 136 <a class="indexterm" name="id2610938"></a> 137 137 This configuration may be used with standalone Samba servers, domain member 138 138 servers (NT4 or ADS), and for a PDC that uses either an smbpasswd 139 139 or a tdbsam-based Samba passdb backend. 
140 140 </p></dd><dt><span class="term">Winbind is not used; users and groups resolved via NSS: </span></dt><dd><p> 141 <a class="indexterm" name="id26 04889"></a>142 <a class="indexterm" name="id26 04896"></a>143 <a class="indexterm" name="id26 04903"></a>144 <a class="indexterm" name="id26 04910"></a>145 <a class="indexterm" name="id26 04917"></a>146 <a class="indexterm" name="id26 04924"></a>141 <a class="indexterm" name="id2610961"></a> 142 <a class="indexterm" name="id2610968"></a> 143 <a class="indexterm" name="id2610975"></a> 144 <a class="indexterm" name="id2610982"></a> 145 <a class="indexterm" name="id2610989"></a> 146 <a class="indexterm" name="id2610996"></a> 147 147 In this situation user and group accounts are treated as if they are local 148 148 accounts. The only way in which this differs from having local accounts is … … 150 150 this means that they will reside in either an NIS-type database or else in LDAP. 151 151 </p><p> 152 <a class="indexterm" name="id26 04939"></a>153 <a class="indexterm" name="id26 04946"></a>154 <a class="indexterm" name="id26 04953"></a>155 <a class="indexterm" name="id26 04960"></a>156 <a class="indexterm" name="id26 04966"></a>157 <a class="indexterm" name="id26 04973"></a>158 <a class="indexterm" name="id26 04979"></a>152 <a class="indexterm" name="id2611011"></a> 153 <a class="indexterm" name="id2611018"></a> 154 <a class="indexterm" name="id2611025"></a> 155 <a class="indexterm" name="id2611032"></a> 156 <a class="indexterm" name="id2611038"></a> 157 <a class="indexterm" name="id2611045"></a> 158 <a class="indexterm" name="id2611051"></a> 159 159 This configuration may be used with standalone Samba servers, domain member 160 160 servers (NT4 or ADS), and for a PDC that uses either an smbpasswd 161 161 or a tdbsam-based Samba passdb backend. 
162 162 </p></dd><dt><span class="term">Winbind/NSS with the default local IDMAP table: </span></dt><dd><p> 163 <a class="indexterm" name="id26 05002"></a>164 <a class="indexterm" name="id26 05009"></a>165 <a class="indexterm" name="id26 05016"></a>166 <a class="indexterm" name="id26 05023"></a>163 <a class="indexterm" name="id2611074"></a> 164 <a class="indexterm" name="id2611081"></a> 165 <a class="indexterm" name="id2611088"></a> 166 <a class="indexterm" name="id2611095"></a> 167 167 There are many sites that require only a simple Samba server or a single Samba 168 168 server that is a member of a Windows NT4 domain or an ADS domain. A typical example … … 172 172 Active Directory. 173 173 </p><p> 174 <a class="indexterm" name="id26 05041"></a>175 <a class="indexterm" name="id26 05047"></a>176 <a class="indexterm" name="id26 05054"></a>177 <a class="indexterm" name="id26 05061"></a>178 <a class="indexterm" name="id26 05068"></a>174 <a class="indexterm" name="id2611113"></a> 175 <a class="indexterm" name="id2611119"></a> 176 <a class="indexterm" name="id2611126"></a> 177 <a class="indexterm" name="id2611133"></a> 178 <a class="indexterm" name="id2611140"></a> 179 179 Winbind is a great convenience in this situation. All that is needed is a range of 180 180 UID numbers and GID numbers that can be defined in the <code class="filename">smb.conf</code> file. The … … 183 183 The SIDs are allocated a UID/GID in the order in which winbind receives them. 
184 184 </p><p> 185 <a class="indexterm" name="id26 05102"></a>186 <a class="indexterm" name="id26 05108"></a>187 <a class="indexterm" name="id26 05115"></a>188 <a class="indexterm" name="id26 05122"></a>185 <a class="indexterm" name="id2611174"></a> 186 <a class="indexterm" name="id2611180"></a> 187 <a class="indexterm" name="id2611187"></a> 188 <a class="indexterm" name="id2611194"></a> 189 189 This configuration is not convenient or practical in sites that have more than one 190 190 Samba server and that require the same UID or GID for the same user or group across … … 195 195 the rightful owners. 196 196 </p></dd><dt><span class="term">Winbind/NSS uses RID based IDMAP: </span></dt><dd><p> 197 <a class="indexterm" name="id26 05150"></a>198 <a class="indexterm" name="id26 05157"></a>199 <a class="indexterm" name="id26 05164"></a>200 <a class="indexterm" name="id26 05170"></a>197 <a class="indexterm" name="id2611222"></a> 198 <a class="indexterm" name="id2611229"></a> 199 <a class="indexterm" name="id2611236"></a> 200 <a class="indexterm" name="id2611242"></a> 201 201 The IDMAP_RID facility is new to Samba version 3.0.8. It was added to make life easier 202 202 for a number of sites that are committed to use of MS ADS, that do not apply … … 206 206 IDMAP table problem, then IDMAP_RID is an obvious choice. 
207 207 </p><p> 208 <a class="indexterm" name="id26 05189"></a>209 <a class="indexterm" name="id26 05196"></a>210 <a class="indexterm" name="id26 05203"></a>211 <a class="indexterm" name="id26 05210"></a>212 <a class="indexterm" name="id26 05216"></a>213 <a class="indexterm" name="id26 05223"></a>214 <a class="indexterm" name="id26 05229"></a>215 <a class="indexterm" name="id26 05236"></a>208 <a class="indexterm" name="id2611261"></a> 209 <a class="indexterm" name="id2611268"></a> 210 <a class="indexterm" name="id2611275"></a> 211 <a class="indexterm" name="id2611282"></a> 212 <a class="indexterm" name="id2611288"></a> 213 <a class="indexterm" name="id2611295"></a> 214 <a class="indexterm" name="id2611301"></a> 215 <a class="indexterm" name="id2611308"></a> 216 216 This facility requires the allocation of the <em class="parameter"><code>idmap uid</code></em> and the 217 217 <em class="parameter"><code>idmap gid</code></em> ranges, and within the <em class="parameter"><code>idmap uid</code></em> … … 223 223 the resulting UID will be <code class="constant">1000 + 1234 = 2234</code>. 
224 224 </p></dd><dt><span class="term">Winbind with an NSS/LDAP backend-based IDMAP facility: </span></dt><dd><p> 225 <a class="indexterm" name="id26 05304"></a>226 <a class="indexterm" name="id26 05311"></a>227 <a class="indexterm" name="id26 05318"></a>228 <a class="indexterm" name="id26 05325"></a>229 <a class="indexterm" name="id26 05331"></a>230 <a class="indexterm" name="id26 05338"></a>231 <a class="indexterm" name="id26 05344"></a>232 <a class="indexterm" name="id26 05351"></a>225 <a class="indexterm" name="id2611376"></a> 226 <a class="indexterm" name="id2611383"></a> 227 <a class="indexterm" name="id2611390"></a> 228 <a class="indexterm" name="id2611397"></a> 229 <a class="indexterm" name="id2611403"></a> 230 <a class="indexterm" name="id2611410"></a> 231 <a class="indexterm" name="id2611416"></a> 232 <a class="indexterm" name="id2611423"></a> 233 233 In this configuration <code class="literal">winbind</code> resolved SIDs to UIDs and GIDs from 234 234 the <em class="parameter"><code>idmap uid</code></em> and <em class="parameter"><code>idmap gid</code></em> ranges specified … … 237 237 a common IDMAP table. 238 238 </p><p> 239 <a class="indexterm" name="id26 05390"></a>240 <a class="indexterm" name="id26 05397"></a>241 <a class="indexterm" name="id26 05404"></a>239 <a class="indexterm" name="id2611462"></a> 240 <a class="indexterm" name="id2611469"></a> 241 <a class="indexterm" name="id2611476"></a> 242 242 It is important that all LDAP IDMAP clients use only the master LDAP server because the 243 243 <em class="parameter"><code>idmap backend</code></em> facility in the <code class="filename">smb.conf</code> file does not correctly … … 248 248 SIDs are consistent across all servers. 
249 249 </p><p> 250 <a class="indexterm" name="id26 05445"></a>251 <a class="indexterm" name="id26 05452"></a>250 <a class="indexterm" name="id2611517"></a> 251 <a class="indexterm" name="id2611524"></a> 252 252 The use of the LDAP-based passdb backend requires use of the PADL nss_ldap utility or 253 253 an equivalent. In this situation winbind is used to handle foreign SIDs, that is, SIDs from … … 256 256 in precisely the same manner as when using winbind with a local IDMAP table. 257 257 </p><p> 258 <a class="indexterm" name="id26 05470"></a>259 <a class="indexterm" name="id26 05477"></a>260 <a class="indexterm" name="id26 05483"></a>258 <a class="indexterm" name="id2611542"></a> 259 <a class="indexterm" name="id2611549"></a> 260 <a class="indexterm" name="id2611555"></a> 261 261 The nss_ldap tool set can be used to access UIDs and GIDs via LDAP as well as via Active 262 262 Directory. In order to use Active Directory, it is necessary to modify the ADS schema by … … 267 267 Management tool. Each account must be separately UNIX-enabled before the UID and GID data can 268 268 be used by Samba. 
269 </p></dd></dl></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2605507"></a>Primary Domain Controller</h3></div></div></div><p>270 <a class="indexterm" name="id26 05515"></a>271 <a class="indexterm" name="id26 05522"></a>272 <a class="indexterm" name="id26 05528"></a>273 <a class="indexterm" name="id26 05535"></a>269 </p></dd></dl></div></div><div class="sect2" title="Primary Domain Controller"><div class="titlepage"><div><div><h3 class="title"><a name="id2611579"></a>Primary Domain Controller</h3></div></div></div><p> 270 <a class="indexterm" name="id2611587"></a> 271 <a class="indexterm" name="id2611594"></a> 272 <a class="indexterm" name="id2611600"></a> 273 <a class="indexterm" name="id2611607"></a> 274 274 Microsoft Windows domain security systems generate the user and group SID as part 275 275 of the process of creation of an account. Windows does not have a concept of the UNIX UID or a GID; rather, … … 277 277 of producing a unique SID for each user and group. Samba generates a machine and a domain SID to which it 278 278 adds an RID that is calculated algorithmically from a base value that can be specified 279 in the <code class="filename">smb.conf</code> file, plus twice (2x) the UID or GID. This method is called “<span class="quote">algorithmic mapping</span>”.280 </p><p> 281 <a class="indexterm" name="id26 05564"></a>279 in the <code class="filename">smb.conf</code> file, plus twice (2x) the UID or GID. This method is called <span class="quote">“<span class="quote">algorithmic mapping</span>”</span>. 280 </p><p> 281 <a class="indexterm" name="id2611636"></a> 282 282 For example, if a user has a UID of 4321, and the algorithmic RID base has a value of 1000, the RID will 283 283 be <code class="literal">1000 + (2 x 4321) = 9642</code>. Thus, if the domain SID is … … 285 285 <code class="literal">S-1-5-21-89238497-92787123-12341112-9642</code>. 
286 286 </p><p> 287 <a class="indexterm" name="id26 05596"></a>288 <a class="indexterm" name="id26 05602"></a>289 <a class="indexterm" name="id26 05609"></a>290 <a class="indexterm" name="id26 05616"></a>287 <a class="indexterm" name="id2611668"></a> 288 <a class="indexterm" name="id2611674"></a> 289 <a class="indexterm" name="id2611681"></a> 290 <a class="indexterm" name="id2611688"></a> 291 291 The foregoing type of SID is produced by Samba as an automatic function and is either produced on the fly 292 292 (as is the case when using a <em class="parameter"><code>passdb backend = [tdbsam | smbpasswd]</code></em>), or may be stored 293 293 as a permanent part of an account in an LDAP-based ldapsam. 294 294 </p><p> 295 <a class="indexterm" name="id26 05636"></a>296 <a class="indexterm" name="id26 05643"></a>297 <a class="indexterm" name="id26 05649"></a>298 <a class="indexterm" name="id26 05656"></a>299 <a class="indexterm" name="id26 05663"></a>300 <a class="indexterm" name="id26 05670"></a>301 <a class="indexterm" name="id26 05676"></a>302 <a class="indexterm" name="id26 05683"></a>303 <a class="indexterm" name="id26 05690"></a>295 <a class="indexterm" name="id2611708"></a> 296 <a class="indexterm" name="id2611715"></a> 297 <a class="indexterm" name="id2611721"></a> 298 <a class="indexterm" name="id2611728"></a> 299 <a class="indexterm" name="id2611735"></a> 300 <a class="indexterm" name="id2611742"></a> 301 <a class="indexterm" name="id2611748"></a> 302 <a class="indexterm" name="id2611755"></a> 303 <a class="indexterm" name="id2611762"></a> 304 304 ADS uses a directory schema that can be extended to accommodate additional 305 305 account attributes such as UIDs and GIDs. The installation of Microsoft Service for UNIX 3.5 will expand … … 307 307 through a snap-in module to the normal ADS account management MMC interface. 
308 308 </p><p> 309 <a class="indexterm" name="id26 05706"></a>310 <a class="indexterm" name="id26 05713"></a>311 <a class="indexterm" name="id26 05720"></a>312 <a class="indexterm" name="id26 05726"></a>309 <a class="indexterm" name="id2611778"></a> 310 <a class="indexterm" name="id2611785"></a> 311 <a class="indexterm" name="id2611792"></a> 312 <a class="indexterm" name="id2611798"></a> 313 313 Security identifiers used within a domain must be managed to avoid conflict and to preserve itegrity. 314 314 In an NT4 domain context, the PDC manages the distribution of all security credentials to the backup 315 315 domain controllers (BDCs). At this time the only passdb backend for a Samba domain controller that is suitable 316 316 for such information is an LDAP backend. 317 </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2605741"></a>Backup Domain Controller</h3></div></div></div><p>318 <a class="indexterm" name="id26 05749"></a>319 <a class="indexterm" name="id26 05756"></a>320 <a class="indexterm" name="id26 05763"></a>321 <a class="indexterm" name="id26 05770"></a>322 <a class="indexterm" name="id26 05777"></a>323 <a class="indexterm" name="id26 05784"></a>324 <a class="indexterm" name="id26 05790"></a>317 </p></div><div class="sect2" title="Backup Domain Controller"><div class="titlepage"><div><div><h3 class="title"><a name="id2611813"></a>Backup Domain Controller</h3></div></div></div><p> 318 <a class="indexterm" name="id2611821"></a> 319 <a class="indexterm" name="id2611828"></a> 320 <a class="indexterm" name="id2611835"></a> 321 <a class="indexterm" name="id2611842"></a> 322 <a class="indexterm" name="id2611849"></a> 323 <a class="indexterm" name="id2611856"></a> 324 <a class="indexterm" name="id2611862"></a> 325 325 BDCs have read-only access to security credentials that are stored in LDAP. 326 326 Changes in user or group account information are passed by the BDC to the PDC. 
Only the PDC can write … … 331 331 in the IDMAP backend. This means that it is is unsafe to use a slave (replicate) LDAP server with 332 332 the IDMAP facility. 333 </p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2605813"></a>Examples of IDMAP Backend Usage</h2></div></div></div><p>334 <a class="indexterm" name="id26 05821"></a>335 <a class="indexterm" name="id26 05830"></a>336 <a class="indexterm" name="id26 05840"></a>337 <a class="indexterm" name="id26 05846"></a>338 <a class="indexterm" name="id26 05853"></a>333 </p></div></div><div class="sect1" title="Examples of IDMAP Backend Usage"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2611885"></a>Examples of IDMAP Backend Usage</h2></div></div></div><p> 334 <a class="indexterm" name="id2611893"></a> 335 <a class="indexterm" name="id2611902"></a> 336 <a class="indexterm" name="id2611912"></a> 337 <a class="indexterm" name="id2611918"></a> 338 <a class="indexterm" name="id2611925"></a> 339 339 Anyone who wishes to use <code class="literal">winbind</code> will find the following example configurations helpful. 340 340 Remember that in the majority of cases <code class="literal">winbind</code> is of primary interest for use with 341 341 domain member servers (DMSs) and domain member clients (DMCs). 
342 </p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2605876"></a>Default Winbind TDB</h3></div></div></div><p>342 </p><div class="sect2" title="Default Winbind TDB"><div class="titlepage"><div><div><h3 class="title"><a name="id2611948"></a>Default Winbind TDB</h3></div></div></div><p> 343 343 Two common configurations are used: 344 </p><div class="itemizedlist"><ul type="disc"><li><p>344 </p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p> 345 345 Networks that have an NT4 PDC (with or without BDCs) or a Samba PDC (with or without BDCs). 346 </p></li><li ><p>346 </p></li><li class="listitem"><p> 347 347 Networks that use MS Windows 200x ADS. 348 </p></li></ul></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2605900"></a>NT4-Style Domains (Includes Samba Domains)</h4></div></div></div><p>348 </p></li></ul></div><div class="sect3" title="NT4-Style Domains (Includes Samba Domains)"><div class="titlepage"><div><div><h4 class="title"><a name="id2611972"></a>NT4-Style Domains (Includes Samba Domains)</h4></div></div></div><p> 349 349 <a class="link" href="idmapper.html#idmapnt4dms" title="Example 14.1. NT4 Domain Member Server smb.conf">NT4 Domain Member Server smb.con</a> is a simple example of an NT4 DMS 350 350 <code class="filename">smb.conf</code> file that shows only the global section. 351 </p><div class="example"><a name="idmapnt4dms"></a><p class="title"><b>Example 14.1. 
NT4 Domain Member Server smb.conf</b></p><div class="example-contents"><table class="simplelist" border="0" summary="Simple list"><tr><td># Global parameters</td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[global]</code></em></td></tr><tr><td><a class="indexterm" name="id2605953"></a><em class="parameter"><code>workgroup = MEGANET2</code></em></td></tr><tr><td><a class="indexterm" name="id2605965"></a><em class="parameter"><code>security = DOMAIN</code></em></td></tr><tr><td><a class="indexterm" name="id2605976"></a><em class="parameter"><code>idmap uid = 10000-20000</code></em></td></tr><tr><td><a class="indexterm" name="id2605988"></a><em class="parameter"><code>idmap gid = 10000-20000</code></em></td></tr><tr><td><a class="indexterm" name="id2606000"></a><em class="parameter"><code>template primary group = "Domain Users"</code></em></td></tr><tr><td><a class="indexterm" name="id2606012"></a><em class="parameter"><code>template shell = /bin/bash</code></em></td></tr></table></div></div><br class="example-break"><p>352 <a class="indexterm" name="id26 06027"></a>353 <a class="indexterm" name="id26 06034"></a>351 </p><div class="example"><a name="idmapnt4dms"></a><p class="title"><b>Example 14.1. 
NT4 Domain Member Server smb.conf</b></p><div class="example-contents"><table border="0" summary="Simple list" class="simplelist"><tr><td># Global parameters</td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[global]</code></em></td></tr><tr><td><a class="indexterm" name="id2612025"></a><em class="parameter"><code>workgroup = MEGANET2</code></em></td></tr><tr><td><a class="indexterm" name="id2612037"></a><em class="parameter"><code>security = DOMAIN</code></em></td></tr><tr><td><a class="indexterm" name="id2612048"></a><em class="parameter"><code>idmap uid = 10000-20000</code></em></td></tr><tr><td><a class="indexterm" name="id2612060"></a><em class="parameter"><code>idmap gid = 10000-20000</code></em></td></tr><tr><td><a class="indexterm" name="id2612072"></a><em class="parameter"><code>template primary group = "Domain Users"</code></em></td></tr><tr><td><a class="indexterm" name="id2612084"></a><em class="parameter"><code>template shell = /bin/bash</code></em></td></tr></table></div></div><br class="example-break"><p> 352 <a class="indexterm" name="id2612099"></a> 353 <a class="indexterm" name="id2612106"></a> 354 354 The use of <code class="literal">winbind</code> requires configuration of NSS. Edit the <code class="filename">/etc/nsswitch.conf</code> 355 355 so it includes the following entries: … … 366 366 </p><p> 367 367 The creation of the DMS requires the following steps: 368 </p><div class="procedure"><ol type="1"><li><p>368 </p><div class="procedure"><ol class="procedure" type="1"><li class="step" title="Step 1"><p> 369 369 Create or install an <code class="filename">smb.conf</code> file with the above configuration. 370 </p></li><li ><p>370 </p></li><li class="step" title="Step 2"><p> 371 371 Execute: 372 372 </p><pre class="screen"> … … 374 374 Joined domain MEGANET2. 
375 375 </pre><p> 376 <a class="indexterm" name="id26 06103"></a>376 <a class="indexterm" name="id2612175"></a> 377 377 The success of the join can be confirmed with the following command: 378 378 </p><pre class="screen"> … … 381 381 </pre><p> 382 382 A failed join would report an error message like the following: 383 <a class="indexterm" name="id26 06125"></a>383 <a class="indexterm" name="id2612197"></a> 384 384 </p><pre class="screen"> 385 385 <code class="prompt">root# </code> net rpc testjoin … … 387 387 Join to domain 'MEGANET2' is not valid 388 388 </pre><p> 389 </p></li><li ><p>390 <a class="indexterm" name="id26 06151"></a>391 <a class="indexterm" name="id26 06158"></a>392 <a class="indexterm" name="id26 06165"></a>389 </p></li><li class="step" title="Step 3"><p> 390 <a class="indexterm" name="id2612223"></a> 391 <a class="indexterm" name="id2612230"></a> 392 <a class="indexterm" name="id2612237"></a> 393 393 Start the <code class="literal">nmbd, winbind,</code> and <code class="literal">smbd</code> daemons in the order shown. 394 </p></li></ol></div></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2606188"></a>ADS Domains</h4></div></div></div><p>395 <a class="indexterm" name="id26 06196"></a>396 <a class="indexterm" name="id26 06202"></a>394 </p></li></ol></div></div><div class="sect3" title="ADS Domains"><div class="titlepage"><div><div><h4 class="title"><a name="id2612260"></a>ADS Domains</h4></div></div></div><p> 395 <a class="indexterm" name="id2612268"></a> 396 <a class="indexterm" name="id2612274"></a> 397 397 The procedure for joining an ADS domain is similar to the NT4 domain join, except the <code class="filename">smb.conf</code> file 398 398 will have the contents shown in <a class="link" href="idmapper.html#idmapadsdms" title="Example 14.2. 
ADS Domain Member Server smb.conf">ADS Domain Member Server smb.conf</a> 399 </p><div class="example"><a name="idmapadsdms"></a><p class="title"><b>Example 14.2. ADS Domain Member Server smb.conf</b></p><div class="example-contents"><table class="simplelist" border="0" summary="Simple list"><tr><td># Global parameters</td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[global]</code></em></td></tr><tr><td><a class="indexterm" name="id2606254"></a><em class="parameter"><code>workgroup = BUTTERNET</code></em></td></tr><tr><td><a class="indexterm" name="id2606266"></a><em class="parameter"><code>netbios name = GARGOYLE</code></em></td></tr><tr><td><a class="indexterm" name="id2606278"></a><em class="parameter"><code>realm = BUTTERNET.BIZ</code></em></td></tr><tr><td><a class="indexterm" name="id2606289"></a><em class="parameter"><code>security = ADS</code></em></td></tr><tr><td><a class="indexterm" name="id2606301"></a><em class="parameter"><code>template shell = /bin/bash</code></em></td></tr><tr><td><a class="indexterm" name="id2606313"></a><em class="parameter"><code>idmap uid = 500-10000000</code></em></td></tr><tr><td><a class="indexterm" name="id2606325"></a><em class="parameter"><code>idmap gid = 500-10000000</code></em></td></tr><tr><td><a class="indexterm" name="id2606336"></a><em class="parameter"><code>winbind use default domain = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2606348"></a><em class="parameter"><code>winbind nested groups = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2606360"></a><em class="parameter"><code>printer admin = "BUTTERNET\Domain Admins"</code></em></td></tr></table></div></div><br class="example-break"><p>400 <a class="indexterm" name="id26 06376"></a>401 <a class="indexterm" name="id26 06383"></a>402 <a class="indexterm" name="id26 06390"></a>403 <a class="indexterm" name="id26 06396"></a>404 <a class="indexterm" name="id26 06403"></a>405 <a class="indexterm" name="id26 
06410"></a>406 <a class="indexterm" name="id26 06417"></a>399 </p><div class="example"><a name="idmapadsdms"></a><p class="title"><b>Example 14.2. ADS Domain Member Server smb.conf</b></p><div class="example-contents"><table border="0" summary="Simple list" class="simplelist"><tr><td># Global parameters</td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[global]</code></em></td></tr><tr><td><a class="indexterm" name="id2612326"></a><em class="parameter"><code>workgroup = BUTTERNET</code></em></td></tr><tr><td><a class="indexterm" name="id2612338"></a><em class="parameter"><code>netbios name = GARGOYLE</code></em></td></tr><tr><td><a class="indexterm" name="id2612350"></a><em class="parameter"><code>realm = BUTTERNET.BIZ</code></em></td></tr><tr><td><a class="indexterm" name="id2612361"></a><em class="parameter"><code>security = ADS</code></em></td></tr><tr><td><a class="indexterm" name="id2612373"></a><em class="parameter"><code>template shell = /bin/bash</code></em></td></tr><tr><td><a class="indexterm" name="id2612385"></a><em class="parameter"><code>idmap uid = 500-10000000</code></em></td></tr><tr><td><a class="indexterm" name="id2612397"></a><em class="parameter"><code>idmap gid = 500-10000000</code></em></td></tr><tr><td><a class="indexterm" name="id2612408"></a><em class="parameter"><code>winbind use default domain = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2612420"></a><em class="parameter"><code>winbind nested groups = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2612432"></a><em class="parameter"><code>printer admin = "BUTTERNET\Domain Admins"</code></em></td></tr></table></div></div><br class="example-break"><p> 400 <a class="indexterm" name="id2612448"></a> 401 <a class="indexterm" name="id2612455"></a> 402 <a class="indexterm" name="id2612462"></a> 403 <a class="indexterm" name="id2612468"></a> 404 <a class="indexterm" name="id2612475"></a> 405 <a class="indexterm" name="id2612482"></a> 406 <a 
class="indexterm" name="id2612489"></a> 407 407 ADS DMS operation requires use of kerberos (KRB). For this to work, the <code class="filename">krb5.conf</code> 408 408 must be configured. The exact requirements depends on which version of MIT or Heimdal Kerberos is being … … 411 411 </p><p> 412 412 The creation of the DMS requires the following steps: 413 </p><div class="procedure"><ol type="1"><li><p>413 </p><div class="procedure"><ol class="procedure" type="1"><li class="step" title="Step 1"><p> 414 414 Create or install an <code class="filename">smb.conf</code> file with the above configuration. 415 </p></li><li ><p>415 </p></li><li class="step" title="Step 2"><p> 416 416 Edit the <code class="filename">/etc/nsswitch.conf</code> file as shown above. 417 </p></li><li ><p>417 </p></li><li class="step" title="Step 3"><p> 418 418 Execute: 419 <a class="indexterm" name="id26 06475"></a>419 <a class="indexterm" name="id2612547"></a> 420 420 </p><pre class="screen"> 421 421 <code class="prompt">root# </code> net ads join -UAdministrator%password … … 437 437 Join to domain is not valid 438 438 </pre><p> 439 <a class="indexterm" name="id26 06532"></a>440 <a class="indexterm" name="id26 06538"></a>441 <a class="indexterm" name="id26 06545"></a>442 <a class="indexterm" name="id26 06552"></a>439 <a class="indexterm" name="id2612604"></a> 440 <a class="indexterm" name="id2612610"></a> 441 <a class="indexterm" name="id2612617"></a> 442 <a class="indexterm" name="id2612624"></a> 443 443 The specific error message may differ from the above because it depends on the type of failure that 444 444 may have occurred. Increase the <em class="parameter"><code>log level</code></em> to 10, repeat the test, 445 445 and then examine the log files produced to identify the nature of the failure. 
446 </p></li><li ><p>446 </p></li><li class="step" title="Step 4"><p> 447 447 Start the <code class="literal">nmbd</code>, <code class="literal">winbind</code>, and <code class="literal">smbd</code> daemons in the order shown. 448 </p></li></ol></div></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2606598"></a>IDMAP_RID with Winbind</h3></div></div></div><p>449 <a class="indexterm" name="id26 06606"></a>450 <a class="indexterm" name="id26 06613"></a>451 <a class="indexterm" name="id26 06620"></a>452 <a class="indexterm" name="id26 06626"></a>448 </p></li></ol></div></div></div><div class="sect2" title="IDMAP_RID with Winbind"><div class="titlepage"><div><div><h3 class="title"><a name="id2612670"></a>IDMAP_RID with Winbind</h3></div></div></div><p> 449 <a class="indexterm" name="id2612678"></a> 450 <a class="indexterm" name="id2612685"></a> 451 <a class="indexterm" name="id2612692"></a> 452 <a class="indexterm" name="id2612698"></a> 453 453 The <code class="literal">idmap_rid</code> facility is a new tool that, unlike native winbind, creates a 454 454 predictable mapping of MS Windows SIDs to UNIX UIDs and GIDs. The key benefit of this method … … 457 457 is not compatible with trusted domain implementations. 458 458 </p><p> 459 <a class="indexterm" name="id26 06649"></a>460 <a class="indexterm" name="id26 06656"></a>461 <a class="indexterm" name="id26 06663"></a>462 <a class="indexterm" name="id26 06670"></a>459 <a class="indexterm" name="id2612721"></a> 460 <a class="indexterm" name="id2612728"></a> 461 <a class="indexterm" name="id2612735"></a> 462 <a class="indexterm" name="id2612742"></a> 463 463 This alternate method of SID to UID/GID mapping can be achieved using the idmap_rid 464 464 plug-in. This plug-in uses the RID of the user SID to derive the UID and GID by adding the 465 465 RID to a base value specified. 
This utility requires that the parameter 466 “<span class="quote">allow trusted domains = No</span>”be specified, as it is not compatible466 <span class="quote">“<span class="quote">allow trusted domains = No</span>”</span> be specified, as it is not compatible 467 467 with multiple domain environments. The <em class="parameter"><code>idmap uid</code></em> and 468 468 <em class="parameter"><code>idmap gid</code></em> ranges must be specified. 469 469 </p><p> 470 <a class="indexterm" name="id26 06702"></a>471 <a class="indexterm" name="id26 06709"></a>470 <a class="indexterm" name="id2612774"></a> 471 <a class="indexterm" name="id2612781"></a> 472 472 The idmap_rid facility can be used both for NT4/Samba-style domains and Active Directory. 473 473 To use this with an NT4 domain, do not include the <em class="parameter"><code>realm</code></em> parameter; additionally, the … … 476 476 An example <code class="filename">smb.conf</code> file for and ADS domain environment is shown in <a class="link" href="idmapper.html#idmapadsridDMS" title="Example 14.3. ADS Domain Member smb.conf using idmap_rid">ADS 477 477 Domain Member smb.conf using idmap_rid</a>. 478 </p><div class="example"><a name="idmapadsridDMS"></a><p class="title"><b>Example 14.3. 
ADS Domain Member smb.conf using idmap_rid</b></p><div class="example-contents"><table class="simplelist" border="0" summary="Simple list"><tr><td># Global parameters</td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[global]</code></em></td></tr><tr><td><a class="indexterm" name="id2606776"></a><em class="parameter"><code>workgroup = KPAK</code></em></td></tr><tr><td><a class="indexterm" name="id2606788"></a><em class="parameter"><code>netbios name = BIGJOE</code></em></td></tr><tr><td><a class="indexterm" name="id2606800"></a><em class="parameter"><code>realm = CORP.KPAK.COM</code></em></td></tr><tr><td><a class="indexterm" name="id2606811"></a><em class="parameter"><code>server string = Office Server</code></em></td></tr><tr><td><a class="indexterm" name="id2606823"></a><em class="parameter"><code>security = ADS</code></em></td></tr><tr><td><a class="indexterm" name="id2606835"></a><em class="parameter"><code>allow trusted domains = No</code></em></td></tr><tr><td><a class="indexterm" name="id2606847"></a><em class="parameter"><code>idmap backend = idmap_rid:KPAK=500-100000000</code></em></td></tr><tr><td><a class="indexterm" name="id2606859"></a><em class="parameter"><code>idmap uid = 500-100000000</code></em></td></tr><tr><td><a class="indexterm" name="id2606871"></a><em class="parameter"><code>idmap gid = 500-100000000</code></em></td></tr><tr><td><a class="indexterm" name="id2606883"></a><em class="parameter"><code>template shell = /bin/bash</code></em></td></tr><tr><td><a class="indexterm" name="id2606895"></a><em class="parameter"><code>winbind use default domain = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2606907"></a><em class="parameter"><code>winbind enum users = No</code></em></td></tr><tr><td><a class="indexterm" name="id2606919"></a><em class="parameter"><code>winbind enum groups = No</code></em></td></tr><tr><td><a class="indexterm" name="id2606930"></a><em class="parameter"><code>winbind nested groups = 
Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2606942"></a><em class="parameter"><code>printer admin = "Domain Admins"</code></em></td></tr></table></div></div><br class="example-break"><p>479 <a class="indexterm" name="id26 06958"></a>480 <a class="indexterm" name="id26 06965"></a>481 <a class="indexterm" name="id26 06972"></a>482 <a class="indexterm" name="id26 06978"></a>478 </p><div class="example"><a name="idmapadsridDMS"></a><p class="title"><b>Example 14.3. ADS Domain Member smb.conf using idmap_rid</b></p><div class="example-contents"><table border="0" summary="Simple list" class="simplelist"><tr><td># Global parameters</td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[global]</code></em></td></tr><tr><td><a class="indexterm" name="id2612848"></a><em class="parameter"><code>workgroup = KPAK</code></em></td></tr><tr><td><a class="indexterm" name="id2612860"></a><em class="parameter"><code>netbios name = BIGJOE</code></em></td></tr><tr><td><a class="indexterm" name="id2612872"></a><em class="parameter"><code>realm = CORP.KPAK.COM</code></em></td></tr><tr><td><a class="indexterm" name="id2612883"></a><em class="parameter"><code>server string = Office Server</code></em></td></tr><tr><td><a class="indexterm" name="id2612895"></a><em class="parameter"><code>security = ADS</code></em></td></tr><tr><td><a class="indexterm" name="id2612907"></a><em class="parameter"><code>allow trusted domains = No</code></em></td></tr><tr><td><a class="indexterm" name="id2612919"></a><em class="parameter"><code>idmap backend = idmap_rid:KPAK=500-100000000</code></em></td></tr><tr><td><a class="indexterm" name="id2612931"></a><em class="parameter"><code>idmap uid = 500-100000000</code></em></td></tr><tr><td><a class="indexterm" name="id2612943"></a><em class="parameter"><code>idmap gid = 500-100000000</code></em></td></tr><tr><td><a class="indexterm" name="id2612955"></a><em class="parameter"><code>template shell = 
/bin/bash</code></em></td></tr><tr><td><a class="indexterm" name="id2612967"></a><em class="parameter"><code>winbind use default domain = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2612979"></a><em class="parameter"><code>winbind enum users = No</code></em></td></tr><tr><td><a class="indexterm" name="id2612991"></a><em class="parameter"><code>winbind enum groups = No</code></em></td></tr><tr><td><a class="indexterm" name="id2613002"></a><em class="parameter"><code>winbind nested groups = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2613014"></a><em class="parameter"><code>printer admin = "Domain Admins"</code></em></td></tr></table></div></div><br class="example-break"><p> 479 <a class="indexterm" name="id2613030"></a> 480 <a class="indexterm" name="id2613037"></a> 481 <a class="indexterm" name="id2613044"></a> 482 <a class="indexterm" name="id2613050"></a> 483 483 In a large domain with many users it is imperative to disable enumeration of users and groups. 484 484 For example, at a site that has 22,000 users in Active Directory the winbind-based user and … … 489 489 commands. It will be possible to perform the lookup for individual users, as shown in the following procedure. 490 490 </p><p> 491 <a class="indexterm" name="id26 07016"></a>492 <a class="indexterm" name="id26 07022"></a>491 <a class="indexterm" name="id2613088"></a> 492 <a class="indexterm" name="id2613094"></a> 493 493 The use of this tool requires configuration of NSS as per the native use of winbind. Edit the 494 494 <code class="filename">/etc/nsswitch.conf</code> so it has the following parameters: … … 504 504 </p><p> 505 505 The following procedure can use the idmap_rid facility: 506 </p><div class="procedure"><ol type="1"><li><p>506 </p><div class="procedure"><ol class="procedure" type="1"><li class="step" title="Step 1"><p> 507 507 Create or install an <code class="filename">smb.conf</code> file with the above configuration. 
508 </p></li><li ><p>508 </p></li><li class="step" title="Step 2"><p> 509 509 Edit the <code class="filename">/etc/nsswitch.conf</code> file as shown above. 510 </p></li><li ><p>510 </p></li><li class="step" title="Step 3"><p> 511 511 Execute: 512 512 </p><pre class="screen"> … … 516 516 </pre><p> 517 517 </p><p> 518 <a class="indexterm" name="id26 07102"></a>518 <a class="indexterm" name="id2613174"></a> 519 519 An invalid or failed join can be detected by executing: 520 520 </p><pre class="screen"> … … 528 528 may have occurred. Increase the <em class="parameter"><code>log level</code></em> to 10, repeat the test, 529 529 and then examine the log files produced to identify the nature of the failure. 530 </p></li><li ><p>530 </p></li><li class="step" title="Step 4"><p> 531 531 Start the <code class="literal">nmbd</code>, <code class="literal">winbind</code>, and <code class="literal">smbd</code> daemons in the order shown. 532 </p></li><li ><p>532 </p></li><li class="step" title="Step 5"><p> 533 533 Validate the operation of this configuration by executing: 534 <a class="indexterm" name="id26 07167"></a>534 <a class="indexterm" name="id2613239"></a> 535 535 </p><pre class="screen"> 536 536 <code class="prompt">root# </code> getent passwd administrator 537 537 administrator:x:1000:1013:Administrator:/home/BE/administrator:/bin/bash 538 538 </pre><p> 539 </p></li></ol></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2607189"></a>IDMAP Storage in LDAP Using Winbind</h3></div></div></div><p>540 <a class="indexterm" name="id26 07197"></a>541 <a class="indexterm" name="id26 07204"></a>539 </p></li></ol></div></div><div class="sect2" title="IDMAP Storage in LDAP Using Winbind"><div class="titlepage"><div><div><h3 class="title"><a name="id2613261"></a>IDMAP Storage in LDAP Using Winbind</h3></div></div></div><p> 540 <a class="indexterm" name="id2613269"></a> 541 <a class="indexterm" name="id2613276"></a> 542 542 The 
storage of IDMAP information in LDAP can be used with both NT4/Samba-3-style domains and 543 543 ADS domains. OpenLDAP is a commonly used LDAP server for this purpose, although any … … 548 548 An example is for an ADS domain is shown in <a class="link" href="idmapper.html#idmapldapDMS" title="Example 14.4. ADS Domain Member Server using LDAP">ADS Domain Member Server using 549 549 LDAP</a>. 550 </p><div class="example"><a name="idmapldapDMS"></a><p class="title"><b>Example 14.4. ADS Domain Member Server using LDAP</b></p><div class="example-contents"><table class="simplelist" border="0" summary="Simple list"><tr><td># Global parameters</td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[global]</code></em></td></tr><tr><td><a class="indexterm" name="id2607257"></a><em class="parameter"><code>workgroup = SNOWSHOW</code></em></td></tr><tr><td><a class="indexterm" name="id2607269"></a><em class="parameter"><code>netbios name = GOODELF</code></em></td></tr><tr><td><a class="indexterm" name="id2607281"></a><em class="parameter"><code>realm = SNOWSHOW.COM</code></em></td></tr><tr><td><a class="indexterm" name="id2607293"></a><em class="parameter"><code>server string = Samba Server</code></em></td></tr><tr><td><a class="indexterm" name="id2607305"></a><em class="parameter"><code>security = ADS</code></em></td></tr><tr><td><a class="indexterm" name="id2607316"></a><em class="parameter"><code>log level = 1 ads:10 auth:10 sam:10 rpc:10</code></em></td></tr><tr><td><a class="indexterm" name="id2607328"></a><em class="parameter"><code>ldap admin dn = cn=Manager,dc=SNOWSHOW,dc=COM</code></em></td></tr><tr><td><a class="indexterm" name="id2607341"></a><em class="parameter"><code>ldap idmap suffix = ou=Idmap</code></em></td></tr><tr><td><a class="indexterm" name="id2607353"></a><em class="parameter"><code>ldap suffix = dc=SNOWSHOW,dc=COM</code></em></td></tr><tr><td><a class="indexterm" name="id2607364"></a><em class="parameter"><code>idmap backend = 
ldap:ldap://ldap.snowshow.com</code></em></td></tr><tr><td><a class="indexterm" name="id2607377"></a><em class="parameter"><code>idmap uid = 150000-550000</code></em></td></tr><tr><td><a class="indexterm" name="id2607388"></a><em class="parameter"><code>idmap gid = 150000-550000</code></em></td></tr><tr><td><a class="indexterm" name="id2607400"></a><em class="parameter"><code>template shell = /bin/bash</code></em></td></tr><tr><td><a class="indexterm" name="id2607412"></a><em class="parameter"><code>winbind use default domain = Yes</code></em></td></tr></table></div></div><br class="example-break"><p>551 <a class="indexterm" name="id26 07427"></a>550 </p><div class="example"><a name="idmapldapDMS"></a><p class="title"><b>Example 14.4. ADS Domain Member Server using LDAP</b></p><div class="example-contents"><table border="0" summary="Simple list" class="simplelist"><tr><td># Global parameters</td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[global]</code></em></td></tr><tr><td><a class="indexterm" name="id2613329"></a><em class="parameter"><code>workgroup = SNOWSHOW</code></em></td></tr><tr><td><a class="indexterm" name="id2613341"></a><em class="parameter"><code>netbios name = GOODELF</code></em></td></tr><tr><td><a class="indexterm" name="id2613353"></a><em class="parameter"><code>realm = SNOWSHOW.COM</code></em></td></tr><tr><td><a class="indexterm" name="id2613365"></a><em class="parameter"><code>server string = Samba Server</code></em></td></tr><tr><td><a class="indexterm" name="id2613377"></a><em class="parameter"><code>security = ADS</code></em></td></tr><tr><td><a class="indexterm" name="id2613388"></a><em class="parameter"><code>log level = 1 ads:10 auth:10 sam:10 rpc:10</code></em></td></tr><tr><td><a class="indexterm" name="id2613400"></a><em class="parameter"><code>ldap admin dn = cn=Manager,dc=SNOWSHOW,dc=COM</code></em></td></tr><tr><td><a class="indexterm" name="id2613413"></a><em class="parameter"><code>ldap idmap suffix = 
ou=Idmap</code></em></td></tr><tr><td><a class="indexterm" name="id2613425"></a><em class="parameter"><code>ldap suffix = dc=SNOWSHOW,dc=COM</code></em></td></tr><tr><td><a class="indexterm" name="id2613436"></a><em class="parameter"><code>idmap backend = ldap:ldap://ldap.snowshow.com</code></em></td></tr><tr><td><a class="indexterm" name="id2613449"></a><em class="parameter"><code>idmap uid = 150000-550000</code></em></td></tr><tr><td><a class="indexterm" name="id2613460"></a><em class="parameter"><code>idmap gid = 150000-550000</code></em></td></tr><tr><td><a class="indexterm" name="id2613472"></a><em class="parameter"><code>template shell = /bin/bash</code></em></td></tr><tr><td><a class="indexterm" name="id2613484"></a><em class="parameter"><code>winbind use default domain = Yes</code></em></td></tr></table></div></div><br class="example-break"><p> 551 <a class="indexterm" name="id2613499"></a> 552 552 In the case of an NT4 or Samba-3-style domain the <em class="parameter"><code>realm</code></em> is not used, and the 553 553 command used to join the domain is <code class="literal">net rpc join</code>. The above example also demonstrates 554 554 advanced error-reporting techniques that are documented in <a class="link" href="bugreport.html#dbglvl" title="Debug Levels">Reporting Bugs</a>. 
555 555 </p><p> 556 <a class="indexterm" name="id26 07461"></a>557 <a class="indexterm" name="id26 07468"></a>558 <a class="indexterm" name="id26 07475"></a>556 <a class="indexterm" name="id2613533"></a> 557 <a class="indexterm" name="id2613540"></a> 558 <a class="indexterm" name="id2613547"></a> 559 559 Where MIT kerberos is installed (version 1.3.4 or later), edit the <code class="filename">/etc/krb5.conf</code> 560 560 file so it has the following contents: … … 595 595 .snowshow.com = SNOWSHOW.COM 596 596 </pre><p> 597 </p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>597 </p><div class="note" title="Note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p> 598 598 Samba cannot use the Heimdal libraries if there is no <code class="filename">/etc/krb5.conf</code> file. 599 599 So long as there is an empty file, the Heimdal kerberos libraries will be usable. There is no … … 611 611 </pre><p> 612 612 </p><p> 613 <a class="indexterm" name="id26 07558"></a>614 <a class="indexterm" name="id26 07565"></a>613 <a class="indexterm" name="id2613630"></a> 614 <a class="indexterm" name="id2613637"></a> 615 615 You will need the <a class="ulink" href="http://www.padl.com" target="_top">PADL</a> <code class="literal">nss_ldap</code> 616 616 tool set for this solution. Configure the <code class="filename">/etc/ldap.conf</code> file so it has … … 631 631 </p><p> 632 632 The following procedure may be followed to effect a working configuration: 633 </p><div class="procedure"><ol type="1"><li><p>633 </p><div class="procedure"><ol class="procedure" type="1"><li class="step" title="Step 1"><p> 634 634 Configure the <code class="filename">smb.conf</code> file as shown above. 635 </p></li><li ><p>635 </p></li><li class="step" title="Step 2"><p> 636 636 Create the <code class="filename">/etc/krb5.conf</code> file as shown above. 
637 </p></li><li ><p>637 </p></li><li class="step" title="Step 3"><p> 638 638 Configure the <code class="filename">/etc/nsswitch.conf</code> file as shown above. 639 </p></li><li ><p>639 </p></li><li class="step" title="Step 4"><p> 640 640 Download, build, and install the PADL nss_ldap tool set. Configure the 641 641 <code class="filename">/etc/ldap.conf</code> file as shown above. 642 </p></li><li ><p>642 </p></li><li class="step" title="Step 5"><p> 643 643 Configure an LDAP server and initialize the directory with the top-level entries needed by IDMAP, 644 644 shown in the following LDIF file: … … 660 660 ou: idmap 661 661 </pre><p> 662 </p></li><li ><p>662 </p></li><li class="step" title="Step 6"><p> 663 663 Execute the command to join the Samba DMS to the ADS domain as shown here: 664 664 </p><pre class="screen"> … … 667 667 Joined 'GOODELF' to realm 'SNOWSHOW.COM' 668 668 </pre><p> 669 </p></li><li ><p>669 </p></li><li class="step" title="Step 7"><p> 670 670 Store the LDAP server access password in the Samba <code class="filename">secrets.tdb</code> file as follows: 671 671 </p><pre class="screen"> 672 672 <code class="prompt">root# </code> smbpasswd -w not24get 673 673 </pre><p> 674 </p></li><li ><p>674 </p></li><li class="step" title="Step 8"><p> 675 675 Start the <code class="literal">nmbd</code>, <code class="literal">winbind</code>, and <code class="literal">smbd</code> daemons in the order shown. 676 676 </p></li></ol></div><p> 677 <a class="indexterm" name="id26 07761"></a>677 <a class="indexterm" name="id2613833"></a> 678 678 Follow the diagnositic procedures shown earlier in this chapter to identify success or failure of the join. 679 679 In many cases a failure is indicated by a silent return to the command prompt with no indication of the 680 680 reason for failure. 
681 </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2607774"></a>IDMAP and NSS Using LDAP from ADS with RFC2307bis Schema Extension</h3></div></div></div><p>682 <a class="indexterm" name="id26 07783"></a>683 <a class="indexterm" name="id26 07789"></a>681 </p></div><div class="sect2" title="IDMAP and NSS Using LDAP from ADS with RFC2307bis Schema Extension"><div class="titlepage"><div><div><h3 class="title"><a name="id2613846"></a>IDMAP and NSS Using LDAP from ADS with RFC2307bis Schema Extension</h3></div></div></div><p> 682 <a class="indexterm" name="id2613855"></a> 683 <a class="indexterm" name="id2613861"></a> 684 684 The use of this method is messy. The information provided in the following is for guidance only 685 685 and is very definitely not complete. This method does work; it is used in a number of large sites … … 688 688 An example <code class="filename">smb.conf</code> file is shown in <a class="link" href="idmapper.html#idmaprfc2307" title="Example 14.5. ADS Domain Member Server using RFC2307bis Schema Extension Date via NSS">ADS Domain Member Server using 689 689 RFC2307bis Schema Extension Date via NSS</a>. 690 </p><div class="example"><a name="idmaprfc2307"></a><p class="title"><b>Example 14.5. 
ADS Domain Member Server using RFC2307bis Schema Extension Date via NSS</b></p><div class="example-contents"><table class="simplelist" border="0" summary="Simple list"><tr><td># Global parameters</td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[global]</code></em></td></tr><tr><td><a class="indexterm" name="id2607849"></a><em class="parameter"><code>workgroup = BOBBY</code></em></td></tr><tr><td><a class="indexterm" name="id2607861"></a><em class="parameter"><code>realm = BOBBY.COM</code></em></td></tr><tr><td><a class="indexterm" name="id2607872"></a><em class="parameter"><code>security = ADS</code></em></td></tr><tr><td><a class="indexterm" name="id2607884"></a><em class="parameter"><code>idmap uid = 150000-550000</code></em></td></tr><tr><td><a class="indexterm" name="id2607896"></a><em class="parameter"><code>idmap gid = 150000-550000</code></em></td></tr><tr><td><a class="indexterm" name="id2607907"></a><em class="parameter"><code>template shell = /bin/bash</code></em></td></tr><tr><td><a class="indexterm" name="id2607919"></a><em class="parameter"><code>winbind cache time = 5</code></em></td></tr><tr><td><a class="indexterm" name="id2607931"></a><em class="parameter"><code>winbind use default domain = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2607943"></a><em class="parameter"><code>winbind trusted domains only = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2607956"></a><em class="parameter"><code>winbind nested groups = Yes</code></em></td></tr></table></div></div><br class="example-break"><p>691 <a class="indexterm" name="id26 07971"></a>690 </p><div class="example"><a name="idmaprfc2307"></a><p class="title"><b>Example 14.5. 
ADS Domain Member Server using RFC2307bis Schema Extension Date via NSS</b></p><div class="example-contents"><table border="0" summary="Simple list" class="simplelist"><tr><td># Global parameters</td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[global]</code></em></td></tr><tr><td><a class="indexterm" name="id2613921"></a><em class="parameter"><code>workgroup = BOBBY</code></em></td></tr><tr><td><a class="indexterm" name="id2613933"></a><em class="parameter"><code>realm = BOBBY.COM</code></em></td></tr><tr><td><a class="indexterm" name="id2613944"></a><em class="parameter"><code>security = ADS</code></em></td></tr><tr><td><a class="indexterm" name="id2613956"></a><em class="parameter"><code>idmap uid = 150000-550000</code></em></td></tr><tr><td><a class="indexterm" name="id2613968"></a><em class="parameter"><code>idmap gid = 150000-550000</code></em></td></tr><tr><td><a class="indexterm" name="id2613979"></a><em class="parameter"><code>template shell = /bin/bash</code></em></td></tr><tr><td><a class="indexterm" name="id2613991"></a><em class="parameter"><code>winbind cache time = 5</code></em></td></tr><tr><td><a class="indexterm" name="id2614003"></a><em class="parameter"><code>winbind use default domain = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2614015"></a><em class="parameter"><code>winbind trusted domains only = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2614028"></a><em class="parameter"><code>winbind nested groups = Yes</code></em></td></tr></table></div></div><br class="example-break"><p> 691 <a class="indexterm" name="id2614043"></a> 692 692 The DMS must be joined to the domain using the usual procedure. Additionally, it is necessary 693 693 to build and install the PADL nss_ldap tool set. 
Be sure to build this tool set with the … … 698 698 </pre><p> 699 699 </p><p> 700 <a class="indexterm" name="id26 07991"></a>700 <a class="indexterm" name="id2614063"></a> 701 701 The following <code class="filename">/etc/nsswitch.conf</code> file contents are required: 702 702 </p><pre class="screen"> … … 710 710 </pre><p> 711 711 </p><p> 712 <a class="indexterm" name="id26 08015"></a>713 <a class="indexterm" name="id26 08022"></a>712 <a class="indexterm" name="id2614087"></a> 713 <a class="indexterm" name="id2614094"></a> 714 714 The <code class="filename">/etc/ldap.conf</code> file must be configured also. Refer to the PADL documentation 715 715 and source code for nss_ldap to specific instructions. … … 717 717 The next step involves preparation of the ADS schema. This is briefly discussed in the remaining 718 718 part of this chapter. 719 </p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2608044"></a>IDMAP, Active Directory, and MS Services for UNIX 3.5</h4></div></div></div><p>720 <a class="indexterm" name="id26 08052"></a>719 </p><div class="sect3" title="IDMAP, Active Directory, and MS Services for UNIX 3.5"><div class="titlepage"><div><div><h4 class="title"><a name="id2614116"></a>IDMAP, Active Directory, and MS Services for UNIX 3.5</h4></div></div></div><p> 720 <a class="indexterm" name="id2614124"></a> 721 721 The Microsoft Windows Service for UNIX (SFU) version 3.5 is available for free 722 722 <a class="ulink" href="http://www.microsoft.com/windows/sfu/" target="_top">download</a> 723 723 from the Microsoft Web site. You will need to download this tool and install it following 724 724 Microsoft instructions. 
725 </p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2608071"></a>IDMAP, Active Directory and AD4UNIX</h4></div></div></div><p>725 </p></div><div class="sect3" title="IDMAP, Active Directory and AD4UNIX"><div class="titlepage"><div><div><h4 class="title"><a name="id2614143"></a>IDMAP, Active Directory and AD4UNIX</h4></div></div></div><p> 726 726 Instructions for obtaining and installing the AD4UNIX tool set can be found from the 727 727 <a class="ulink" href="http://www.geekcomix.com/cgi-bin/classnotes/wiki.pl?LDAP01/An_Alternative_Approach" target="_top"> 728 728 Geekcomix</a> Web site. 729 </p></div></div></div><div class="footnotes"><br><hr width="100" align="left"><div class="footnote"><code class="literal"><sup>[<a name="ftn.id26 04377" href="#id2604377" class="literal">4</a>] </sup>DOMINICUS\FJones</code><code class="literal">FRANCISCUS\FJones</code><code class="literal">FJones</code></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="NetCommand.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="optional.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="rights.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 13. Remote and Local Management: The Net Command </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 15. 
User Rights and Privileges</td></tr></table></div></body></html>729 </p></div></div></div><div class="footnotes"><br><hr width="100" align="left"><div class="footnote"><code class="literal"><sup>[<a name="ftn.id2610444" href="#id2610444" class="literal">4</a>] </sup>DOMINICUS\FJones</code><code class="literal">FRANCISCUS\FJones</code><code class="literal">FJones</code></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="NetCommand.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="optional.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="rights.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 13. Remote and Local Management: The Net Command </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 15. User Rights and Privileges</td></tr></table></div></body></html>
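Review bot: every auto-generated anchor in this file is renumbered by the regeneration (the indexterm names id2607461 through id2608052 become id2613533 through id2614124, the sect2 anchor id2607774 for "IDMAP and NSS Using LDAP from ADS with RFC2307bis Schema Extension" becomes id2613846, the sect3 anchors id2608044 and id2608071 become id2614116 and id2614143, and the footnote ftn.id2604377 becomes ftn.id2610444), so any bookmark or external deep link into the previous HTML silently breaks while the visible content is unchanged. The one anchor that survives the rebuild intact is the explicitly named example, `<a name="idmaprfc2307">`, which suggests the fix: give the sect2/sect3 elements and the footnote stable ids in the DocBook source, as the example already has, so that stylesheet upgrades like this one (which otherwise only add `title` attributes and the `class="procedure"` / `class="step"` markup) stop churning the URLs.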
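Review bot: the regenerated output carries forward three wording defects from the unchanged source that should be fixed there before the next rebuild rather than in the HTML: the Example 14.5 title and its link title read "RFC2307bis Schema Extension Date via NSS" where "Data" is meant, step 8's follow-up says "diagnositic procedures" for "diagnostic procedures", and "Refer to the PADL documentation and source code for nss_ldap to specific instructions" should read "for specific instructions".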
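Review bot: step 7 of the procedure, `smbpasswd -w not24get`, hands the LDAP bind password over as a command-line argument, which records it in the root shell history and exposes it to any local user running `ps` for the duration of the command; the text presents this without comment. Since the step is what seeds `secrets.tdb` with the directory credential, the documentation should say that the password is recoverable from history and the process list, that the invocation should be run with history disabled for that shell (or the entry removed afterwards), and that `secrets.tdb` must stay readable by root only because it now holds the LDAP credential in addition to the machine account from the `net ads join` in step 6.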