Bug 1759 - Samba and SFU
Samba and SFU
Status: CLOSED LATER
Product: Samba 3.0
Classification: Unclassified
Component: winbind
3.0.7
All All
: P3 enhancement
: none
Assigned To: Samba Bugzilla Account
Samba QA Contact
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2004-09-14 11:32 UTC by Thomas Mullaly
Modified: 2005-07-04 04:36 UTC (History)
1 user (show)

See Also:


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Thomas Mullaly 2004-09-14 11:32:44 UTC
Hi this is a feature request, 

I was wondering if you could add support for Microsoft's SFU schema changes.  

I'm running smaba in ADS mode.  It works great, you've done a wonderfull job, 
but there's one more thing I need.  I am looking for a way to keep the UID's 
and GID's the same on every samba machine.  I tried using the LDAP write back 
way (using an OU called IDmap) but it hasn't worked for me.  I'm running 
Active Directory 2003.  

Anyway, my point is that it would be nice if their were a config entry that I 
could add to smb.conf that I could specifiy where the uid and gid come from.  
Being that when I installed Microsoft's Services for Unix, it made the schema 
changes to include uid, gid, home directory, and shell.  Since my users 
already have the schema entries needed, I wish I could just tell winbind to 
look for a specific attribute in in the schema.

Is this something you would consider including?
Comment 1 Buchan Milne 2004-09-29 00:08:21 UTC
1)idmap_ldap works (at least against openldap). Since the most common reason for
wanting to have consistent uid's/gid's between winbind machines is the use of
NFS, setting up openldap for idmap should not be excessive ....

2)If you have SFU, you can do authentication to AD without winbind (assuming
your current winbind clients are not serving files or printers to windows
clients), using Kerberos and LDAP.

3)PADL has a plugin which apparently does what you want, you can find it in
xad_oss_plugins on http://www.padl.com/download/
Comment 2 Thomas Mullaly 2004-09-29 07:30:56 UTC
I'll take that as a "NO"

Comment 3 Guenther Deschner 2004-09-29 08:13:38 UTC
Dont be disappointed too fast :)

I have an (yet unfinished patch) that makes some changes to PADL's
idmap_ad-Plugin and integrates SFU-Accounts better into the
winbindd-architecture (honoring homepath, uidNumbers, etc.).

Once I'll finish it...
Comment 4 Gerald (Jerry) Carter 2005-02-17 09:42:48 UTC
guether's pet project :-)  CLosing out as later.
Comment 5 Guenther Deschner 2005-07-04 04:36:13 UTC
Fixed in latest subversion.

Could you please try "winbind enable sfu = yes" 
to let winbindd in "security = ads" retrieve homedir and loginshell from ADS.

(Note that the parameter name will change in the next release, so watch the
WHATSNEW.TXT-file).

If you also want to retrieve uid and gid from ADS then use 
"idmap backend = ad" in addition.

Please let us know if that works for you