public inbox for gentoo-server@lists.gentoo.org
From: Brian Kroth <bpkroth@gmail.com>
To: "Vinícius Ferrão" <viniciusferrao@cc.if.ufrj.br>
Cc: "gentoo-server@lists.gentoo.org" <gentoo-server@lists.gentoo.org>,
	gregorcy <gregorcy@eng.utah.edu>
Subject: Re: [gentoo-server] Complete migration from Scientific Linux with new features (Samba+AD/Winbind)
Date: Mon, 31 Oct 2011 10:01:22 -0500	[thread overview]
Message-ID: <20111031150119.GH11848@gmail.com> (raw)
In-Reply-To: <97609D8B-333D-4519-A4AB-B781149963B0@cc.if.ufrj.br>


Vinícius Ferrão <viniciusferrao@cc.if.ufrj.br> 2011-10-30 18:48:
> Hello Brian,
>
> Can you give me some advice on how to implement this? I haven't installed UNIX Services for Windows. UID and GID are mapped through SAMBA at this moment.

I don't even think that that's necessary anymore (though I haven't dealt 
with it personally in a while).  My understanding was that the R2 
version of Windows Server's AD schema just included the uidNumber, 
gidNumber, homeDirectory, loginShell, etc. attributes in AD's ldap.  You 
could manage them through another tab on the user/group object 
properties in mmc.

Past that it wasn't any more difficult than pointing your Linux hosts at 
any other ldap.  I think the only catch was that AD wants a proxy 
user to bind as in order to do the searches.

Brian

> On 30/10/2011, at 17:55, Brian Kroth <bpkroth@gmail.com> wrote:
>
>> gregorcy <gregorcy@eng.utah.edu> 2011-10-29 10:52:
>>>    What's missing: OpenLDAP replication from AD? Is this possible? Is this
>>>    needed? Since I want other machines (running Linux) to authenticate, it
>>>    would be a good idea for only ONE machine to get information from AD and
>>>    everyone else to authenticate natively on this Gentoo machine.
>>>
>>>  No this is not needed.  If you are in a mixed environment (I think) it
>>>  is much easier to just use AD as the one directory service and join all
>>>  your linux boxes to it.  As long as your idmap ranges match your users
>>>  will have the same uid on all boxes.
>>
>> I agree with this except for the need to "join all your linux boxes".  AD is really just ldap+kerberos.  Most of the time you don't need the headache of kerberos and can just use the ldap component.  Modern AD schemas include all of the necessary attribute support for having Linux clients talk to it directly for uid/gid mapping, which is much nicer since it avoids the complexity of any samba requirements when you don't need them (e.g. mail, web, etc.).
>>
>> Brian
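As an added illustration of the "just use the ldap component" approach discussed above (example code, not from anyone in this thread): a Linux-side lookup that sends a properly escaped sAMAccountName filter through the proxy bind, then turns AD's uidNumber, gidNumber, unixHomeDirectory and loginShell attributes into a passwd entry, refusing accounts with no POSIX attributes or with a uid outside the host's idmap range. The directory search is a stand-in over constructed sample entries so it runs offline; the uid range and attribute set are assumptions.

```python
from typing import Optional

# Constructed sample of what a subtree search returns for user objects once the
# R2 schema's POSIX attributes are filled in (python-ldap's search_s shape:
# a dict of attribute name -> list of bytes). Not data from the thread.
SAMPLE_DIRECTORY = [
    {"sAMAccountName": [b"alice"], "uidNumber": [b"10001"], "gidNumber": [b"10000"],
     "unixHomeDirectory": [b"/home/alice"], "loginShell": [b"/bin/bash"]},
    # uidNumber below the range this host uses: refuse it rather than collide
    {"sAMAccountName": [b"bob"], "uidNumber": [b"5"], "gidNumber": [b"10000"],
     "unixHomeDirectory": [b"/home/bob"], "loginShell": [b"/bin/bash"]},
    # ordinary Windows account with no POSIX attributes populated at all
    {"sAMAccountName": [b"svc"]},
]

# Assumed idmap range; every Linux host must use the same one for uids to agree.
UID_MIN, UID_MAX = 10000, 19999


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping so a login name cannot change the shape of the filter."""
    return "".join("\\%02x" % ord(c) if c in '*()\\\x00' else c for c in value)


def user_filter(login: str) -> str:
    """Filter the Linux host sends via the proxy bind user to find one user."""
    return f"(&(objectClass=user)(sAMAccountName={escape_filter_value(login)}))"


def ad_search(filt: str) -> list:
    """Stand-in for conn.search_s(base, SUBTREE, filt, attrs) on the sample data."""
    return [e for e in SAMPLE_DIRECTORY
            if user_filter(e["sAMAccountName"][0].decode()) == filt]


def passwd_entry(login: str) -> Optional[str]:
    """Return the passwd(5) line for login, or None if AD has no usable POSIX data."""
    hits = ad_search(user_filter(login))
    if len(hits) != 1:
        return None
    e = hits[0]
    try:
        uid, gid = int(e["uidNumber"][0]), int(e["gidNumber"][0])
        # AD names the RFC2307 home unixHomeDirectory; homeDirectory is the Windows one
        home, shell = e["unixHomeDirectory"][0].decode(), e["loginShell"][0].decode()
    except (KeyError, ValueError):
        return None  # account exists in AD but is not a Unix user
    if not UID_MIN <= uid <= UID_MAX:
        return None  # outside the trusted idmap range: do not map it
    return f"{login}:x:{uid}:{gid}::{home}:{shell}"
```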



