From e19d9787c669c16e33c099f566e0b17b386ed77f Mon Sep 17 00:00:00 2001 From: John Terpstra Date: Fri, 27 May 2005 23:07:33 +0000 Subject: [PATCH] Progress update. --- docs/Samba-Guide/SBE-AddingUNIXClients.xml | 148 +++++++++++------------------ 1 file changed, 55 insertions(+), 93 deletions(-) diff --git a/docs/Samba-Guide/SBE-AddingUNIXClients.xml b/docs/Samba-Guide/SBE-AddingUNIXClients.xml index 646e0ecd20d..0135be8a264 100644 --- a/docs/Samba-Guide/SBE-AddingUNIXClients.xml +++ b/docs/Samba-Guide/SBE-AddingUNIXClients.xml @@ -78,9 +78,8 @@ Dissection and Discussion - - winbind - + + winbind Recent Samba mailing-list activity is witness to how many sites are using winbind. Some have no trouble at all with it, yet to others the problems seem insurmountable. Periodically there are complaints concerning an inability to achieve identical user and group IDs between Windows and UNIX environments. 
@@ -101,42 +100,29 @@ the immediate technical problem, but also can understand how needs may change. - - integrate - + + integrate There are a few facts we should note when dealing with the question of how best to integrate UNIX/Linux clients and servers into a Windows networking environment: - - Domain Controller - - authoritative - - accounts - authoritative - - PDC - - BDC - + + Domain Controller + authoritative + accountsauthoritative + PDC + BDC A domain controller (PDC or BDC) is always authoritative for all accounts in its Domain. This means that a BDC must (of necessity) be able to resolve all account UIDs and GIDs to the same values that the PDC resolved them to. - - local accounts - - Domain Member - authoritative - local accounts - - Domain accounts - - winbindd - + + local accounts + Domain Memberauthoritativelocal accounts + Domain accounts + winbindd A domain member can be authoritative for local accounts, but is never authoritative for domain accounts. If a user is accessing a domain member server and that user's account is not known locally, the domain member server must resolve the identity of that user 
@@ -147,45 +133,34 @@ Samba, when running on a domain member server, can resolve user identities from a number of sources: + - - getpwnam - - getgrnam - - NSS - - LDAP - - NIS - + + getpwnam + getgrnam + NSS + LDAP + NIS By executing a system getpwnam() or getgrnam() call. On systems that support it, this utilizes the name service switch (NSS) facility to resolve names according to the configuration of the /etc/nsswitch.conf file. NSS can be configured to use LDAP, winbind, NIS, or local files. - - passdb backend - - PADL - - nss_ldap - + + passdb backend + PADL + nss_ldap Performing, via NSS, a direct LDAP search (where an LDAP passdb backend has been configured). This requires the use of the PADL nss_ldap tool (or equivalent). - - winbindd - - SID - - winbindd_idmap.tdb - - winbindd_cache.tdb - + + winbindd + SID + winbindd_idmap.tdb + winbindd_cache.tdb Directly by querying winbindd. The winbindd contacts a domain controller to attempt to resolve the identity of the user or group. It receives the Windows networking security identifier (SID) for that appropriate @@ -194,18 +169,14 @@ winbindd_cache.tdb files. - - idmap backend - - mapping - - If the parameter - ldap:ldap://myserver.domain + + idmap backend + mapping + If the parameter ldap:ldap://myserver.domain was specified and the LDAP server has been configured with a container in which it may store the IDMAP entries, all domain members may share a common mapping. - Irrespective of how &smb.conf; is configured, winbind creates and caches a local copy of 
@@ -465,36 +436,27 @@ All accounts in /etc/passwd or in /etc/group. - - NSS - - compat - - ldap - - nis - - nisplus - - hesiod - - ldap - - nss_ldap - - PADL Software - + + NSS + compat + ldap + nis + nisplus + hesiod + ldap + nss_ldap + PADL Software Resolution via NSS. On NSS-enabled systems, there is usually a facility to resolve IDs - via multiple methods. The methods typically include files, compat, db, ldap, - nis, nisplus, hesiod. When correctly installed, Samba adds to this list - the winbindd facility. The ldap facility is frequently the nss_ldap - tool provided by PADL Software. + via multiple methods. The methods typically include files, + compat, db, ldap, + nis, nisplus, hesiod. When + correctly installed, Samba adds to this list the winbindd facility. + The ldap facility is frequently the nss_ldap tool provided by PADL Software. - - Identity resolution - + + Identity resolution The diagram in demonstrates the relationship of Samba and system components that are involved in the identity resolution process where Samba is used as a domain member server within a Samba domain control network. @@ -719,7 +681,7 @@ Join to 'MEGANET2' failed. -Samba Domain Member in Samba Domain Control Context &smbmdash; &smb.conf; File +Samba Domain Member in Samba Domain Using LDAP &smbmdash; &smb.conf; File Global parameters LOCALE @@ -1018,7 +980,7 @@ MEGANET2+PIOps:x:10005: -Samba Domain Member Server &smb.conf; File for NT4 Domain +Samba Domain Member Server Using Winbind &smb.conf; File for NT4 Domain Global parameters LOCALE @@ -1110,7 +1072,7 @@ Joined domain MEGANET2. -Samba Domain Member Server &smb.conf; File for NT4 Domain +Samba Domain Member Server Using Local Accounts &smb.conf; File for NT4 Domain Global parameters LOCALE -- 2.11.4.GIT
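Review bot: in the @@ -101 hunk, collapsing the multi-line index entries onto single lines has left `accountsauthoritative` and `Domain Memberauthoritativelocal accounts` with no visible boundary between the primary and secondary terms; double-check that the element boundaries between those terms survived the reflow, since a collapse like this is exactly where a closing tag gets dropped and the index ends up with one fused entry.

Review bot: in the @@ -147 hunk, the rewrapped sentence now reads "If the parameter ldap:ldap://myserver.domain was specified", which gives the value but never names the option being set; the index entry directly above is `idmap backend`, so the sentence should carry that option name before the value, for example "If the idmap backend parameter was set to ldap:ldap://myserver.domain ...". The lone blank `+` line added right after "sources:" also looks like stray whitespace rather than intentional spacing.

Review bot: in the @@ -465 hunk, the rewritten NSS index block lists `ldap` twice (once before `nis` and again after `hesiod`), which will yield a duplicate index entry; drop one of them. The prose rewrap of the methods list is otherwise fine.

Review bot: in the @@ -1018 and @@ -1110 hunks, the two previously identical example titles are now distinguished, which is the right fix, but the resulting "Samba Domain Member Server Using Winbind &smb.conf; File for NT4 Domain" and "... Using Local Accounts &smb.conf; File ..." read as if the qualifier modifies the file; the @@ -719 hunk separates the qualifier from the file name with `&smbmdash;`, so for consistency use the same form here, e.g. "Samba Domain Member Server Using Winbind &smbmdash; &smb.conf; File for NT4 Domain".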