I'm planning on migrating a few of our Linux servers to use AD authentication via SAMBA/Winbind. Operating system will be openSUSE 11.3 x64. Our AD environment does not have UNIX extensions installed.
I've set up a server from scratch and it seems to be working great. openSUSE's installer did a great job of feeling out AD and setting all of the necessary configuration files. I did, however, set a few Winbind options myself. My working config:
```ini
[global]
workgroup = DOMAIN
passdb backend = tdbsam
map to guest = Bad User
include = /etc/samba/dhcp.conf
usershare allow guests = No
idmap gid = 10000-20000
idmap uid = 10000-20000
realm = DOMAIN.INST.ORG
security = ADS
template homedir = /home/%D/%U
template shell = /bin/bash
winbind offline logon = yes
winbind refresh tickets = yes
winbind use default domain = yes
wins support = No
```
Everything works. I can log in via my AD account either from the console or via SSH. I can also connect to my home directory via SAMBA using my AD credentials (I left the [homes] directive out).
I do have a few questions:
- By default, winbind & samba store their configuration in TDB files. I notice there's an option to use an LDAP backend. Is it worth the trouble to set up for a few servers?
- What are best practices for backing up & restoring the TDB files? I notice the tdbbackup command. Should I cron it? Use a different backup method?
- I notice UID/GID's are generated on a first-come/first-serve basis. I remember testing this before, a year or so ago, & my UID was some really large number like 1983745637. Why the difference? Any best practices for managing this type of UID/GID assignment? I do not plan on using NFS, but it would be nice to have UID/GID's the same across systems just in case, though it's not a dealbreaker if I can't.
I'd like to get some firsthand experience from sysadmins who have supported or are currently supporting similar setups. What should I look out for? What other best practices should I follow?
Also, I have evaluated Likewise and found that it didn't seem to like our environment very much. I would get long delays with logins & could not get it integrated with SAMBA. This setup works a lot better.
Thanks in advance...
Really, everything you have asked here and more can be answered by reading The Official Samba HOWTO and Reference Guide. It seems that most admins are not aware of its existence, but once they get ahold of it, most of the issues/mysteries/questions regarding Samba installs will simply be resolved. If there was a sage piece of advice I'd give to the Samba team, it would be to promote the HOWTO more often in public.
That being said, I'll try to give what little knowledge I have to you.
Define a few. If by few you mean less than 5-7, then TDB files are fine, but require a bit of TLC. If you're running an organization with 10's or 100's of servers, LDAP will save your sanity. DISCLAIMER: I've only had to run 2-3 Samba installations at a time, so I've not tried the LDAP-mapping setup.
As mentioned elsewhere, you can use tdbbackup when using a TDB back-end. Note that future Samba versions will change, as I believe they are looking at a different storage method in Samba 4. Using a cron job once a day probably wouldn't hurt, although you'll want to script it carefully to shut off and re-enable services before and after the script runs.
Go back and check your settings for idmap gid and idmap uid on that installation. There were some vendor-supplied smb.conf files in the past that had weird mappings like that. For a stand-alone server, it wouldn't matter, because there is no real concern over sync'ing IDs. For an Active Directory setup, you'll want to stick to what is mapped via AD. For an LDAP setup, I believe there is a way you can manually specify the user ID.
If you really need this, I would look hard at manually mapping the users, which you can do by adding them one at a time, or look at using the LDAP backend. See the HOWTO for more info on it.
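The cron-driven tdbbackup routine the answer describes, written out as an added example (not code from the thread): the daemons are stopped so the TDB files are quiescent, each file is copied with tdbbackup, and a trap restarts the daemons even if a copy fails. The init-script names under /etc/init.d (winbind, smb, nmb) and the /var/lib/samba TDB directory are assumptions to adjust for your system.

```shell
#!/bin/sh
# Added example, not from the original thread: a cron-able backup of the
# Samba/Winbind TDB files. Daemons are stopped first, tdbbackup copies each
# file, and an EXIT trap restarts the daemons even if a copy fails.
# Assumptions: openSUSE-style init scripts in /etc/init.d (smb, nmb, winbind)
# and TDBs under /var/lib/samba; both are placeholders to adjust.
set -eu

TDB_DIR=${TDB_DIR:-/var/lib/samba}
BACKUP_ROOT=${BACKUP_ROOT:-/var/backups/samba}
STOP_ORDER="winbind smb nmb"     # stop the consumers before the providers
START_ORDER="nmb smb winbind"

# Print the .tdb files directly under a directory, sorted, one per line.
tdb_files_in() {
    find "$1" -maxdepth 1 -type f -name '*.tdb' | sort
}

# Run tdbbackup on every TDB in $1 and move the resulting .bak copies into $2.
# Returns non-zero if any file could not be backed up; live files are untouched.
backup_tdbs() {
    src=$1; dst=$2; failed=0
    mkdir -p "$dst"
    for f in $(tdb_files_in "$src"); do   # TDB names never contain spaces
        # tdbbackup writes a consistent copy as $f.bak next to the original
        if tdbbackup -s .bak "$f"; then
            mv "$f.bak" "$dst/$(basename "$f").bak"
        else
            echo "backup failed: $f" >&2; failed=1
        fi
    done
    return $failed
}

# $1 = stop|start, $2 = space-separated service list in the order to apply.
for_each_service() { for s in $2; do "/etc/init.d/$s" "$1"; done; }

# Full run: stop daemons, back up into a dated directory, always restart.
tdb_backup_main() {
    dst="$BACKUP_ROOT/$(date +%Y%m%d-%H%M%S)"
    for_each_service stop "$STOP_ORDER"
    trap 'for_each_service start "$START_ORDER"' EXIT
    backup_tdbs "$TDB_DIR" "$dst"
}

# The daemon-stopping path only runs when cron invokes this with TDB_BACKUP_RUN=1.
if [ "${TDB_BACKUP_RUN:-0}" = 1 ]; then
    tdb_backup_main
fi
```

A crontab line such as `30 3 * * * TDB_BACKUP_RUN=1 /usr/local/sbin/tdb-backup.sh` runs it nightly; prune old dated directories separately.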