Feature changed by: Todd R (TheBlackCat)
Feature #308368, revision 3
Title: add winbind idmap feature to "Windows Domain Membership" Yast applet

openSUSE-11.3: Unconfirmed
Priority
Requester: Important

Requested by: Di Pe (dipe)
Partner organization: openSUSE.org

Description:
The "Windows Domain Membership" Yast applet should have a feature that allows winbind to pull the uid/gid information from Active Directory (attributes uidNumber and gidNumber) instead of using a local counter or TDB. Besides uid/gid, the shell (loginShell) and the home directory (unixHomeDirectory) can also be pulled from Active Directory.

A standard smb.conf for a Linux box that is joined to Active Directory via winbind looks like this:

    [global]
        workgroup = XXXXX
        passdb backend = tdbsam
        printing = cups
        printcap name = cups
        printcap cache time = 750
        cups options = raw
        map to guest = Bad User
        include = /etc/samba/dhcp.conf
        logon path = \\%L\profiles\.msprofile
        logon home = \\%L\%U\.9xprofile
        logon drive = P:
        usershare allow guests = No
        security = ADS
        idmap gid = 2000-4999
        idmap uid = 2000-4999
        realm = XXXXX.ORG
        template homedir = /home/%U
        template shell = /bin/bash
        winbind offline logon = yes
        winbind refresh tickets = yes

If winbind has the idmap feature enabled for Active Directory, smb.conf looks like this (tested configuration):

    [global]
        workgroup = XXXXX
        passdb backend = tdbsam
        printing = cups
        printcap name = cups
        printcap cache time = 750
        cups options = raw
        map to guest = Bad User
        include = /etc/samba/dhcp.conf
        logon path = \\%L\profiles\.msprofile
        logon home = \\%L\%U\.9xprofile
        logon drive = P:
        usershare allow guests = No
        security = ADS
        idmap gid = 2000-4999
        idmap uid = 2000-4999
        realm = XXXXX.ORG
        template homedir = /home/%U
        template shell = /bin/bash
        winbind offline logon = yes
        winbind refresh tickets = yes
        ;log level = 3 winbind:5 idmap:5
        winbind enum users = Yes
        winbind enum groups = Yes
        winbind nss info = rfc2307
        winbind use default domain = yes
        ;idmap domains = XXXXX   #not needed in latest samba
        idmap config XXXXX:cache time = 1800
        idmap config XXXXX:range = 5000-65000
        idmap config XXXXX:backend = ad
        idmap config XXXXX:schema_mode = rfc2307
        idmap config XXXXX:default = yes

schema_mode can either be 'sfu' or 'rfc2307'. rfc2307 is known by most administrators as the "Windows 2003 R2" schema. In the future, "Windows 2003 R2 (or newer)" should be the default schema. 'sfu' could be called "Legacy schema (sfu)".

This proposal could even be the default setup, since the unix LDAP attributes in Active Directory are ignored if they are not populated.

Business case (Partner benefit):
openSUSE.org: This feature allows for centralized uid/gid management, which is essential if hundreds or thousands of computers are used in an enterprise network, particularly if NFS and CIFS are used on multiple file servers. (see http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/idmapper.html)

http://www.likewise.com/ seems to offer an enhanced version of this feature, which strongly indicates that there is a certain demand for it.

more details: http://samba.org/~obnox/presentations/sambaXP-2009/sambaxp-2009-talk-obnox-s...

Discussion:
#1: Todd R (theblackcat) (2010-11-15 19:25:49)
This isn't just required for management; the network backup system we use requires that the uid and gid on the computer match the central uid and gid system. This makes it very hard to do backups.

-- 
openSUSE Feature: https://features.opensuse.org/308368
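The tested configuration in the feature description above has to satisfy two constraints that are easy to break when smb.conf is edited by hand: the per-domain range (`idmap config XXXXX:range`) must not overlap the default range given by `idmap uid`/`idmap gid` (Samba requires idmap ranges to be disjoint), and an `ad` backend needs a `schema_mode` of `sfu` or `rfc2307`, matched by `winbind nss info` if shell and home directory are to come from Active Directory as well. The following linter is an added example, not code from the feature request, from Samba or from YaST; it parses the `[global]` section of a constructed smb.conf sample modelled on the tested configuration (domain name `XXXXX` kept as in the request) and reports those problems. It also understands the newer `idmap config * : range` spelling, so the `*` default domain is checked against named domains the same way.

```python
"""Lint the idmap settings of an smb.conf for an AD-joined winbind host.

Added example (not Samba/YaST code). Checks:
  * every "idmap config DOM:range" is disjoint from "idmap uid"/"idmap gid"
    and from the ranges of other domains (Samba requires non-overlapping ranges);
  * "backend = ad" has a schema_mode of "sfu" or "rfc2307";
  * "winbind nss info" matches that schema, otherwise loginShell and
    unixHomeDirectory are not read from AD (warning only: uid/gid still are).
"""
import re
from typing import Dict, List, Tuple

# Constructed sample, modelled on the tested configuration in the request.
SAMPLE_SMB_CONF = """\
[global]
    workgroup = XXXXX
    security = ADS
    realm = XXXXX.ORG
    idmap gid = 2000-4999
    idmap uid = 2000-4999
    template homedir = /home/%U
    template shell = /bin/bash
    ;log level = 3 winbind:5 idmap:5
    winbind nss info = rfc2307
    ;idmap domains = XXXXX   #not needed in latest samba
    idmap config XXXXX:cache time = 1800
    idmap config XXXXX:range = 5000-65000
    idmap config XXXXX:backend = ad
    idmap config XXXXX:schema_mode = rfc2307
"""

Range = Tuple[int, int]


def parse_global(text: str) -> Dict[str, str]:
    """Return key/value pairs of [global]; keys are whitespace-normalised and
    lower-cased, except that the domain part of 'idmap config DOM:opt' keeps its case."""
    params: Dict[str, str] = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":           # smb.conf comment lines
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "global" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        norm = " ".join(key.split())
        m = re.fullmatch(r"(?i)idmap config ([^:]+):\s*(.+)", norm)
        if m:   # handles both "DOM:range" and the newer "* : range" spelling
            norm = f"idmap config {m.group(1).strip()}:{m.group(2).strip().lower()}"
        else:
            norm = norm.lower()
        params[norm] = value.strip()
    return params


def parse_range(value: str) -> Range:
    m = re.fullmatch(r"(\d+)\s*-\s*(\d+)", value.strip())
    if not m or int(m.group(1)) > int(m.group(2)):
        raise ValueError(f"malformed idmap range {value!r}")
    return int(m.group(1)), int(m.group(2))


def overlaps(a: Range, b: Range) -> bool:
    return a[0] <= b[1] and b[0] <= a[1]


def check_idmap(params: Dict[str, str]) -> List[str]:
    findings: List[str] = []
    # Default/allocation range, Samba 3.x style ("idmap uid"/"idmap gid" normally coincide).
    default_ranges = {k: parse_range(params[k]) for k in ("idmap uid", "idmap gid") if k in params}
    domains: Dict[str, Dict[str, str]] = {}
    for key, value in params.items():
        m = re.fullmatch(r"idmap config ([^:]+):(.+)", key)
        if m:
            domains.setdefault(m.group(1), {})[m.group(2)] = value
    nss_info = params.get("winbind nss info", "template").lower()   # Samba default is "template"
    domain_ranges: Dict[str, Range] = {}
    for dom, opts in domains.items():
        if "range" in opts:
            domain_ranges[dom] = parse_range(opts["range"])
        else:
            findings.append(f"error: idmap config {dom}: no range set")
        if opts.get("backend", "").lower() == "ad":
            mode = opts.get("schema_mode", "").lower()
            if mode not in ("sfu", "rfc2307"):
                findings.append(f"error: idmap config {dom}: backend ad needs schema_mode sfu or rfc2307, got {mode!r}")
            elif nss_info != mode:
                findings.append(f"warning: winbind nss info = {nss_info}: shell/home dir will not be taken from AD ({mode})")
    for dom, rng in domain_ranges.items():
        for name, drng in default_ranges.items():
            if overlaps(rng, drng):
                findings.append(f"error: idmap config {dom}:range {rng} overlaps {name} {drng}")
    names = sorted(domain_ranges)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if overlaps(domain_ranges[a], domain_ranges[b]):
                findings.append(f"error: idmap ranges of {a} and {b} overlap")
    return findings


def lint(text: str) -> List[str]:
    return check_idmap(parse_global(text))


if __name__ == "__main__":
    for line in lint(SAMPLE_SMB_CONF) or ["ok: idmap configuration is consistent"]:
        print(line)
```

To run it against a live host, feed it the normalised output of `testparm -s` rather than the raw file, so that `include = /etc/samba/dhcp.conf` and any other included fragments are already merged in.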