[OpenIndiana-discuss] ActiveDirectory UID mapping (netatalk)

Jim Klimov jimklimov at cos.ru
Tue Aug 14 11:48:54 UTC 2012


I am not sure if all of my comment is true and valid, but *I think*
that SAMBA is designed as a more interoperable piece of software -
being a userland program, it is more extensible. And likely it can
implement what you desire from an OpenSolaris server in a more
consistent and comfortable way than kernel CIFS. I am not trying
to argue for one or another, each has its benefits and quirks...

So here goes:

I think you can add programmatic (scripted) hooks to register new
users on the fileserver, i.e. by virtue of them accessing their
homes, which don't exist at the moment, but the login attempt
(to MSAD via KRB/NTLM integration) succeeds - which, if it works,
would give you static individual unique POSIX UIDs. It is up to
you (and your PAM modules) where that info would be stored:
in the local FS (/etc/passwd, /etc/smbpasswd), or in some LDAP
service or another database.

I've also read that SAMBA has a module and settings to enable
support of ZFS/NFSv4 ACLs, so you don't lose much on this front.
If I read those pages correctly, these are the same ACLs stored
on the ZFS pool, so they migrate along to a failover server -
if that's what you implied.

Also SAMBA does enable your shared hierarchical datasets to seem
like a single share, while it is tricky (not implemented) with
many published versions of kernel CIFS server (each FS ID is
published separately, and automatic submounts are not offered).
I recall there were some works on remedying this. There are
several generations of Samba modules for Shadow-Copies support
with ZFS snapshots.

For various tricks (and bugs) with Samba and ZFS integration see
for example
http://www.edplese.com/samba-with-zfs.html
https://bugzilla.samba.org/show_bug.cgi?id=8467
...and google around for particular direct questions ;)

It is also possible to hook other integratable software to SAMBA
shares (like virus-scanners, document format converters and stuff)
while it may be more tricky with kernel CIFS (there are provisions
for virus-scanning, but I haven't seen much more).

For the deployments I've seen, where control over the corporate
directory is available (or both AD and LDAP are provided and
synchronized), the kernel CIFS was sufficient. I am not sure
how much it is abused in terms of all available functionality,
but it did not hit the limitations so badly that those people
would need to go back to Samba. YMMV ;)

HTH,
//Jim Klimov

2012-08-13 21:11, Günther Alka writes:
> with SAMBA and winbind you may lose:
>
> - snaps via Windows previous version
> - Windows compatible ntfs4 ACL (only Posix ACL ?)
> - SMB as a ZFS property
> - interoperability with NFS4
> - movable pools that keep ACL intact
> - performance, kernel based CIFS server is mostly faster
> - CIFS is managed by Illumos, not a third party product that cares mostly about Linux
> - napp-it integration
>
> From Windows and interoperability view CIFS is much better.
> A minimal solution may be using at least the UID/GID provided by idmap for
> already created AD users, optionally add a SID->UID/GID entry in this database.
>
> In this case, you do not write proper ACL but use at least the same UID/GID like CIFS
> I have not tried if CIFS is using the proper SID via idmap when there is only a UID/GID entry in files.
