IDMAP Storage in LDAP Using Winbind
The storage of IDMAP information in LDAP can be used with both NT4/Samba-3-style domains and
ADS domains. OpenLDAP is a commonly used LDAP server for this purpose, although any
standards-complying LDAP server can be used. It is therefore possible to deploy this IDMAP
configuration using the Sun iPlanet LDAP server, Novell eDirectory, Microsoft ADS plus ADAM,
and so on.
An example for an ADS domain is shown in ADS Domain Member Server using LDAP.
Example 13.4. ADS Domain Member Server using LDAP
# Global parameters
[global]
workgroup = SNOWSHOW
netbios name = GOODELF
realm = SNOWSHOW.COM
server string = Samba Server
security = ADS
log level = 1 ads:10 auth:10 sam:10 rpc:10
ldap admin dn = cn=Manager,dc=SNOWSHOW,dc=COM
ldap idmap suffix = ou=Idmap
ldap suffix = dc=SNOWSHOW,dc=COM
idmap backend = ldap:ldap://ldap.snowshow.com
idmap uid = 150000-550000
idmap gid = 150000-550000
template shell = /bin/bash
winbind use default domain = Yes
In the case of an NT4 or Samba-3-style domain the realm is not used, and the command used to join the domain is net rpc join. The above example also demonstrates advanced error-reporting techniques that are documented in Reporting Bugs.
Where MIT Kerberos is installed (version 1.3.4 or later), edit the /etc/krb5.conf file so it has the following contents:
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = SNOWSHOW.COM
dns_lookup_realm = false
dns_lookup_kdc = true
[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}
Where Heimdal Kerberos is installed, edit the /etc/krb5.conf file so it is either empty (i.e., has no contents) or has the following contents:
[libdefaults]
default_realm = SNOWSHOW.COM
clockskew = 300
[realms]
SNOWSHOW.COM = {
kdc = ADSDC.SNOWSHOW.COM
}
[domain_realm]
.snowshow.com = SNOWSHOW.COM
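As an added example (not code from the Samba documentation or project), the following Python check reads the smb.conf keys shown above together with the krb5.conf realm, derives the full idmap base DN (ldap idmap suffix is relative to ldap suffix) and flags the misconfigurations that matter for this setup: idmap uid/gid ranges that are malformed or low enough to collide with local accounts, a realm that differs from the Kerberos default_realm, and an ldap admin dn outside the ldap suffix. The sample configuration text and the 65535 local-id ceiling are constructed assumptions.

```python
import re
# Constructed sample: the smb.conf keys this check reads, plus the krb5.conf realm.
SMB_CONF = """
[global]
    realm = SNOWSHOW.COM
    security = ADS
    ldap admin dn = cn=Manager,dc=SNOWSHOW,dc=COM
    ldap idmap suffix = ou=Idmap
    ldap suffix = dc=SNOWSHOW,dc=COM
    idmap uid = 150000-550000
    idmap gid = 150000-550000
"""
KRB5_CONF = """
[libdefaults]
    default_realm = SNOWSHOW.COM
"""
def parse_conf(text):
    conf, section = {}, None  # {section: {key: value}}, keys lower-cased
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            conf.setdefault(section, {})
        elif "=" in line and section is not None:  # brace-only lines in krb5.conf are skipped
            key, _, value = line.partition("=")
            conf[section][key.strip().lower()] = value.strip()
    return conf
def parse_range(spec):
    m = re.fullmatch(r"(\d+)\s*-\s*(\d+)", spec.strip())
    return (int(m.group(1)), int(m.group(2))) if m else None
def check_idmap(smb_text, krb5_text, local_id_max=65535):
    """Return (idmap base DN, findings); an empty findings list means all checks passed."""
    g = parse_conf(smb_text).get("global", {})
    realm = parse_conf(krb5_text).get("libdefaults", {}).get("default_realm", "")
    findings = []
    for key in ("idmap uid", "idmap gid"):  # allocated ids must sit above local accounts
        rng = parse_range(g.get(key, ""))
        if rng is None or rng[0] >= rng[1]:
            findings.append(f"{key}: range missing or not low-high")
        elif rng[0] <= local_id_max:
            findings.append(f"{key}: overlaps local ids <= {local_id_max}")
    if g.get("security", "").upper() == "ADS" and g.get("realm", "").upper() != realm.upper():
        findings.append("realm differs from krb5.conf default_realm")
    suffix = g.get("ldap suffix", "")
    if not g.get("ldap admin dn", "").lower().endswith(suffix.lower()):
        findings.append("ldap admin dn is outside ldap suffix")
    idmap_dn = f"{g.get('ldap idmap suffix', '')},{suffix}" if suffix else ""
    return idmap_dn, findings
```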