I'm planning on migrating a few of our Linux servers to use AD authentication via SAMBA/Winbind. Operating system will be openSUSE 11.3 x64. Our AD environment does not have UNIX extensions installed.
I've set up a server from scratch and it seems to be working great. openSUSE's installer did a great job of feeling out AD and setting all of the necessary configuration files. I did, however, set a few Winbind options myself. My working config:
[global]
workgroup = DOMAIN
passdb backend = tdbsam
map to guest = Bad User
include = /etc/samba/dhcp.conf
usershare allow guests = No
idmap gid = 10000-20000
idmap uid = 10000-20000
realm = DOMAIN.INST.ORG
security = ADS
template homedir = /home/%D/%U
template shell = /bin/bash
winbind offline logon = yes
winbind refresh tickets = yes
winbind use default domain = yes
wins support = No
Everything works. I can log in via my AD account either from the console or via SSH. I can also connect to my home directory via SAMBA using my AD credentials (I left the [homes] directive out).
I do have a few questions:
- By default, winbind & samba store their configuration in TDB files. I notice there's an option to use an LDAP backend. Is it worth the trouble to set up for a few servers?
- What are best practices for backing up & restoring the TDB files? I notice the tdbbackup command. Should I cron it? Use a different backup method?
- I notice UIDs/GIDs are generated on a first-come/first-served basis. I remember testing this a year or so ago & my UID was some really large number like 1983745637. Why the difference? Any best practices for managing this type of UID/GID assignment? I do not plan on using NFS, but it would be nice to have UIDs/GIDs the same across systems just in case, though it's not a dealbreaker if I can't.
I'd like to get some firsthand experience from sysadmins who have supported or are currently supporting similar setups. What should I look out for? What other best practices should I follow?
Also, I have evaluated Likewise and found that it didn't seem to like our environment very much. I would get long delays with logins & could not get it integrated with SAMBA. This setup works a lot better.
Thanks in advance...
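One check worth running before rolling the idmap range in the question out to more servers: make sure no local account in /etc/passwd already sits inside the range winbind will allocate from, since domain users mapped into that range would then share UIDs with local users. The script below is an added example, not part of the question or of Samba; it parses the [global] section shown above (constructed excerpt), reads the `idmap uid`/`idmap gid` ranges (or the single `idmap config * : range` key that newer Samba releases use instead), and reports overlapping local accounts from a constructed /etc/passwd sample.

```python
import re

# Constructed excerpt of the [global] section from the question (not the full file)
SMB_CONF = """[global]
workgroup = DOMAIN
idmap gid = 10000-20000
idmap uid = 10000-20000
"""

# Constructed /etc/passwd sample; 'legacyapp' is a hypothetical local account
PASSWD = """root:x:0:0:root:/root:/bin/bash
legacyapp:x:10500:100:App account:/srv/app:/bin/false
"""

def parse_global(conf):
    """[global] parameters as {name: value}; names normalised the way Samba does."""
    params, in_global = {}, False
    for line in (l.strip() for l in conf.splitlines()):
        if not line or line[0] in "#;":
            continue
        if line.startswith("["):
            in_global = line.lower() == "[global]"
        elif in_global and "=" in line:
            key, value = line.split("=", 1)
            key = re.sub(r"\s*:\s*", " : ", re.sub(r"\s+", " ", key.strip().lower()))
            params[key] = value.strip()
    return params

def idmap_ranges(params):
    """((uid_lo, uid_hi), (gid_lo, gid_hi)) from 'idmap uid'/'idmap gid' (Samba 3.x,
    as in the question) or the single 'idmap config * : range' of newer releases."""
    def span(text):
        lo, hi = re.fullmatch(r"(\d+)-(\d+)", text.replace(" ", "")).groups()
        return int(lo), int(hi)
    if "idmap config * : range" in params:
        return (span(params["idmap config * : range"]),) * 2
    return span(params["idmap uid"]), span(params["idmap gid"])

def check_idmap(conf, passwd):
    """List local accounts whose UID already sits inside the range that
    winbind allocates to domain users, plus an empty-range error if any."""
    (lo, hi), _gid = idmap_ranges(parse_global(conf))
    problems = [f"idmap uid range {lo}-{hi} is empty"] if lo >= hi else []
    for entry in passwd.splitlines():
        fields = entry.split(":")
        if len(fields) >= 3 and lo <= int(fields[2]) <= hi:
            problems.append(f"local account {fields[0]} (uid {fields[2]}) "
                            f"lies inside idmap uid range {lo}-{hi}")
    return problems
```

Run it against the real /etc/samba/smb.conf and /etc/passwd on each server before joining it; the same check applied to every host is also a cheap way to confirm the ranges are identical across the fleet.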