Conforme sugerido por Mike Renfro acima, o idmap_rid é o componente central. Abaixo está uma lista de comandos de shell que colocam uma máquina em funcionamento, partindo de uma instalação nova do RHEL 5.5:
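# Install the AD/NFS client stack on a fresh RHEL 5.5 box and enable the
# services in runlevels 3, 4 and 5. Run as root before `client_setup`.
# Phony: nothing named client_packages is produced on disk, and yum/chkconfig
# are idempotent, so re-running is harmless.
.PHONY: client_packages
client_packages:
	yum -y install samba3x-winbind krb5-workstation nfs-utils portmap pam_krb5
# winbind: AD users/groups via NSS and PAM.
	chkconfig --add winbind
	chkconfig winbind --level 345 on
# rpc.idmapd: NFSv4 name <-> id mapping (see idmapd.conf).
	chkconfig --add rpcidmapd
	chkconfig rpcidmapd --level 345 on
# portmap and nfslock are needed by the NFS client for locking.
	chkconfig --add portmap
	chkconfig portmap --level 345 on
	chkconfig --add nfslock
	chkconfig nfslock --level 345 on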
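# Join the AD domain, wire winbind into NSS/PAM and mount the NFSv4 shares.
# Expects samba-winbind.conf, krb5.conf, idmapd.conf and fstab.nfs-client in
# the current directory; run as root after `client_packages`.
# AD_SERVER is the domain controller used for join/testjoin; NFS_SERVER must
# match the address used in fstab.nfs-client (it selects the fstab lines
# that get replaced).
AD_SERVER  ?= ad.example.com
NFS_SERVER ?= 172.18.0.2

.PHONY: client_setup
client_setup:
# Shares may still be mounted from a previous run; not an error if they are not.
	umount /cpy/shared || true
	umount /cpy/users || true
# Config files are not executables: install's default mode is 0755, use 0644.
	install -m 644 samba-winbind.conf /etc/samba/smb.conf
	install -m 644 krb5.conf /etc/krb5.conf
	install -m 644 idmapd.conf /etc/idmapd.conf
# Every recipe line runs in its own shell, so each if-block must be one
# logical line (backslash continuations). `ads join` prompts for the
# Administrator password on the terminal; do not put it on the command line.
	if ! net -S $(AD_SERVER) ads testjoin ; then \
		net -S $(AD_SERVER) ads join -UAdministrator ; \
	fi
# Add winbind to passwd/shadow/group and wins to hosts, once. The regex
# anchors must be written `$$` so make passes a literal `$` to sed.
	if ! grep -q winbind /etc/nsswitch.conf ; then \
		sed -r -e 's/^(passwd|shadow|group):.*$$/& winbind/g' \
		    -e 's/^hosts:.*$$/& wins/g' -i /etc/nsswitch.conf ; \
	fi
# Drop any stale entries for the NFS server and append ours. The temp file
# lives next to /etc/fstab (root-owned dir, same filesystem) rather than in
# world-writable /tmp, and is moved into place atomically.
	( grep -v '$(NFS_SERVER):' /etc/fstab && cat fstab.nfs-client ) \
		> /etc/fstab.new && mv -f /etc/fstab.new /etc/fstab
	service winbind restart
	service rpcidmapd restart
	install -d /cpy/shared
	install -d /cpy/users
	mount -a
# Switch NSS/PAM to winbind + Kerberos (rewrites the system-auth stack).
	authconfig --enablewinbind --enablewinbindauth --enablekrb5 --update
	@echo "Make sure that /etc/hosts has an entry with .example.com"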
samba-winbind.conf:
[global]
# Unix-side character set follows the system locale.
unix charset = LOCALE
# NetBIOS domain name and Kerberos realm of the AD domain being joined
# (the `net -S ad.example.com ads join` in client_setup).
workgroup = EXAMPLE
realm = example.com
# Authenticate against Active Directory with Kerberos.
security = ADS
log level = 2
syslog = 0
# One log file per connecting client machine (%m).
log file = /var/log/samba/%m
max log size = 50
# idmap_rid derives uid/gid deterministically from the SID's RID, so every
# client configured with the same range produces the same ids — the
# property that lets NFS uids agree across machines. The range allows
# ~10000 ids; NOTE(review): confirm the domain's highest RID fits in it.
idmap backend = idmap_rid:EXAMPLE=10000-20000
idmap uid = 10000-20000
idmap gid = 10000-20000
# Home directories live on the /cpy/users NFSv4 mount (fstab.nfs-client).
template shell = /bin/bash
template homedir = /cpy/users/%u
winbind separator = +
winbind cache time = 60
# Enumeration lets getent list every domain user/group from this host;
# it is slow on large domains and exposes the full directory to local users.
winbind enum groups = yes
winbind enum users = yes
# Accounts appear as "user" rather than "EXAMPLE+user".
winbind use default domain = yes
krb5.conf:
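[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
# Realm of the AD domain (same domain as realm/workgroup in smb.conf).
# DNS lookups are disabled, so the KDC for this realm must be listed
# explicitly in [realms] below.
default_realm = EXAMPLE.COM
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
forwardable = yes
[realms]
# The realm name here must equal default_realm: the original listed
# PILOTFISH.SE, leaving EXAMPLE.COM with no KDC and no DNS fallback.
EXAMPLE.COM = {
kdc = ad.example.com
admin_server = ad.example.com
default_domain = example.com
}
[domain_realm]
# Map hosts in example.com (and subdomains such as ad.example.com) to the realm.
.example.com = EXAMPLE.COM
example.com = EXAMPLE.COM
[appdefaults]
# Settings read by pam_krb5 for interactive logins.
pam = {
debug = false
# Bare numbers are seconds: 10-hour tickets, renewable for 10 hours.
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}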
idmapd.conf:
[General]
Verbosity = 1
Pipefs-Directory = /var/lib/nfs/rpc_pipefs
# NFSv4 identity domain used in the "user@domain" strings on the wire.
# The NFS server's idmapd must use the same Domain, otherwise names fail
# to map and fall back to the Nobody-* identities below.
Domain = example.com
[Mapping]
# Identity substituted when a name cannot be mapped to a local account.
Nobody-User = nfsnobody
Nobody-Group = nfsnobody
[Translation]
# Resolve names through NSS, i.e. through winbind once client_setup has
# added it to /etc/nsswitch.conf.
Method = nsswitch
fstab.nfs-client:
# NFSv4 exports appended to /etc/fstab by client_setup, which first removes
# any existing lines containing '172.18.0.2:'.
# NOTE(review): "defaults" carries no sec= option, so these mounts use
# AUTH_SYS (the server trusts the client's uid/gid); the Kerberos configured
# above is used for the AD join and logins, not for NFS. Use sec=krb5
# (or krb5i/krb5p) on both server and client if NFS should be authenticated.
172.18.0.2:/users /cpy/users nfs4 defaults 0 0
172.18.0.2:/shared /cpy/shared nfs4 defaults 0 0