> From: Paul Kraus [mailto:p...@kraus-haus.org]
> 
> > Samba even has modules for mapping NT RIDs to Nix UIDs/GIDs as well as a
> > module that supports "Previous Versions" using the host's native
> > snapshot method.
> 
>     But... if SAMBA has native AD authentication, and the underlying
> OS can authenticate against AD, why do we need to have native Unix
> accounts for the SAMBA users ?

You say "native" unix accounts, but that doesn't have a clear meaning - All
the account info can be stored locally or remotely in a directory service,
or even locally in a caching directory service ... And multiple services can
be combined together, as long as all the relevant pieces of information come
from *some*where.  And as long as any unavailable pieces of information are
not necessary to satisfy any of the system's intended purposes.  For
example, I have one system which authenticates via Kerberos to AD, and uses
a NIS service, without any password, home directory, or shell information,
just to synchronize the username/UID/GID on a system which is a fileserver
and not intended for user logon.

If you run CIFS and you don't run NFS, then you don't need anything beyond
the AD server.  The CIFS server can locally generate all the POSIX details
as necessary, and all the separate Unix/Linux systems on the network can all
do the same - And none of the UIDs will match between systems - and that's
ok because no system will care about the UID of any user account on any
other system.

If you have a CIFS and NFS server, then you need some way of unifying all
the POSIX information - username to UID, GID, home dir, and shell, etc.

By default, AD doesn't have any such information in it - Yes you can add
UNIX services to AD, or extend the schema in various ways, and then
distribute that information via LDAP or NIS or some other directory
services, but the point remains, if you're authenticating via Kerberos, you
still need an additional directory service to make the POSIX information
consistent across all the Unix/Linux NFS machines.  AFAIK, POSIX information
is not something that Kerberos can be used for.


>     We are currently using Solaris 10 with SAMBA and have some
> usability issues as follows.
> 
> 1. need to manage Solaris as well as AD users/groups

I have a similar setup.  Solaris 10 and Samba use AD Kerberos for
authentication, but also use NIS for POSIX.
At one site, the NIS server is the Windows AD server.
At another (independent) site, the NIS server is a Linux machine.
Both the Windows & Linux NIS servers have some pros/cons versus each other.

This need does not disappear when you use a kernel CIFS server.


> 2. Unix / Solaris limitation of 16 / 32 group membership
> 3. ACL management (must be done on the Solaris side) and visibility
> 4. performance (especially with many small files)
> 
>     We can solve some of the above with SAMBA, but we are hoping that
> the Sun CIFS server in Solaris 11 resolves all of these issues. We
> start testing with Solaris 11 Express shortly.

I don't think you're going to eliminate #2.
#3 and #4, perhaps the kernel CIFS server might be better than Samba.  Or
vice-versa.  ;-)  I don't know.

_______________________________________________
zfs-discuss mailing list
zfs-discuss@opensolaris.org
http://mail.opensolaris.org/mailman/listinfo/zfs-discuss
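
The message above says that once NFS is in the picture, username/UID/GID data must be consistent across every Unix/Linux machine. The following is an added example, not part of the original message: it compares passwd-format dumps (as produced by `getent passwd`) from several hosts and reports identity drift. The host names and entries are constructed sample data.

```python
"""Detect POSIX identity drift across hosts that share files over NFS."""
from collections import defaultdict

# Constructed sample data: passwd-format text per host (hypothetical host names).
SAMPLE = {
    "nfs1": "alice:x:1001:100:Alice:/home/alice:/bin/sh\n"
            "bob:x:1002:100::/home/bob:/bin/sh\n",
    "nfs2": "alice:x:1001:100:Alice:/home/alice:/bin/sh\n"
            "bob:x:1005:100::/home/bob:/bin/sh\n"
            "carol:x:1002:100::/home/carol:/bin/sh\n",
}

def parse_passwd(text):
    """Return {username: (uid, gid)} from passwd(5)-format text."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        # Skip blanks, comments and NIS compat lines such as "+::::::".
        if not line or line.startswith(("#", "+", "-")):
            continue
        fields = line.split(":")
        if len(fields) < 4 or not (fields[2].isdigit() and fields[3].isdigit()):
            continue  # malformed entry
        entries[fields[0]] = (int(fields[2]), int(fields[3]))
    return entries

def find_drift(dumps):
    """Return (name_conflicts, uid_collisions).

    name_conflicts: {username: {host: (uid, gid)}} where hosts disagree.
    uid_collisions: {uid: {username: [hosts]}} where one UID names different users.
    """
    by_name = defaultdict(dict)
    by_uid = defaultdict(lambda: defaultdict(list))
    for host, text in dumps.items():
        for name, (uid, gid) in parse_passwd(text).items():
            by_name[name][host] = (uid, gid)
            by_uid[uid][name].append(host)
    name_conflicts = {n: h for n, h in by_name.items() if len(set(h.values())) > 1}
    uid_collisions = {u: dict(n) for u, n in by_uid.items() if len(n) > 1}
    return name_conflicts, uid_collisions

if __name__ == "__main__":
    names, uids = find_drift(SAMPLE)
    for name, hosts in sorted(names.items()):
        print(f"{name}: inconsistent ids {hosts}")
    for uid, users in sorted(uids.items()):
        print(f"uid {uid}: maps to different users {users}")
```

A UID collision is the case to fix first on NFS with AUTH_SYS, where the server authorizes by the numeric UID the client sends.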
