HP CIFS Server 3.0g Administrator's Guide version A.02.03.01

inter-operability including sharing identity credentials. SFU downloads and technical papers
are available from Microsoft’s TechNet at the following web site:
http://technet.microsoft.com
SFU features are incorporated into Windows Active Directory Server 2003 Release 2 (R2),
so no download is necessary for this version.
There are two approaches to integrate HP-UX account management and authentication with
Windows SFU:
NIS
One of the SFU tools, Server for NIS, enables Windows to serve as a NIS server. Windows
Active Directory Server (ADS) stores user account and group information including
SID, UID, and GID in the Windows ADS schema.
LDAP
When using LDAP-UX Client Services, HP-UX uses Windows ADS directly. SID, UID,
and GID information is stored as attributes of a user account in the Windows ADS
schema.
With SFU, HP CIFS Server can access both Windows and UNIX identity information from
the Windows Domain Controller.
HP CIFS Deployment Model Consideration
When winbind is desired, consider how your environment best fits into the following HP
CIFS deployment models. See Chapter 9 (page 129) for detailed information on HP CIFS
deployment models.
Samba Domain Model
A Samba Domain consists of HP CIFS Servers and no Windows Domain Controllers. The
Samba Domain deployment may benefit from the use of winbind when the domain trusts
other domains. Rather than managing local UNIX users for corresponding Windows/Samba
users for all trusted domains, winbind can be used to generate the UIDs and GIDs required
for the trusted domains. When multiple domains are involved, HP suggests that you configure
winbind with LDAP to use the sambaUnixIDPool identity allocation algorithm.
UNIX user requirements are likely to drive management of users in Samba Domain
deployments. HP recommends that you use the syncsmbpasswd script to generate Samba
user entries based on the existing UNIX user entries. See the syncsmbpasswd man page
for more information. Note that the name "syncsmbpasswd" originates from the name of
the password file. This tool only creates Samba user entries; it is not possible to translate
UNIX passwords into Samba passwords. Winbind bases its mappings on existing
Windows/Samba identities rather than existing UNIX users so it may be of little use in many
Samba Domains.
Domain member servers may use winbind to minimize management of all domain users.
However, HP CIFS Primary Domain Controllers may only make use of winbind to minimize
management of trusted domain users.
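Because winbind generates the UIDs and GIDs itself, the range it allocates from should not contain IDs already held by local UNIX accounts, or a mapped Windows identity could end up sharing an ID with an existing user or group. The check below is an added example, not part of the HP guide; it assumes the standard Samba 3.0 `idmap uid` and `idmap gid` parameters, and the smb.conf fragment, host name, DNs and passwd/group entries are constructed.

```python
# Constructed smb.conf fragment: standard Samba 3.0 parameters, placeholder host and DNs.
SMB_CONF = """\
[global]
workgroup = EXAMPLEDOM
security = domain
idmap backend = ldap:ldap://ldap.example.com
ldap suffix = dc=example,dc=com
ldap idmap suffix = ou=Idmap
ldap admin dn = cn=idmapadmin,dc=example,dc=com
; winbind allocates new UIDs/GIDs from these ranges
idmap uid = 10000-20000
idmap gid = 10000-20000
"""

# Constructed passwd and group entries standing in for the local UNIX databases.
PASSWD = """\
root:*:0:3::/:/sbin/sh
jsmith:*:105:20::/home/jsmith:/usr/bin/sh
oracle:*:10500:200:DB owner:/home/oracle:/usr/bin/sh
"""
GROUP = """\
users::20:jsmith
dba::200:oracle
"""

def idmap_range(conf_text, name):
    """Return (low, high) for the 'idmap uid' or 'idmap gid' parameter."""
    for line in conf_text.splitlines():
        key, sep, value = line.partition("=")
        if sep and not line.lstrip().startswith(("#", ";")) and key.strip().lower() == name:
            low, high = value.split("-")
            return int(low), int(high)
    raise KeyError(name)

def collisions(db_text, id_range):
    """Names of local entries whose numeric ID (third field) lies inside id_range."""
    low, high = id_range
    hits = []
    for line in db_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 3 and fields[2].isdigit() and low <= int(fields[2]) <= high:
            hits.append(fields[0])
    return hits

if __name__ == "__main__":
    print("local users inside idmap uid range:", collisions(PASSWD, idmap_range(SMB_CONF, "idmap uid")))
    print("local groups inside idmap gid range:", collisions(GROUP, idmap_range(SMB_CONF, "idmap gid")))
```

Any name reported should be renumbered, or the idmap range moved, before winbind is enabled.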
Windows Domain Model
In the Windows Domain deployment, the Windows NT or ADS Domain Controller does not
utilize Windows Services for UNIX (SFU) to maintain UNIX UID and GID data. HP CIFS
Servers participate as member servers and may benefit from the use of winbind to create
the local UNIX UIDs and GIDs required to correspond to Windows identities or when other
domains are trusted. Even when a Windows Domain Controller provides primary domain
authentication, HP CIFS member servers would benefit from the use of an LDAP directory
server, so winbind can be used while storing ID maps in an LDAP directory and maintaining