Teaching winbindd to use uidNumber/gidNumber attributes

Johann Hanne jhml at gmx.net
Tue May 4 18:34:54 GMT 2004


Hi,

the attached patch has been created against 3.0.2a, but it applies against 
3.0.3, too. It's not ready, it's only a proof-of-concept, and it will break 
existing features, so don't use it if you don't know what you are doing. 
However, I'm using it on a production machine which does HTTP-NTLM and 
SMB single sign-on against a Windows 2003 server, so it does what it has been 
created for. I've posted this half-ready patch because I think this kind of 
modification is a design decision, so before I complete it, I'd like to hear 
the opinion of the developers, if it's actually welcome...

The idea behind it is that if you have an Active Directory infrastructure, 
it's much smarter to store Unix attributes with the AD user objects than 
using the idmap stuff (this means you have to extend the AD schema with 
attributes from RFC 2307 of course). You could use nss_ldap of course, but I 
think using winbindd has some advantages (please comment on these, I'm not a 
Windows/Samba guru, so I might be completely wrong):
- The LDAP/AD server is chosen automatically, i.e. you don't have to specify a 
static LDAP server name/IP address
- If one LDAP server (i.e. domain controller) fails, it will use another one 
(really?)
- You don't need a user account (with its password stored in plaintext in 
ldap.conf) which is used for retrieving the attributes for all the user 
accounts, this is done by using the machine account of the domain member
- Simplicity - winbindd is all you need

The patch modifies (well, it screws up...) winbindd to get the 
uidNumber/gidNumber attributes when retrieving a user (_nss_*_getpwnam_r). 
Because of that direct user-to-uidnumber mapping (actually it's 
user-to-sid-to-uidnumber), there is no need for idmap. When a 
lookup-by-uidnumber (_nss_*_getpwuid_r) is requested, an LDAP request like 
"(uidNumber=1234)" is created, again eliminating the need for idmap. This 
request is currently only sent to the primary domain (i.e. not to trusted 
domains), so it needs more work. User enumeration 
(_nss_*_setpwent/_nss_*_getpwent_r/_nss_*_endpwent) is not yet implemented 
(i.e. "getent passwd" will not list the Windows users), but that's only 
cosmetic.

Comments, please?

Cheers, Johann
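The two lookups the post describes (name -> SID -> uidNumber via the user's own RFC 2307 attributes, and the reverse "(uidNumber=1234)" search) are sketched below as an added illustration. This is not Samba code and not the patch from the attachment: the "directory" is a constructed in-memory list of AD-style entries, the search function is a stand-in that only evaluates the two filter shapes built here, and the attribute and function names (filter_by_name, filter_by_uid, search, to_passwd) are this example's own. The one point the sketch adds beyond the post is that the user name taken from a getpwnam() call is escaped per RFC 4515 before it goes into the filter, and that an account without uidNumber/gidNumber simply yields no Unix identity, since nothing allocates one once idmap is out of the picture.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: AD user objects extended with RFC 2307 attributes.
# "bob" has no Unix attributes yet, which is the failure mode to handle.
SAMPLE_ENTRIES = [
    {"sAMAccountName": "alice", "objectSid": "S-1-5-21-1-2-3-1104",
     "uidNumber": "1104", "gidNumber": "513",
     "unixHomeDirectory": "/home/alice", "loginShell": "/bin/bash"},
    {"sAMAccountName": "bob", "objectSid": "S-1-5-21-1-2-3-1105"},
    {"sAMAccountName": "carol", "objectSid": "S-1-5-21-1-2-3-1106",
     "uidNumber": "1106", "gidNumber": "513",
     "unixHomeDirectory": "/home/carol", "loginShell": "/bin/sh"},
]


@dataclass
class PasswdEntry:
    """What the NSS getpw*() answer carries once attributes come from AD."""
    name: str
    uid: int
    gid: int
    sid: str
    home: str
    shell: str


def ldap_escape(value: str) -> str:
    """RFC 4515 escaping of an assertion value, so a caller-supplied user
    name cannot change the structure of the filter it is placed into."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)


def ldap_unescape(value: str) -> str:
    """Reverse of ldap_escape(), used by the stand-in search below."""
    return re.sub(r"\\([0-9a-fA-F]{2})",
                  lambda m: chr(int(m.group(1), 16)), value)


def filter_by_name(name: str) -> str:
    """Filter for the getpwnam() path: find the user object by account name."""
    return "(&(objectClass=user)(sAMAccountName=%s))" % ldap_escape(name)


def filter_by_uid(uid) -> str:
    """Filter for the getpwuid() path; only an integer ever reaches LDAP,
    matching the post's "(uidNumber=1234)". Non-numeric input raises."""
    return "(&(objectClass=user)(uidNumber=%d))" % int(uid)


_FILTER_RE = re.compile(r"^\(&\(objectClass=user\)\((\w+)=(.*)\)\)$")


def search(entries, ldap_filter: str):
    """Stand-in for the search a real winbindd would send to a domain
    controller: evaluates only the single-equality filters built above."""
    m = _FILTER_RE.match(ldap_filter)
    if not m:
        raise ValueError("unsupported filter: " + ldap_filter)
    attr, value = m.group(1), ldap_unescape(m.group(2))
    return [e for e in entries if e.get(attr) == value]


def to_passwd(entry) -> Optional[PasswdEntry]:
    """Map one AD entry (user -> objectSid -> uidNumber) to a passwd record.
    Without RFC 2307 attributes there is no Unix identity: return None
    rather than inventing an id, because idmap is not there to allocate one."""
    if "uidNumber" not in entry or "gidNumber" not in entry:
        return None
    return PasswdEntry(name=entry["sAMAccountName"],
                       uid=int(entry["uidNumber"]),
                       gid=int(entry["gidNumber"]),
                       sid=entry["objectSid"],
                       home=entry.get("unixHomeDirectory", "/"),
                       shell=entry.get("loginShell", "/bin/false"))


def getpwnam(entries, name: str) -> Optional[PasswdEntry]:
    """_nss_*_getpwnam_r equivalent: exactly one match or nothing."""
    hits = search(entries, filter_by_name(name))
    return to_passwd(hits[0]) if len(hits) == 1 else None


def getpwuid(entries, uid) -> Optional[PasswdEntry]:
    """_nss_*_getpwuid_r equivalent, the reverse lookup that replaces idmap."""
    hits = search(entries, filter_by_uid(uid))
    return to_passwd(hits[0]) if len(hits) == 1 else None


if __name__ == "__main__":
    print(getpwnam(SAMPLE_ENTRIES, "alice"))
    print(getpwuid(SAMPLE_ENTRIES, 1106))
    print(getpwnam(SAMPLE_ENTRIES, "bob"))  # no Unix attributes -> None
```

The reverse lookup here only ever sees one "domain" (the sample list), which mirrors the post's caveat that the real patch sends the uidNumber query to the primary domain only; a trusted-domain-aware version would have to run the same search against each domain's controllers and reject ambiguous hits.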

-------------- next part --------------
A non-text attachment was scrubbed...
Name: samba3-winbinduidnumber.diff.gz
Type: application/x-gzip
Size: 4427 bytes
Desc: not available
Url : http://lists.samba.org/archive/samba-technical/attachments/20040504/3c7f179e/samba3-winbinduidnumber.diff.bin