winbindd_idmap.tdb recovery

Martin.Sheppard at csiro.au
Mon Feb 11 14:31:04 GMT 2002


Hi Don,

Yes, among other things SFU version 2 extends Active Directory schema to
hold UNIX uid, gid, homedir, shell, etc. There is probably an LDIF file on
the CD that makes the changes. I'm sure it wouldn't be hard to recreate a
suitable file that could be used.

I'm not sure how UIDs are allocated, but it must manage this somehow. All
this information is available via LDAP like the rest of AD and it should be
possible to use nss_ldap to completely manage user and group information via
AD. Indeed, this is what we may end up doing. However, having a winbind
aware of this field would have a number of advantages. It could operate in a
number of different modes:

- Traditional mode where UIDs are different on every machine.
- Strictly only mapping those users that have a UID entry in AD and relying
on some user defined mechanism to fill in the UID entries.
- Mapping users with a UID, but if there is a clash with a local user then
use a different UID.
- If the user doesn't have a UID assigned in AD then assign one and store it
back in AD. If you are doing this then all of the allocation probably has to
be done on one DC otherwise we could run into synchronisation problems.

These are only some of the possible ways in which people may want winbind to
work. There are other options like using the homedir from AD or using a
homedir defined in the config file as is done now. Making winbind work in
this way would give people a very flexible mechanism for managing the SID to
UID mapping.

Anyway, that's my wish for the day. It would be nice if it were implemented
sometime. It actually doesn't sound too complicated to do: for the first
stage, all we really need is the ability to read (and optionally write) a
UID value for the user from AD and a bit of glue to put it all together, but
I'm no expert in winbind internals, so maybe it will be more complicated
than that. Can this AD manipulation be done in samba 3?

Cheers,

Martin.
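
A toy model of the four mapping modes listed above, added here as an illustration; it is not Samba code and not part of this thread. The Directory class stands in for an SFU-extended Active Directory (a user object with an optional uid attribute), IdMapper stands in for one winbindd instance with its local winbindd_idmap.tdb cache, and the SIDs, names, uid values and local uid set are all constructed sample data.

```python
"""Toy model of the winbind SID-to-UID mapping modes proposed in the thread.

Added illustration, not Samba code. Directory models an SFU-extended AD
(user objects with an optional uid attribute); IdMapper models one winbindd
with its local idmap cache. All sample values below are constructed.
"""

# Constructed sample data: three domain users (one without a uid in AD) and
# the uids already present in this member server's local passwd file.
SAMPLE_AD_USERS = {
    "S-1-5-21-1-2-3-1001": {"name": "alice", "uid": 5001},
    "S-1-5-21-1-2-3-1002": {"name": "bob", "uid": 1000},    # clashes with a local account
    "S-1-5-21-1-2-3-1003": {"name": "carol", "uid": None},  # no uid stored in AD
}
SAMPLE_LOCAL_UIDS = {0, 1000}


class Directory:
    """Stand-in for AD carrying an SFU-style uid attribute on user objects."""

    def __init__(self, users):
        # Copy so that mappers sharing one directory never mutate the sample data.
        self.users = {sid: dict(attrs) for sid, attrs in users.items()}

    def get_uid(self, sid):
        return self.users[sid]["uid"]

    def set_uid(self, sid, uid):
        self.users[sid]["uid"] = uid

    def uids_in_use(self):
        return {u["uid"] for u in self.users.values() if u["uid"] is not None}


class IdMapper:
    """One winbindd instance: a local sid->uid cache plus an allocation policy.

    mode is one of the four modes from the thread:
      "traditional"       allocate locally, so uids differ on every machine
      "strict"            only map users that carry a uid in AD
      "avoid_clash"       use the AD uid unless a local account already has it
      "assign_and_store"  use the AD uid, or allocate one and write it back
    """

    MODES = ("traditional", "strict", "avoid_clash", "assign_and_store")

    def __init__(self, directory, local_uids, mode, uid_range=(10000, 20000)):
        if mode not in self.MODES:
            raise ValueError(f"unknown mode {mode!r}")
        self.directory = directory
        self.local_uids = set(local_uids)
        self.mode = mode
        self.range_start, self.range_end = uid_range
        self.cache = {}  # the winbindd_idmap.tdb equivalent

    def _allocate(self):
        """Lowest free uid in the range: not cached, not a local account and,
        in store-back mode, not already written into AD by another host."""
        taken = set(self.cache.values()) | self.local_uids
        if self.mode == "assign_and_store":
            taken |= self.directory.uids_in_use()
        for uid in range(self.range_start, self.range_end):
            if uid not in taken:
                return uid
        raise RuntimeError("idmap uid range exhausted")

    def sid_to_uid(self, sid):
        if sid in self.cache:
            return self.cache[sid]
        ad_uid = self.directory.get_uid(sid)
        if self.mode == "traditional":
            uid = self._allocate()
        elif self.mode == "strict":
            if ad_uid is None:
                raise LookupError(f"{sid} has no uid in AD")
            uid = ad_uid
        elif self.mode == "avoid_clash":
            if ad_uid is None:
                raise LookupError(f"{sid} has no uid in AD")
            uid = self._allocate() if ad_uid in self.local_uids else ad_uid
        else:  # assign_and_store
            if ad_uid is None:
                uid = self._allocate()
                # Read-then-write on a shared attribute: only safe when a single
                # allocator does it, which is the thread's point about doing all
                # allocation on one DC.
                self.directory.set_uid(sid, uid)
            else:
                uid = ad_uid
        self.cache[sid] = uid
        return uid


def map_all(mode, directory=None):
    """Map every sample user under one mode; unmappable users map to None."""
    if directory is None:
        directory = Directory(SAMPLE_AD_USERS)
    mapper = IdMapper(directory, SAMPLE_LOCAL_UIDS, mode)
    result = {}
    for sid, attrs in SAMPLE_AD_USERS.items():
        try:
            result[attrs["name"]] = mapper.sid_to_uid(sid)
        except LookupError:
            result[attrs["name"]] = None
    return result


if __name__ == "__main__":
    for mode in IdMapper.MODES:
        print(f"{mode:17s} {map_all(mode)}")
```

Running two mappers against the same Directory in assign_and_store mode shows the consistency property the thread is after: the first one allocates a uid for carol and writes it back, and the second one reads that uid from AD instead of allocating its own, whereas in traditional mode each instance starts from its own range.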

-----Original Message-----
From: MCCALL,DON (HP-USA,ex1) [mailto:don_mccall at hp.com] 
Sent: Tuesday, 12 February 2002 12:46 AM
To: 'Martin.Sheppard at csiro.au'; MCCALL,DON (HP-USA,ex1);
Jean-Francois.Micouleau at dalalu.fr
Cc: STEFFENS,MICHAEL (HP-Germany,ex1); tpot at samba.org;
samba-technical at samba.org
Subject: RE: winbindd_idmap.tdb recovery

Hi Martin,
Yes, this would be ideal - it would be a pity to have to implement
some sort of 'pseudo-sam' synchronization engine for winbindd, essentially
duplicating DC type of functionality on machines that are, after all
'member servers' in the win2k domain, for all practical purposes.
As I recall, M$ came up with something called SFU (Services for Unix)
which expanded the AD ldap entry such that unix info (like UID field)
was contained with each user.  I haven't heard much about SFU from M$,
so I don't know how active this product is, but perhaps that could be 
an option.  I'd have to look into it, but I think that it DEPENDED on
a unix account existing, and being able to grab the uid/gid pair for 
the user FROM the unix account - I can't remember.  Of course with 
winbindd, the purpose is not to HAVE a unix user account, so we'd have
to do something like checking for a valid uid/gid pair in AD and if 
uninitialized, fill it in ourselves...
I'll stop theorizing based on little knowledge of the product.  But two
big holes are 1) SFU used to be an addon product, so you couldn't count
on it being there. 2) Don't know if the mechanisms for getting/modifying
the extra unix fields are exposed so that we could use them...
Would be worth looking into, though!
Don

-----Original Message-----
From: Martin.Sheppard at csiro.au [mailto:Martin.Sheppard at csiro.au]
Sent: Sunday, February 10, 2002 2:33 AM
To: don_mccall at hp.com; Jean-Francois.Micouleau at dalalu.fr
Cc: michael_steffens at hp.com; tpot at samba.org; samba-technical at samba.org
Subject: RE: winbindd_idmap.tdb recovery


I'll just add my 2 cents into this discussion. I know it wouldn't suit
everybody, but in my organisation it would seem that the most appropriate
place to store the UID mapping is by having a UID field for user objects in
Active Directory. That way you get a consistent mapping across the
organisation without going to the trouble of writing your own distributed
database. It also gives you the possibility of looking at using either
nss_ldap or winbind on the clients depending on which is more appropriate. 

Has any thought been given to having winbind be able to operate in this way?

Cheers,

Martin.

-----Original Message-----
From: Jean Francois Micouleau [mailto:Jean-Francois.Micouleau at dalalu.fr]
Sent: Friday, February 08, 2002 5:08 PM
To: MCCALL,DON (HP-USA,ex1)
Cc: 'samba-technical at samba.org'
Subject: RE: winbindd_idmap.tdb recovery

The only other 'automatic' way I see around this is to go ahead and assign
on a 1st come 1st serve basis, but require all the samba member servers in a
particular domain to know about each other, and implement some sort of
winbindd_idmap multiple master scheme, where if you didn't find a local map
for the sid coming in, before you did the mapping, you checked with your
'samba ring' to see if the sid had been mapped anywhere else, and use
the same mapping.  And with all the synchronization problems, etc. this could
be a nightmare to bulletproof.

Thanks for continuing the conversation!
Don
