Text-base idmap backend module for samba 3.0.2a

Phil Mayers p.mayers at imperial.ac.uk
Sat Jul 17 13:32:10 GMT 2004


On Fri, Jul 16, 2004 at 05:13:45PM +0200, Simo Sorce wrote:
> Sorry I haven't understood fully, anyway I think you're addressing the
> problem from the wrong point of view.
> 
> winbind is for use in setups that don't use NIS and where allocation
> is dynamic. If you have users on NIS then you do not need winbindd.

I don't believe that's true; winbind serves functions *other* than just
the nss and pam modules. This is a common problem, and more
documentation related. The issue as I explained it to a colleague is:

Winbind thinks the user is "DOMAIN\user", can't find that in the
existing "password" database (be it files, NIS, or LDAP) and allocates a
new uid.

I think the poster wants the:

   winbind trusted domains only = yes

...parameter. I'm assuming he's got:

windows:
  domain1:
    userA
  domain2:
    userB

NIS:
  domainX:
    userA (same user as DOMAIN1\userA)
    userB (same user as DOMAIN2\userB)

The winbind parameter above makes this setup work correctly, and
arguably should be the default since I'm assuming if it *fails* to find
the UID in the password it'll still allocate a UID.

[Checks; Hmm. No, it doesn't]

Incidentally, I would have thought "winbind use default domain = yes"
would also be required *if* the nss and pam modules were being used e.g.
for SSH/FTP etc.

Finally, I found I needed to delete the winbind.*.tdb files to make this
change "work" - is this expected?

Of course, if his NIS users have different names than the windows users
he will *also* need the "username map", as you pointed out.

> 
> Simo.
> 
> On Fri, 2004-07-16 at 16:31, Jamil Amir-ajamil01 wrote:
> > Thanks Simo,
> > 
> > Is it possible I can resolve the following problem without using this patch?
> > 
> > The problem with winbind and NIS accounts (mix accounts same and different from windows domain and also trusted domain users).
> > 
> > Currently if I give permission from windows and check from Unix, it appears to be given a new UID (10001) from winbind; in fact the account is a valid NIS account in Unix. I think it should map windows accounts with the same Unix accounts. If the Unix account is different from windows then it should check static mapping file. Same for the groups mapping too.
> > 
> > Also we are not using LDAP.
> > 
> > Thanks in advance for your help.
> > 
> > Regards
> > Amir
> > 
> > 
> > -----Original Message-----
> > From: Simo Sorce [mailto:idra at samba.org]
> > Sent: 16 July 2004 10:12
> > To: Volker Lendecke
> > Cc: Jamil Amir-ajamil01; samba-technical at lists.samba.org
> > Subject: Re: Text-base idmap backend module for samba 3.0.2a
> > 
> > 
> > Someone posted it on samba-technical a few months ago, you should be
> > able to find it out in the archives.
> > 
> > I thought about adding it in our official trees, but then avoided that as
> > it is inefficient and idmapping is not meant to be touched by admins
> > anyway, so I find no meaning in using a human readable/writable format
> > (and still you can do that with ldap :-/).
> > 
> > Simo.
> > 
> > On Thu, 2004-07-15 at 12:47, Volker Lendecke wrote:
> > > On Thu, Jul 15, 2004 at 11:21:22AM +0100, Jamil Amir-ajamil01 wrote:
> > > > I am looking for Text-base idmap backend module for samba 3.0.2a, could
> > > > somebody please send it to me or let me know if it is posted somewhere.
> > > 
> > > I'm not aware of such a thing. This would be horrendously inefficient. Maybe
> > > the commands 'net idmap dump' and 'net idmap restore' help you?
> > > 
> > > Volker
> -- 
> Simo Sorce    -  idra at samba.org
> Samba Team    -  http://www.samba.org
> Italian Site  -  http://samba.xsec.it
> 

-- 

Regards,
Phil

+------------------------------------------+
| Phil Mayers                              |
| Network & Infrastructure Group           |
| Information & Communication Technologies |
| Imperial College                         |
+------------------------------------------+
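
A check for the situation discussed in this message, as an added example that is not part of the original post or of Samba: it scans passwd-format text for users that exist both under a bare NIS/files name and as a winbind-allocated "DOMAIN\user" entry with a different UID. The sample data, the 10000-20000 idmap range, the backslash separator, the case-insensitive name match and the function names are all assumptions made for the example.

```python
# Added example: find accounts that exist twice, once in NIS/files under the
# bare name and once as a winbind-allocated DOMAIN\user entry.
# Input is passwd(5)-format text, e.g. what `getent passwd` prints on a host
# where winbind is listed in nsswitch.conf (assumed setup).

# Constructed sample data, not taken from a real system.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
userA:x:501:100:User A:/home/userA:/bin/sh
userB:x:502:100:User B:/home/userB:/bin/sh
DOMAIN1\\userA:x:10001:10000:User A:/home/DOMAIN1/userA:/bin/false
DOMAIN2\\userB:x:10002:10000:User B:/home/DOMAIN2/userB:/bin/false
DOMAIN2\\userC:x:10003:10000:User C:/home/DOMAIN2/userC:/bin/false
"""


def parse_passwd(text):
    """Yield (name, uid) for every well-formed passwd line."""
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) < 7 or not fields[2].isdigit():
            continue  # skip blanks, comments and NIS +/- compat entries
        yield fields[0], int(fields[2])


def split_identities(text, idmap_range=(10000, 20000), separator="\\"):
    """Return [(unix_name, unix_uid, winbind_name, winbind_uid), ...]."""
    low, high = idmap_range  # assumed "idmap uid" range
    unix, winbind = {}, []
    for name, uid in parse_passwd(text):
        if separator in name and low <= uid <= high:
            winbind.append((name, uid))
        elif separator not in name:
            # Windows names are case-insensitive, so compare lower-cased.
            unix.setdefault(name.lower(), (name, uid))
    findings = []
    for wb_name, wb_uid in winbind:
        bare = wb_name.split(separator, 1)[1].lower()
        if bare in unix and unix[bare][1] != wb_uid:
            findings.append(unix[bare] + (wb_name, wb_uid))
    return findings


if __name__ == "__main__":
    for unix_name, unix_uid, wb_name, wb_uid in split_identities(SAMPLE_PASSWD):
        print(f"{wb_name} has uid {wb_uid}, but {unix_name} already has uid {unix_uid}")
```

Files created over SMB by a flagged user are owned by the winbind-allocated UID rather than the user's NIS UID, which is the ownership mismatch described in the thread.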

