'winbind nss info' and new idmap architecture

Kenneth MacDonald K.MacDonald at ed.ac.uk
Sun Nov 12 22:45:11 GMT 2006 

>>>>> "Jerry" == Gerald (Jerry) Carter <jerry at samba.org> writes:

    Jerry> Simo, One thing I hadn't really considered before was the
    Jerry> frequently tight relationship between the nss info and
    Jerry> idmap backends.  Ideally, the idmap backend plugin should
    Jerry> also be able to provide the homedir, shell, & gecos
    Jerry> information (assuming the idmap backend interfaces with a
    Jerry> unique DIT data model).

    Jerry> The current code supports sfu/rfc2307 by assuming that the
    Jerry> posix attributes are stored on the user/computer obkect in
    Jerry> AD.  It also makes it impossible to override this without
    Jerry> modifying core winbindd_ads.c code.  This should really be
    Jerry> a pluggable interface somehow.  Although I don't want it to
    Jerry> become overly complicated to configure.

Apple came up with a really elegant method of making their Active
Directory DirectoryServices plugin work in almost any AD environment.
They allow the sysadmin to choose the name (Ldap-Display-Name I
presume) of the attribute to use on the user account object for their
UID, GID and on the security group object for its GID.  If your AD
doesn't have SFU/RFC2307 attributes populated, it can fall back to
using the first 31 bits of the objectGUID for UID and group GID
(primaryGroupID for user GID).

Of course, if you choose a non-indexed attribute you can quickly bring
your DCs to their knees!

See in particular the -uid, -gid and -ggid in the manual page (for example at
http://developer.apple.com/documentation/Darwin/Reference/Manpages/man8/dsconfigad.8.html)

Unfortunately, they have chosen to use the Common-Name (or perhaps the
Admin-Display-Name) of security groups to supply the Unix group name.
Since these can't be guaranteed to be unique across a domain it leads
to their plugin giving up when asking for the members of an ambiguous
group.  I'd imagine sAMAccountName with the trailing $ stripped off
would have been more reliable.

I've had two aborted attempts to add this functionality in to the AD
idmap plugin, but my C coding isn't up to it.

I'll happily answer any questions you have on my research to date.

Cheers,

Kenny.

-- 
Desktop Services Team, EUCS.

University of Edinburgh, Scotland.

More information about the samba-technical mailing list