NIS/ldap name-based id mapping from Active directory and idmap_nss
Nimrod Sapir
NIMRODS at il.ibm.com
Wed Jul 11 09:16:33 MDT 2012
Hello
I am trying to create a Samba environment in which authentication is done
using Active directory, while id mapping is done using NIS/ldap based on
the account name. Unlike using SFU or the new idmap_rfc2307, I do not
want to create a new database for SID->UID mapping, but to work with
already existing NIS/ldap databases and map
SID->DOMAIN_NAME->UNIX_NAME->UID.
I tried working with NIS and idmap_nss and it does work to some extent.
After configuring the NIS on the Samba server, adding nis to /etc/nsswitch
and connecting the server into the domain, when domain user
MyDomain\MyUser connects to the server, if myUser exists on the NIS, the
right UID will be pulled from the NIS and the smbd connection process will
run with the right UID.
If I understand correctly, Samba simply strips the domain name from the
user name and resolves the user name ("myUser") as if it was a local user.
So, if the user myUser existed on the local machine, its UID would have
been used instead (assuming the nsswitch is configured to use local
users). Also, I discovered that idmap_nss does not enforce the idmap range
restrictions (using a call to idmap_unix_id_is_in_range). So, if I created
a domain user called "root" and created a connection, I would get root
access to the machine!
I assume the same method will work if I replace the NIS with an ldap
server, but I haven't tried it yet.
Is there a better way to do Active directory - NIS/ldap integration for an
existing name->uid NIS/ldap database? I tried googling it and got some
conflicting information.
Thanks
Nimrod Sapir
IBM - XIV, Israel
NAS Development Team
Office: +972-3-689-7763
Cell: +972-54-7726-320
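An added audit script, not from the post and not Samba's own code, that models the SID->DOMAIN_NAME->UNIX_NAME->UID path described above and applies the idmap range check that the post says idmap_nss skips, so that domain names colliding with local accounts (such as "root") are flagged. The passwd sample is constructed, the idmap range is assumed, and lower-casing the stripped name is an assumption about winbind's name normalisation.

```python
# Constructed sample of what `getent passwd` returns once nsswitch
# consults both local files and NIS (NIS entries are marked in the GECOS).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:10001:10001:Alice (NIS):/home/alice:/bin/bash
bob:x:10002:10002:Bob (NIS):/home/bob:/bin/bash
"""

# Assumed idmap range for the domain, as configured in smb.conf
# (for example "idmap config MYDOMAIN : range = 10000-19999").
IDMAP_RANGE = (10000, 19999)


def parse_passwd(text):
    """Return {user name: uid} from passwd-format lines."""
    table = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        table[fields[0]] = int(fields[2])
    return table


def resolve(domain_user, passwd, idmap_range=IDMAP_RANGE):
    """Mimic the mapping the post describes: drop 'DOMAIN\\', resolve the
    bare name through the passwd table, then apply the range check that
    idmap_nss omits. Returns (unix_name, uid_or_None, in_range).
    Lower-casing the name is an assumption about winbind's normalisation."""
    unix_name = domain_user.split("\\", 1)[-1].lower()
    uid = passwd.get(unix_name)
    lo, hi = idmap_range
    in_range = uid is not None and lo <= uid <= hi
    return unix_name, uid, in_range


def audit(domain_users, passwd, idmap_range=IDMAP_RANGE):
    """List domain accounts that resolve to a UID outside the idmap range,
    i.e. names that land on local (non-NIS) accounts such as root."""
    findings = []
    for du in domain_users:
        unix_name, uid, in_range = resolve(du, passwd, idmap_range)
        if uid is not None and not in_range:
            findings.append((du, unix_name, uid))
    return findings


if __name__ == "__main__":
    pw = parse_passwd(SAMPLE_PASSWD)
    for hit in audit(["MyDomain\\Alice", "MyDomain\\root", "MyDomain\\carol"], pw):
        print("collision with out-of-range UID:", hit)
```

On a real server the constructed table would be replaced by the output of `getent passwd` and the user list by the domain's account names, so the same check runs against the live nsswitch configuration.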