NIS/ldap name-based id mapping from Active directory and idmap_nss
NIMRODS at il.ibm.com
Wed Jul 11 09:16:33 MDT 2012
I am trying to create a Samba environment in which authentication is done
using Active Directory, while id mapping is done using NIS/ldap based on
the account name. Unlike using SFU or the new idmap_rfc2307, I do not
want to create a new database for SID->UID mapping, but to work with
already existing NIS/ldap databases and map
I tried working with NIS and idmap_nss and it does work to some extent.
After configuring the NIS on the Samba server, adding nis to /etc/nsswitch
and connecting the server into the domain, when domain user
MyDomain\MyUser connects to the server, if myUser exists on the NIS, the
right UID will be pulled from the NIS and the smbd connection process will
run with the right UID.
If I understand correctly, Samba simply strips the domain name from the
user name and resolves the user name ("myUser") as if it was a local user.
So, if the user myUser existed on the local machine, its UID would have
been used instead (assuming the nsswitch is configured to use local
users). Also, I discovered that idmap_nss does not enforce the idmap range
restrictions (using a call to idmap_unix_id_is_in_range). So, if I created
a domain user called "root" and created a connection, I would get root
access to the machine!
I assume the same method will work if I replace the NIS with an ldap
server, but I haven't tried it yet.
Is there a better way to do Active directory - NIS/ldap integration for an
existing name->uid NIS/ldap database? I tried googling it and got some
IBM - XIV, Israel
NAS Development Team
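The name-collision risk described in the post (a domain account name being resolved through nsswitch as if it were a local user, with no idmap range check) can be audited before joining a server. The script below is an added example, not code from the original post or from the Samba project: it takes a constructed local passwd file and a constructed list of domain account names with the domain prefix already stripped, reports every name that would resolve to an existing local account, and flags those below a hypothetical MIN_UID as privileged. It assumes nsswitch consults local files and matches names exactly.

```shell
#!/bin/sh
# Added audit script (not from the post or from Samba). Finds domain account
# names that, after the domain prefix is stripped, collide with local accounts.

# Constructed sample /etc/passwd content, not taken from a real system.
LOCAL_PASSWD='root:x:0:0:root:/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1001:1001:Alice:/home/alice:/bin/sh'

# Constructed list of domain user names after stripping "MyDomain\".
DOMAIN_USERS='root
MyUser
alice
bob'

# Hypothetical threshold: UIDs below it are treated as system/privileged.
MIN_UID=1000

# find_collisions DOMAIN_USERS PASSWD_DATA
# Prints "name uid status" for each domain name that also exists locally;
# status is PRIVILEGED when the local uid is below MIN_UID, else collision.
find_collisions() {
    domain_users="$1"
    passwd_data="$2"
    printf '%s\n' "$domain_users" | while IFS= read -r name; do
        [ -n "$name" ] || continue
        # Exact, case-sensitive match on the passwd name field, like a files lookup.
        uid=$(printf '%s\n' "$passwd_data" | awk -F: -v n="$name" '$1 == n { print $3; exit }')
        [ -n "$uid" ] || continue
        if [ "$uid" -lt "$MIN_UID" ]; then
            printf '%s %s PRIVILEGED\n' "$name" "$uid"
        else
            printf '%s %s collision\n' "$name" "$uid"
        fi
    done
}

# count_privileged DOMAIN_USERS PASSWD_DATA
# Number of domain names that would land on a UID below MIN_UID.
count_privileged() {
    find_collisions "$1" "$2" | awk '/ PRIVILEGED$/ { n++ } END { print n + 0 }'
}

find_collisions "$DOMAIN_USERS" "$LOCAL_PASSWD"
```

On a real server, replace the two constructed variables with the output of `getent passwd` from local files and the list of domain account names you intend to map.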