NIS/ldap name-based id mapping from Active directory and idmap_nss

Nimrod Sapir NIMRODS at il.ibm.com
Wed Jul 11 09:16:33 MDT 2012


Hello

I am trying to create a Samba environment in which authentication is done 
using Active directory, while id mapping is done using NIS/ldap based on 
the account name. Unlike using SFU or the new idmap_rfc2307, I do not 
want to create a new database for SID->UID mapping, but to work with 
already existing NIS/ldap databases and map 
SID->DOMAIN_NAME->UNIX_NAME->UID. 

I tried working with NIS and idmap_nss and it does work to some extent. 
After configuring the NIS on the Samba server, adding nis to /etc/nsswitch 
and connecting the server into the domain, when domain user 
MyDomain\MyUser connects to the server, if myUser exists on the NIS, the 
right UID will be pulled from the NIS and the smbd connection process will 
run with the right UID. 

If I understand correctly, Samba simply strips the domain name from the 
user name and resolves the user name ("myUser") as if it was a local user. 
So, if the user myUser existed on the local machine, its UID would have 
been used instead (assuming the nsswitch is configured to use local 
users). Also, I discovered that idmap_nss does not enforce the idmap range 
restrictions (using a call to idmap_unix_id_is_in_range). So, if I created 
a domain user called "root" and created a connection, I would get root 
access to the machine!

I assume the same method will work if I replace the NIS with an ldap 
server, but I haven't tried it yet.

Is there a better way to do Active directory - NIS/ldap integration for an 
existing name->uid NIS/ldap database? I tried googling it and got some 
conflicting information.

Thanks
Nimrod Sapir
IBM - XIV, Israel
NAS Development Team
Office: +972-3-689-7763
Cell:   +972-54-7726-320
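Added example, not code from the post or from Samba: it models the name-based lookup the post describes (domain prefix dropped, bare name resolved through passwd sources) and then applies the idmap range check the poster says idmap_nss skips, so an admin can see which domain accounts would land on local or system UIDs before the gap is hit in production. The passwd data, the idmap range and the function names are constructed for the example.

```python
import re

# Constructed sample NIS/ldap passwd data in "getent passwd" format.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
svc_backup:x:999:999:Backup service:/var/backup:/usr/sbin/nologin
myUser:x:10042:10042:My User:/home/myUser:/bin/bash
"""

# Hypothetical idmap range, as "idmap config * : range = 10000-19999" would set.
IDMAP_RANGE = (10000, 19999)

def parse_passwd(text):
    """Return {name: uid} from passwd-format lines, skipping blank or malformed ones."""
    table = {}
    for line in text.splitlines():
        parts = line.split(":")
        if len(parts) >= 3 and parts[2].isdigit():
            table[parts[0]] = int(parts[2])
    return table

def strip_domain(account):
    """Drop the domain prefix the way the post says idmap_nss does.
    Handles the default '\\' winbind separator and the common '+' alternative."""
    return re.split(r"[\\+]", account, maxsplit=1)[-1]

def resolve_like_idmap_nss(account, passwd):
    """Name-based lookup: the bare user name is resolved as if it were a local user.
    Returns the UID, or None when no passwd entry matches (exact-case match assumed)."""
    return passwd.get(strip_domain(account))

def audit(domain_accounts, passwd, idmap_range=IDMAP_RANGE, system_uid_max=999):
    """Apply the range check idmap_nss skips and flag UIDs that land on
    system accounts (uid <= system_uid_max, root included)."""
    low, high = idmap_range
    findings = []
    for account in domain_accounts:
        uid = resolve_like_idmap_nss(account, passwd)
        findings.append({
            "account": account,
            "uid": uid,
            "in_range": uid is not None and low <= uid <= high,
            "system_collision": uid is not None and uid <= system_uid_max,
        })
    return findings
```

Run `audit(["MyDomain\\root"], parse_passwd(SAMPLE_PASSWD))` to see the root case from the post flagged as both out of range and a system-account collision.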