NIS/ldap name-based id mapping from Active directory and idmap_nss

Volker Lendecke Volker.Lendecke at SerNet.DE
Wed Jul 11 09:50:53 MDT 2012


You want to exclusively ask NIS? Not look at /etc/passwd?
I don't think we have a way to do that.

What you could do is to hook into the "username map script"
and filter out root for example. For everything else, just
pass on the user name.

This can anyway only work if you have just a single AD
domain or trusts that have no username clashes, which is
just as good as just one domain.

If you don't want to hook into username mapping or the idmap
tdb2 script, what about generating the mappings offline for
idmap.tdb? Go through NIS, look at AD for SIDs, do your
mapping and generate a mapping tdb. Then make the idmap tdb
backend readonly (not sure we can do this right now, but it
would be a worthwhile addition -- Michael?) and you have much
more control over what gets mapped to what.

The alternative would be to really call the NIS RPC calls
from within an idmap module. But I would guess that advanced
mapping and filtering needs to be done for the full

With best regards,

Volker Lendecke

On Wed, Jul 11, 2012 at 06:16:33PM +0300, Nimrod Sapir wrote:
> Hello
> I am trying to create a Samba environment in which authentication is done 
> using Active directory, while id mapping is done using NIS/ldap based on 
> the account name. Unlike using SFU or the new idmap_rfc2307, I do not 
> want to create a new database for SID->UID mapping, but to work with 
> already existing NIS/ldap databases and map 
> I tried working with NIS and idmap_nss and it does work to some extent. 
> After configuring the NIS on the Samba server, adding nis to /etc/nsswitch 
> and connecting the server into the domain, when domain user 
> MyDomain\MyUser connects to the server, if myUser exists on the NIS, the 
> right UID will be pulled from the NIS and the smbd connection process will 
> run with the right UID. 
> If I understand correctly, Samba simply strips the domain name from the 
> user name and resolves the user name ("myUser") as if it was a local user. 
> So, if the user myUser existed on the local machine, its UID would have 
> been used instead (assuming the nsswitch is configured to use local 
> users). Also, I discovered that idmap_nss does not enforce the idmap range 
> restrictions (using a call to idmap_unix_id_is_in_range). So, if I created 
> a domain user called "root" and created a connection, I would get root 
> access to the machine!
> I assume the same method will work if I replace the NIS with an ldap 
> server, but I haven't tried it yet.
> Is there a better way to do Active directory - NIS/ldap integration for an 
> existing name->uid NIS/ldap database? I tried googling it and got some 
> conflicting information.
> Thanks
> Nimrod Sapir
> IBM - XIV, Israel
> NAS Development Team
> Office: +972-3-689-7763
> Cell:   +972-54-7726-320

SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
phone: +49-551-370000-0, fax: +49-551-370000-9
AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen, mailto:kontakt at
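The following is an added example, not code from Samba or from either poster, of the "username map script" hook Volker suggests for filtering out root (and, more generally, any name that would land an AD account on a local or system Unix identity) while passing every other name through for NIS to resolve. Samba calls the script with the incoming name ("DOMAIN\user") as its single argument and takes the first line of stdout as the name to use; empty output leaves the name unchanged, so a denial has to print a name that cannot resolve. The account name "samba-denied", the cut-off uid of 1000, and the two passwd-format samples standing in for /etc/passwd and the NIS passwd map are all assumptions made for the example.

```shell
#!/bin/sh
# Added example (not Samba project code): a "username map script" that
# refuses to map an AD account onto a local or privileged Unix identity.
#
# Samba runs:   script "DOMAIN\user"
# and uses the first line of stdout as the Unix name. Empty output means
# "keep the name as it is", so to deny we print a name that must not exist.
# Assumption: no account called "samba-denied" exists anywhere.

MIN_UID=${MIN_UID:-1000}        # assumption: NIS uids below this are system accounts
DENY_NAME="samba-denied"

# Constructed sample data so the script runs offline. In production replace
# the two function bodies with `cat /etc/passwd` and `ypcat passwd`.
SAMPLE_LOCAL='root:x:0:0:root:/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bob:x:1001:1001:local bob:/home/bob:/bin/sh'
SAMPLE_NIS='alice:x:5001:100:Alice:/home/alice:/bin/sh
operator:x:11:0:NIS operator:/:/bin/sh
bob:x:5002:100:NIS bob:/home/bob:/bin/sh'

local_passwd() { printf '%s\n' "$SAMPLE_LOCAL"; }
nis_passwd()   { printf '%s\n' "$SAMPLE_NIS"; }

# "MYDOMAIN\alice" or "MYDOMAIN+alice" -> "alice"; a bare name is unchanged.
strip_domain() {
    printf '%s\n' "$1" | sed 's/^.*[\\+]//'
}

# Print the uid of user $2 in the passwd-format stream produced by $1, or nothing.
uid_in() {
    "$1" | awk -F: -v u="$2" '$1 == u { print $3; exit }'
}

# Print the Unix name smbd should use for the account name given as $1.
map_user() {
    name=$(strip_domain "$1")

    # Reject empty or non-portable names outright.
    case "$name" in
        ''|*[!A-Za-z0-9._-]*) echo "$DENY_NAME"; return 0 ;;
    esac

    # Any name /etc/passwd already knows (root, daemon, a local "bob") is a
    # local identity; an AD account must never be resolved onto it.
    if [ -n "$(uid_in local_passwd "$name")" ]; then
        echo "$DENY_NAME"; return 0
    fi

    # NIS system accounts below MIN_UID are off limits as well.
    nis_uid=$(uid_in nis_passwd "$name")
    if [ -n "$nis_uid" ] && [ "$nis_uid" -lt "$MIN_UID" ]; then
        echo "$DENY_NAME"; return 0
    fi

    # Everything else: pass the bare name through for nsswitch/NIS to resolve.
    echo "$name"
}

# Stand-alone use:  ./username_map.sh "MYDOMAIN\alice"
if [ $# -gt 0 ]; then
    map_user "$1"
fi
```

Install it with "username map script = /path/to/username_map.sh" in the [global] section. Note that this only filters the name smbd ends up using; it does nothing about idmap_nss resolving the SID by bare name, which is the layer Volker's offline idmap.tdb suggestion addresses.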
