NIS/ldap name-based id mapping from Active directory and idmap_nss

Nimrod Sapir NIMRODS at il.ibm.com
Wed Jul 11 10:12:13 MDT 2012


Hi Volker

The idea is not to keep a local tdb at all. If we do not use SFU/ldap/NIS, 
we will use RID, so there is no local mapping database (outside the 
cache) and no local users involved. Using the script is a possibility, 
although it may be less robust than a full idmap module.

Calling the NIS directly is probably the most robust way - do you think it 
is worthwhile creating a new idmap (say idmap_nis) that will handle such a 
flow? Does it make any difference if we are using ldap and not NIS (again, 
not a dedicated ldap server, but a pre-defined ldap server which is 
already used for managing Unix accounts in the environment)? Does 
idmap_ldap help here?

Regarding the multiple domain support - one more thought we had is to 
create a rule-based name mapping logic. This will allow, for example, to 
map DomainA\userX -> domainA_userX and DomainB\UserY -> DomainB_userY (or 
add specific name mapping for certain users, block other users, and so 
on). Did anyone ever consider adding such logic?

Thanks
Nimrod Sapir
IBM - XIV, Israel
NAS Development Team
Office: +972-3-689-7763
Cell:   +972-54-7726-320




From:   Volker Lendecke <Volker.Lendecke at sernet.de>
To:     Nimrod Sapir/Israel/IBM at IBMIL, 
Cc:     samba-technical <samba-technical at lists.samba.org>, Dan 
Cohen1/Israel/IBM at IBMIL, Lior Chen/Israel/IBM at IBMIL
Date:   11/07/2012 18:50
Subject:        Re: NIS/ldap name-based id mapping from Active directory and idmap_nss



Hi!

You want to exclusively ask NIS? Not look at /etc/passwd?
I don't think we have a way to do that.

What you could do is to hook into the "username map script"
and filter out root for example. For everything else, just
pass on the user name.

This can anyway only work if you have just a single AD
domain or trusts that have no username clashes, which is
just as good as just one domain.

If you don't want to hook into username mapping or the idmap
tdb2 script, what about generating the mappings offline for
idmap.tdb? Go through NIS, look at AD for SIDs, do your
mapping and generate a mapping tdb. Then make the idmap tdb
backend readonly (not sure we can do this right now, but it
would be a worthwhile addition -- Michael?) and you have much
more control over what gets mapped to what.

The alternative would be to really call the NIS RPC calls
from within an idmap module. But I would guess that advanced
mapping and filtering needs to be done for the full
requirements.

With best regards,

Volker Lendecke

On Wed, Jul 11, 2012 at 06:16:33PM +0300, Nimrod Sapir wrote:
> Hello
> 
> I am trying to create a Samba environment in which authentication is done
> using Active directory, while id mapping is done using NIS/ldap based on
> the account name. Unlike using SFU or the new idmap_rfc2307, I do not
> want to create a new database for SID->UID mapping, but to work with
> already existing NIS/ldap databases and map
> SID->DOMAIN_NAME->UNIX_NAME->UID.
> 
> I tried working with NIS and idmap_nss and it does work to some extent.
> After configuring the NIS on the Samba server, adding nis to /etc/nsswitch
> and connecting the server into the domain, when domain user
> MyDomain\MyUser connects to the server, if myUser exists on the NIS, the
> right UID will be pulled from the NIS and the smbd connection process will
> run with the right UID.
> 
> If I understand correctly, Samba simply strips the domain name from the
> user name and resolves the user name ("myUser") as if it was a local user.
> So, if the user myUser existed on the local machine, its UID would have
> been used instead (assuming the nsswitch is configured to use local
> users). Also, I discovered that idmap_nss does not enforce the idmap range
> restrictions (using a call to idmap_unix_id_is_in_range). So, if I created
> a domain user called "root" and created a connection, I would get root
> access to the machine!
> 
> I assume the same method will work if I replace the NIS with an ldap
> server, but I haven't tried it yet.
> 
> Is there a better way to do Active directory - NIS/ldap integration for an
> existing name->uid NIS/ldap database? I tried googling it and got some
> conflicting information.
> 
> Thanks
> Nimrod Sapir
> IBM - XIV, Israel
> NAS Development Team
> Office: +972-3-689-7763
> Cell:   +972-54-7726-320



-- 
SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
phone: +49-551-370000-0, fax: +49-551-370000-9
AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen
http://www.sernet.de, mailto:kontakt at sernet.de

