NIS/ldap name-based id mapping from Active directory and idmap_nss

Andrew Bartlett abartlet at samba.org
Wed Jul 11 22:34:16 MDT 2012


On Wed, 2012-07-11 at 18:16 +0300, Nimrod Sapir wrote:
> Hello
> 
> I am trying to create a Samba environment in which authentication is done 
> using Active Directory, while id mapping is done using NIS/ldap based on 
> the account name. Unlike using SFU or the new idmap_rfc2307, I do not 
> want to create a new database for SID->UID mapping, but to work with 
> already existing NIS/ldap databases and map 
> SID->DOMAIN_NAME->UNIX_NAME->UID. 
> 
> I tried working with NIS and idmap_nss and it does work to some extent. 
> After configuring the NIS on the Samba server, adding nis to /etc/nsswitch 
> and connecting the server into the domain, when domain user 
> MyDomain\MyUser connects to the server, if myUser exists on the NIS, the 
> right UID will be pulled from the NIS and the smbd connection process will 
> run with the right UID. 
> 
> If I understand correctly, Samba simply strips the domain name from the 
> user name and resolves the user name ("myUser") as if it was a local user. 
> So, if the user myUser existed on the local machine, its UID would have 
> been used instead (assuming the nsswitch is configured to use local 
> users). Also, I discovered that idmap_nss does not enforce the idmap range 
> restrictions (using a call to idmap_unix_id_is_in_range). So, if I created 
> a domain user called "root" and created a connection, I would get root 
> access to the machine!

We trust the directory absolutely.  If arbitrary named users are being
created, then I think that is the real problem.  

> I assume the same method will work if I replace the NIS with an ldap 
> server, but I haven't tried it yet.
> 
> Is there a better way to do Active directory - NIS/ldap integration for an 
> existing name->uid NIS/ldap database? I tried googling it and got some 
> conflicting information.

Is using idmap_nss really a problem?  Of course we could optionally have
it only honour certain UID values, but it really seems the best starting
point. 

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
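The resolution chain discussed in this thread, SID -> DOMAIN\user -> unix name -> UID, with the idmap range check that Nimrod reports idmap_nss does not apply, modelled in Python. This is an added illustration, not Samba's code and not code posted by either participant: the directory and passwd tables are constructed sample data, the function names (sid_to_uid, unix_id_is_in_range, out_of_range_mappings) are this example's own, and IdmapConfig stands in for the "idmap config ... : range" setting. It shows why a domain account named "root" lands on uid 0 when the range is not enforced, and gives a small audit that lists every directory name that would map outside the configured range.

```python
"""Model of the SID -> DOMAIN\\user -> unix name -> UID chain with an
optional idmap range check.  Added example; not Samba code."""

from dataclasses import dataclass

# Constructed sample data: what winbind would learn from the directory.
DIRECTORY = {
    "S-1-5-21-1-2-3-1105": "MYDOMAIN\\myuser",
    "S-1-5-21-1-2-3-1106": "MYDOMAIN\\root",        # domain account named "root"
    "S-1-5-21-1-2-3-1107": "MYDOMAIN\\notinnis",    # no NIS/ldap entry
}

# Constructed sample data: what NSS (files, then nis/ldap) returns for getpwnam().
PASSWD = {
    "root": 0,        # local account from /etc/passwd
    "myuser": 10042,  # account from the existing NIS/ldap database
}


@dataclass
class IdmapConfig:
    """Stand-in for 'idmap config DOMAIN : range = low-high' (hypothetical model)."""
    low: int
    high: int
    enforce_range: bool


def sid_to_name(sid):
    """Directory lookup: SID -> DOMAIN\\account, or None if unknown."""
    return DIRECTORY.get(sid)


def strip_domain(name):
    """idmap_nss keeps only the account part, as the thread describes."""
    return name.split("\\", 1)[1] if "\\" in name else name


def getpwnam_uid(user):
    """NSS lookup of the bare account name; local users win over NIS."""
    return PASSWD.get(user)


def unix_id_is_in_range(uid, cfg):
    """The check the poster names (idmap_unix_id_is_in_range) reduced to its core."""
    return cfg.low <= uid <= cfg.high


def sid_to_uid(sid, cfg):
    """Return the UID for sid, or None if unmapped or rejected by the range."""
    name = sid_to_name(sid)
    if name is None:
        return None
    uid = getpwnam_uid(strip_domain(name))
    if uid is None:
        return None
    if cfg.enforce_range and not unix_id_is_in_range(uid, cfg):
        return None  # enforced range: uid 0 for "root" is refused here
    return uid


def out_of_range_mappings(cfg):
    """Audit: directory names whose stripped account maps outside the range."""
    bad = {}
    for sid, name in DIRECTORY.items():
        uid = getpwnam_uid(strip_domain(name))
        if uid is not None and not unix_id_is_in_range(uid, cfg):
            bad[name] = uid
    return bad


if __name__ == "__main__":
    lax = IdmapConfig(10000, 20000, enforce_range=False)
    strict = IdmapConfig(10000, 20000, enforce_range=True)
    for sid in DIRECTORY:
        print(sid, DIRECTORY[sid], sid_to_uid(sid, lax), sid_to_uid(sid, strict))
    print("out of range:", out_of_range_mappings(strict))
```

The audit function is the check worth running before trusting name-based mapping in practice: anyone who can create accounts in the directory controls which unix name each SID resolves to, so the list of names that collide with local or out-of-range accounts is exactly the set to worry about.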
