NIS/ldap name-based id mapping from Active directory and idmap_nss

Andrew Bartlett abartlet at
Wed Jul 11 22:34:16 MDT 2012

On Wed, 2012-07-11 at 18:16 +0300, Nimrod Sapir wrote:
> Hello
> I am trying to create a Samba environment in which authentication is done
> using Active Directory, while id mapping is done using NIS/ldap based on
> the account name. Unlike using SFU or the new idmap_rfc2307, I do not
> want to create a new database for SID->UID mapping, but to work with
> already existing NIS/ldap databases and map
> I tried working with NIS and idmap_nss and it does work to some extent.
> After configuring the NIS on the Samba server, adding nis to /etc/nsswitch
> and connecting the server into the domain, when domain user
> MyDomain\MyUser connects to the server, if myUser exists on the NIS, the
> right UID will be pulled from the NIS and the smbd connection process will
> run with the right UID.
> If I understand correctly, Samba simply strips the domain name from the
> user name and resolves the user name ("myUser") as if it were a local user.
> So, if the user myUser existed on the local machine, its UID would have
> been used instead (assuming the nsswitch is configured to use local
> users). Also, I discovered that idmap_nss does not enforce the idmap range
> restrictions (using a call to idmap_unix_id_is_in_range). So, if I created
> a domain user called "root" and created a connection, I would get root
> access to the machine!

We trust the directory absolutely.  If arbitrarily named users are being
created, then I think that is the real problem.

> I assume the same method will work if I replace the NIS with an ldap
> server, but I haven't tried it yet.
> Is there a better way to do Active Directory - NIS/ldap integration for an
> existing name->uid NIS/ldap database? I tried googling it and got some
> conflicting information.

Is using idmap_nss really a problem?  Of course we could have it
optionally only honour for certain UID values, but it really seems the
best starting point. 

Andrew Bartlett

Andrew Bartlett                      
Authentication Developer, Samba Team 
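The thread above turns on one behaviour: idmap_nss drops the domain part of the name and resolves the bare account name through NSS, so a domain account whose name matches a local or NIS account inherits that account's UID, including UID 0. The following check is an added example written for this post, not code from Samba or from either author; it takes a constructed passwd-format map and a constructed list of domain account names (both hypothetical sample data) and reports every domain name that would resolve to a UID below a chosen minimum, the kind of audit an administrator relying on idmap_nss would want to run against the real NIS/ldap map and the real directory's account list.

```python
# Constructed sample of a NIS/local passwd map (not data from any real system).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
nimrod:x:1001:1001:Nimrod:/home/nimrod:/bin/bash
myuser:x:1002:1002:My User:/home/myuser:/bin/bash
"""

# Constructed list of domain accounts in DOMAIN\user form (hypothetical names).
SAMPLE_DOMAIN_USERS = [
    "MyDomain\\myuser",
    "MyDomain\\root",
    "MyDomain\\alice",
    "MyDomain\\daemon",
]


def parse_passwd(text):
    """Build an account-name -> UID map from passwd-format lines."""
    users = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 3:
            continue  # malformed line, skip rather than guess
        users[fields[0]] = int(fields[2])
    return users


def strip_domain(name):
    """Mimic the name-only lookup described in the thread: drop a
    leading 'DOMAIN\\' prefix or a trailing '@domain' suffix."""
    if "\\" in name:
        return name.split("\\", 1)[1]
    return name.split("@", 1)[0]


def find_collisions(domain_users, passwd_map, min_uid=1000):
    """Return (domain_name, unix_name, uid) for each domain account whose
    stripped name resolves, via the passwd map, to a UID below min_uid.
    UIDs below the threshold are root and system accounts, which no
    directory user should silently inherit."""
    hits = []
    for domain_name in domain_users:
        unix_name = strip_domain(domain_name)
        uid = passwd_map.get(unix_name)
        if uid is not None and uid < min_uid:
            hits.append((domain_name, unix_name, uid))
    return hits


if __name__ == "__main__":
    for domain_name, unix_name, uid in find_collisions(
        SAMPLE_DOMAIN_USERS, parse_passwd(SAMPLE_PASSWD)
    ):
        print(f"{domain_name} -> {unix_name} (uid {uid}): privileged collision")
```

On a real host the passwd text would come from `getent passwd` (which walks nsswitch, NIS included) and the domain list from the directory; any hit is a name that must be renamed or blocked before idmap_nss is trusted.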
