NIS/ldap name-based id mapping from Active directory and idmap_nss
Andrew Bartlett
abartlet at samba.org
Wed Jul 11 22:34:16 MDT 2012
On Wed, 2012-07-11 at 18:16 +0300, Nimrod Sapir wrote:
> Hello
>
> I am trying to create a Samba environment in which authentication is done
> using Active directory, while id mapping is done using NIS/ldap based on
> the account name. Unlike using SFU or the new idmap_rfc2307, I do not
> want to create a new database for SID->UID mapping, but to work with
> already existing NIS/ldap databases and map
> SID->DOMAIN_NAME->UNIX_NAME->UID.
>
> I tried working with NIS and idmap_nss and it does work to some extent.
> After configuring the NIS on the Samba server, adding nis to /etc/nsswitch
> and connecting the server into the domain, when domain user
> MyDomain\MyUser connects to the server, if myUser exists on the NIS, the
> right UID will be pulled from the NIS and the smbd connection process will
> run with the right UID.
>
> If I understand correctly, Samba simply strips the domain name from the
> user name and resolves the user name ("myUser") as if it was a local user.
> So, if the user myUser existed on the local machine, its UID would have
> been used instead (assuming the nsswitch is configured to use local
> users). Also, I discovered that idmap_nss does not enforce the idmap range
> restrictions (using a call to idmap_unix_id_is_in_range). So, if I created
> a domain user called "root" and created a connection, I would get root
> access to the machine!
We trust the directory absolutely. If arbitrary named users are being
created, then I think that is the real problem.
> I assume the same method will work if I replace the NIS with an ldap
> server, but I haven't tried it yet.
>
> Is there a better way to do Active directory - NIS/ldap integration for an
> existing name->uid NIS/ldap database? I tried googling it and got some
> conflicting information.
Is using idmap_nss really a problem? Of course we could have it
optionally only honour for certain UID values, but it really seems the
best starting point.
Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
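The mapping Nimrod describes (SID -> DOMAIN\name -> strip the domain -> getpwnam() -> UID, with no check that the UID falls inside the configured idmap range) can be modelled outside Samba to see exactly where the "domain user called root" problem comes from and what the missing range check would have caught. The following is an added example, not Samba's idmap_nss code and not code from either poster: it uses a constructed in-memory passwd table in place of the real NSS/NIS/LDAP back end, and the range check (`unix_id_is_in_range`) is a stand-in written here for the idmap_unix_id_is_in_range() call mentioned in the thread, not the real function. The audit helper at the end lists the names in the passwd database that a directory account of the same name would resolve to outside the range, which is the check an admin would want to run before trusting name-based mapping against a directory they do not fully control.

```python
import pwd
from typing import Dict, List, Optional, Tuple

# Constructed stand-in for what NSS (local files, NIS, LDAP, ...) would return
# via getpwnam(). This is not a real system database.
FAKE_PASSWD: Dict[str, int] = {
    "root": 0,
    "daemon": 1,
    "svc_backup": 499,      # a local service account below the idmap range
    "myUser": 10001,
    "alice": 10002,
}

# The range an admin would configure for the domain, e.g. 10000-19999.
IdRange = Tuple[int, int]


def strip_domain(domain_user: str, separator: str = "\\") -> Tuple[Optional[str], str]:
    """Split 'DOMAIN<sep>user' into (domain, user); a bare name yields (None, name).

    The default separator mirrors winbind's default '\\'. Only the first
    separator is honoured, as a qualified name has exactly one domain part.
    """
    if separator in domain_user:
        domain, _, user = domain_user.partition(separator)
        return domain, user
    return None, domain_user


def unix_id_is_in_range(uid: int, uid_range: IdRange) -> bool:
    """Stand-in for the range check; idmap_nss as described in the thread skips it."""
    low, high = uid_range
    return low <= uid <= high


def nss_map_name_to_uid(
    domain_user: str,
    passwd_db: Dict[str, int],
    uid_range: IdRange,
    enforce_range: bool,
    separator: str = "\\",
) -> Optional[int]:
    """Model of name-based mapping: drop the domain, look the name up as a local user.

    With enforce_range=False this reproduces the behaviour described in the
    thread, where 'MYDOMAIN\\root' resolves to UID 0. With enforce_range=True
    any UID outside the configured range is refused (returns None).
    """
    _domain, user = strip_domain(domain_user, separator)
    uid = passwd_db.get(user)
    if uid is None:
        return None
    if enforce_range and not unix_id_is_in_range(uid, uid_range):
        return None
    return uid


def lookup_via_system_nss(user: str) -> Optional[int]:
    """Same lookup against the real NSS stack of the host, for live checks.

    Not used by the demonstration below, so the example stays offline.
    """
    try:
        return pwd.getpwnam(user).pw_uid
    except KeyError:
        return None


def names_mappable_outside_range(passwd_db: Dict[str, int], uid_range: IdRange) -> List[str]:
    """Audit: names that a same-named directory account would map to outside the range.

    Each of these is a name that must never be creatable in the directory if
    name-based mapping without a range check is in use.
    """
    return sorted(name for name, uid in passwd_db.items() if not unix_id_is_in_range(uid, uid_range))


if __name__ == "__main__":
    rng: IdRange = (10000, 19999)
    for name in ("MYDOMAIN\\myUser", "MYDOMAIN\\root", "MYDOMAIN\\nosuchuser"):
        unchecked = nss_map_name_to_uid(name, FAKE_PASSWD, rng, enforce_range=False)
        checked = nss_map_name_to_uid(name, FAKE_PASSWD, rng, enforce_range=True)
        print(f"{name:24s} no range check -> {unchecked!s:6s} with range check -> {checked}")
    print("names resolving outside the range:", names_mappable_outside_range(FAKE_PASSWD, rng))
```

Run as a script it prints the mapping for each constructed name both with and without the range check, then the audit list (root, daemon, svc_backup for the constructed table). Note that a range check alone only stops mappings to UIDs outside the range; a directory account whose name matches an in-range NIS/LDAP user still takes over that user's UID, which is the "we trust the directory absolutely" point in Andrew's reply.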