NIS/ldap name-based id mapping from Active directory and idmap_nss
Nimrod Sapir
NIMRODS at il.ibm.com
Thu Jul 12 01:49:46 MDT 2012
Andrew Bartlett <abartlet at samba.org> wrote on 12/07/2012 07:34:16:
> From: Andrew Bartlett <abartlet at samba.org>
> To: Nimrod Sapir/Israel/IBM at IBMIL,
> Cc: samba-technical <samba-technical at lists.samba.org>, Dan Cohen1/
> Israel/IBM at IBMIL, Lior Chen/Israel/IBM at IBMIL
> Date: 12/07/2012 07:34
> Subject: Re: NIS/ldap name-based id mapping from Active directory
> and idmap_nss
>
> On Wed, 2012-07-11 at 18:16 +0300, Nimrod Sapir wrote:
> > If I understand correctly, Samba simply strips the domain name from
the
> > user name and resolves the user name ("myUser") as if it was a local
user.
> > So, if the user myUser existed on the local machine, it's UID would
have
> > been used instead (assuming the nsswitch is configured to use local
> > users). Also, I discovered that idmap_nss does not enforce the idmap
range
> > restrictions (using a call to idmap_unix_id_is_in_range). So, if I
created
> > a domain user called "root" and created a connection, I would get root
> > access to the machine!
>
> We trust the directory absolutely. If arbitrary named users are being
> created, then I think that is the real problem.
>
I think that idmap_nss should at least enforce the id ranges defined in
"idmap config DOMAINNAME:range". I created a local patch in my local code
that use idmap_unix_id_is_in_range and returns the appropriate error code
(as done in other id mapping methods) - is there any reason not to add
this restriction to the idmap_nss code?
> > I assume the same method will work if I replace the NIS with an ldap
> > server, but I haven't tried it yet.
> >
> > Is there a better way to do Active directory - NIS/ldap integration
for an
> > existing name->uid NIS/ldap database? I tried googling it and got some
> > conflicting information.
>
> Is using idmap_nss really a problem? Of course we could have it
> optionally only honour for certain UID values, but it really seems the
> best starting point.
Here is one problem which may occur - Assuming the customer does not have
direct access to the machine, and the machine has a pre-defined set of
user accounts which it is shipped with. If I do not enforce any uid range,
the name resolution may accidentally hit one of the local users (if those
conflict with the names defined in NIS). If I do enforce a range (so that
I reserve the range for the local users) this range may conflict with the
range already in use in the customer's NIS, and may prevent some accounts
to be mapped correctly (unless user UID is changed, which is not a simple
procedure).
Thanks
Nimrod
More information about the samba-technical
mailing list