NIS/ldap name-based id mapping from Active directory and idmap_nss
Andrew Bartlett
abartlet at samba.org
Fri Jul 13 19:34:21 MDT 2012
On Thu, 2012-07-12 at 10:49 +0300, Nimrod Sapir wrote:
> Andrew Bartlett <abartlet at samba.org> wrote on 12/07/2012 07:34:16:
>
> > From: Andrew Bartlett <abartlet at samba.org>
> > To: Nimrod Sapir/Israel/IBM at IBMIL,
> > Cc: samba-technical <samba-technical at lists.samba.org>, Dan Cohen1/
> > Israel/IBM at IBMIL, Lior Chen/Israel/IBM at IBMIL
> > Date: 12/07/2012 07:34
> > Subject: Re: NIS/ldap name-based id mapping from Active directory
> > and idmap_nss
> >
> > On Wed, 2012-07-11 at 18:16 +0300, Nimrod Sapir wrote:
>
> > > If I understand correctly, Samba simply strips the domain name from
> the
> > > user name and resolves the user name ("myUser") as if it was a local
> user.
> > > So, if the user myUser existed on the local machine, it's UID would
> have
> > > been used instead (assuming the nsswitch is configured to use local
> > > users). Also, I discovered that idmap_nss does not enforce the idmap
> range
> > > restrictions (using a call to idmap_unix_id_is_in_range). So, if I
> created
> > > a domain user called "root" and created a connection, I would get root
>
> > > access to the machine!
> >
> > We trust the directory absolutely. If arbitrary named users are being
> > created, then I think that is the real problem.
> >
>
> I think that idmap_nss should at least enforce the id ranges defined in
> "idmap config DOMAINNAME:range". I created a local patch in my local code
> that use idmap_unix_id_is_in_range and returns the appropriate error code
> (as done in other id mapping methods) - is there any reason not to add
> this restriction to the idmap_nss code?
Propose the patch, and I'm sure the maintainer will let you know! :-)
> > > I assume the same method will work if I replace the NIS with an ldap
> > > server, but I haven't tried it yet.
> > >
> > > Is there a better way to do Active directory - NIS/ldap integration
> for an
> > > existing name->uid NIS/ldap database? I tried googling it and got some
>
> > > conflicting information.
> >
> > Is using idmap_nss really a problem? Of course we could have it
> > optionally only honour for certain UID values, but it really seems the
> > best starting point.
>
> Here is one problem which may occur - Assuming the customer does not have
> direct access to the machine, and the machine has a pre-defined set of
> user accounts which it is shipped with. If I do not enforce any uid range,
> the name resolution may accidentally hit one of the local users (if those
> conflict with the names defined in NIS). If I do enforce a range (so that
> I reserve the range for the local users) this range may conflict with the
> range already in use in the customer's NIS, and may prevent some accounts
> to be mapped correctly (unless user UID is changed, which is not a simple
> procedure).
That seems like a reasonable concern for an appliance.
Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
More information about the samba-technical
mailing list