NIS/ldap name-based id mapping from Active directory and idmap_nss

Andrew Bartlett abartlet at samba.org
Fri Jul 13 19:34:21 MDT 2012


On Thu, 2012-07-12 at 10:49 +0300, Nimrod Sapir wrote:
> Andrew Bartlett <abartlet at samba.org> wrote on 12/07/2012 07:34:16:
> 
> > From: Andrew Bartlett <abartlet at samba.org>
> > To: Nimrod Sapir/Israel/IBM at IBMIL, 
> > Cc: samba-technical <samba-technical at lists.samba.org>, Dan Cohen1/
> > Israel/IBM at IBMIL, Lior Chen/Israel/IBM at IBMIL
> > Date: 12/07/2012 07:34
> > Subject: Re: NIS/ldap name-based id mapping from Active directory 
> > and idmap_nss
> > 
> > On Wed, 2012-07-11 at 18:16 +0300, Nimrod Sapir wrote:
> 
> > > If I understand correctly, Samba simply strips the domain name from the
> > > user name and resolves the user name ("myUser") as if it was a local user.
> > > So, if the user myUser existed on the local machine, its UID would have
> > > been used instead (assuming the nsswitch is configured to use local
> > > users). Also, I discovered that idmap_nss does not enforce the idmap range
> > > restrictions (using a call to idmap_unix_id_is_in_range). So, if I created
> > > a domain user called "root" and created a connection, I would get root
> > > access to the machine!
> > 
> > We trust the directory absolutely.  If arbitrary named users are being
> > created, then I think that is the real problem. 
> > 
> 
> I think that idmap_nss should at least enforce the id ranges defined in
> "idmap config DOMAINNAME:range". I created a local patch in my local code
> that uses idmap_unix_id_is_in_range and returns the appropriate error code
> (as done in other id mapping methods) - is there any reason not to add
> this restriction to the idmap_nss code?

Propose the patch, and I'm sure the maintainer will let you know! :-)

> > > I assume the same method will work if I replace the NIS with an ldap
> > > server, but I haven't tried it yet.
> > > 
> > > Is there a better way to do Active directory - NIS/ldap integration for an
> > > existing name->uid NIS/ldap database? I tried googling it and got some
> > > conflicting information.
> > 
> > Is using idmap_nss really a problem?  Of course we could have it
> > optionally only honour for certain UID values, but it really seems the
> > best starting point. 
> 
> Here is one problem which may occur: assuming the customer does not have
> direct access to the machine, and the machine has a pre-defined set of
> user accounts which it is shipped with. If I do not enforce any uid range,
> the name resolution may accidentally hit one of the local users (if those
> conflict with the names defined in NIS). If I do enforce a range (so that
> I reserve the range for the local users) this range may conflict with the
> range already in use in the customer's NIS, and may prevent some accounts
> from being mapped correctly (unless the user UID is changed, which is not a
> simple procedure).

That seems like a reasonable concern for an appliance. 

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
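The mapping behaviour the thread describes (strip the domain part, resolve the bare name through NSS, and, as Nimrod proposes, reject results outside the configured idmap range), as an added illustration that is not Samba's idmap_nss code. It assumes a backslash domain separator and uses a small constructed passwd table in place of the real getpwnam() lookup so it runs offline; the range check stands in for idmap_unix_id_is_in_range().

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/* Constructed stand-in for what NSS (local files plus NIS) would return. */
struct fake_pw { const char *name; uid_t uid; };
static const struct fake_pw nss_table[] = {
    { "root",   0     },   /* local account shipped with the appliance */
    { "admin",  500   },   /* local account shipped with the appliance */
    { "myUser", 15001 },   /* account expected to come from NIS/ldap */
};

/* Stand-in for getpwnam(): 0 and *uid filled on success, -1 if unknown. */
static int nss_lookup_uid(const char *name, uid_t *uid)
{
    for (size_t i = 0; i < sizeof(nss_table) / sizeof(nss_table[0]); i++) {
        if (strcmp(nss_table[i].name, name) == 0) { *uid = nss_table[i].uid; return 0; }
    }
    return -1;
}

/* Same question idmap_unix_id_is_in_range() answers: is id within [low, high]? */
static int unix_id_is_in_range(uid_t id, uid_t low, uid_t high)
{
    return id >= low && id <= high;
}

/* Resolve "DOMAIN\user" (or a bare "user") to a UID the way the thread
 * describes idmap_nss doing it, then enforce the configured range.
 * Returns 0 on success, -ENOENT if NSS knows no such name, and -ERANGE if
 * the resolved UID falls outside the range reserved for the domain. */
int idmap_nss_name_to_uid(const char *name, uid_t low, uid_t high, uid_t *out)
{
    const char *user = strrchr(name, '\\');      /* assumed separator */
    user = user ? user + 1 : name;               /* drop the domain part */
    uid_t uid;
    if (nss_lookup_uid(user, &uid) != 0) return -ENOENT;
    if (!unix_id_is_in_range(uid, low, high)) return -ERANGE;
    *out = uid;
    return 0;
}

int main(void)
{
    uid_t uid;
    int rc = idmap_nss_name_to_uid("EXAMPLE\\root", 10000, 20000, &uid);
    printf("EXAMPLE\\root with range 10000-20000 -> rc=%d (ERANGE=%d)\n", rc, -ERANGE);
    rc = idmap_nss_name_to_uid("EXAMPLE\\myUser", 10000, 20000, &uid);
    printf("EXAMPLE\\myUser -> rc=%d uid=%u\n", rc, (unsigned)uid);
    return 0;
}
```

Without the range check the first call would hand back UID 0, which is exactly the collision with shipped local accounts the thread is worried about.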
