id mapping, rfc2307 and real customer environments

Volker Lendecke Volker.Lendecke at SerNet.DE
Wed May 18 05:24:18 UTC 2016


On Tue, May 17, 2016 at 03:06:27PM -0700, Richard Sharpe wrote:
> We have a customer environment where all the UNIX users are isolated
> in a special domain, let's call it UNIX.EXAMPLE.COM. They also have
> their Windows users scattered around domains like COAL.EXAMPLE.COM and
> GAS.EXAMPLE.COM. Those users who have both UNIX and Windows accounts
> have their RFC2307 attributes in UNIX.EXAMPLE.COM and attributes on
> their account in their home domain that points to their account in the
> UNIX.EXAMPLE.COM.
> 
> Sigh.
> 
> This means that during id mapping we would have to extract the
> attribute that points to their UNIX.EXAMPLE.COM account from their
> home domain, then lookup the uidNumber and whatever for that account
> in the UNIX.EXAMPLE.COM account.
> 
> Even worse, users who do not have UNIX accounts do not have an entry
> in UNIX.EXAMPLE.COM.
> 
> It would seem that the rfc2307 id mapping module is not going to be
> able to deal with such a setup.

Correct. For the real unix-only users it *looks* as if it should work
with the AD or rfc2307 modules. For the other users, with the special
attributes pointing the mixed users at unix.example.com it looks like
you need the idmap script backend using ldapsearch as the solution of
last resort. The problem there are the windows-only users I guess. You
might want to ask for a special range for them in your script and use
a rid-backend like scheme to invent unix ids.

> Are there any alternatives or do we have to write our own id mapping module?

Well, idmap script is always there. Recently I've significantly tuned it
by parallelizing the calls for large tokens. Together with a long idmap
cache time it should be pretty usable. In particular, the negative cache
time is just two minutes by default; you might want to extend it.

> Can sssd work for this? Does it integrate well enough with Samba as a
> member server?

Recently I've taken a closer look at sssd, but I did not find out yet how
to really properly integrate those two in more complex environments. You
should open a call with RedHat for deeper questions about this I guess.

Volker

-- 
SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
phone: +49-551-370000-0, fax: +49-551-370000-9
AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen
http://www.sernet.de, mailto:kontakt at sernet.de
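An added illustration, not part of Volker's reply and not Samba's own code: a Python stand-in for the idmap script backend he points to, written for the layout Richard describes. It follows the argv/stdout convention documented for Samba's idmap_script backend (SIDTOID / IDTOSID in, UID: / GID: / SID: / ERR: out). The two ldapsearch calls are replaced by constructed in-memory tables, the home-domain pointer attribute is named unixAccount purely as an assumption, and the domain SIDs and reserved ranges are invented. Mixed users are resolved by following the pointer into UNIX.EXAMPLE.COM, Windows-only users get base+RID from a reserved per-domain range in the rid-backend style, and anything unresolvable is reported as ERR: so that it lands only in the negative cache.

```python
#!/usr/bin/env python3
"""Example idmap script for a split UNIX / Windows domain layout (added example).

Request/response shape as documented for Samba's idmap_script backend:
  argv: SIDTOID <sid>            -> prints UID:<n> | GID:<n> | ERR:<msg>
        IDTOSID UID|GID <n>      -> prints SID:<sid> | ERR:<msg>
"""
import re
import sys

# Constructed stand-in for the home-domain ldapsearch result (COAL / GAS).
# The pointer attribute name "unixAccount" is an ASSUMPTION for whatever
# attribute the customer uses to reference the UNIX.EXAMPLE.COM entry.
HOME_DOMAIN = {
    "S-1-5-21-1111-2222-3333-1105": {"kind": "user",
        "unixAccount": "uid=alice,ou=people,dc=unix,dc=example,dc=com"},
    "S-1-5-21-1111-2222-3333-1106": {"kind": "user", "unixAccount": None},  # Windows-only
    "S-1-5-21-4444-5555-6666-1201": {"kind": "group",
        "unixAccount": "cn=eng,ou=groups,dc=unix,dc=example,dc=com"},
}
# Constructed stand-in for the UNIX.EXAMPLE.COM RFC2307 entries: DN -> attributes.
UNIX_DOMAIN = {
    "uid=alice,ou=people,dc=unix,dc=example,dc=com": {"uidNumber": 10001},
    "cn=eng,ou=groups,dc=unix,dc=example,dc=com": {"gidNumber": 20001},
}
# Windows-only principals: one reserved range per domain, id = base + RID.
# Ranges must not overlap each other or the RFC2307 ids (invented values).
RID_RANGES = {
    "S-1-5-21-1111-2222-3333": (2000000, 2999999),  # COAL.EXAMPLE.COM (constructed SID)
    "S-1-5-21-4444-5555-6666": (3000000, 3999999),  # GAS.EXAMPLE.COM  (constructed SID)
}
SID_RE = re.compile(r"^(S-1-5-21-\d+-\d+-\d+)-(\d+)$")


def split_sid(sid):
    """Return (domain SID, RID) or (None, None) for anything that is not a domain SID."""
    m = SID_RE.match(sid)
    return (m.group(1), int(m.group(2))) if m else (None, None)


def sid_to_id(sid):
    domain, rid = split_sid(sid)
    if domain is None or domain not in RID_RANGES:
        return "ERR:unknown domain in %s" % sid
    obj = HOME_DOMAIN.get(sid)
    if obj is None:
        return "ERR:%s not found in home domain" % sid
    is_user = obj["kind"] == "user"
    key, prefix = ("uidNumber", "UID:") if is_user else ("gidNumber", "GID:")
    dn = obj["unixAccount"]
    if dn is not None:
        # Mixed account: follow the pointer into UNIX.EXAMPLE.COM.
        entry = UNIX_DOMAIN.get(dn)
        if entry is None or key not in entry:
            return "ERR:dangling pointer %s" % dn  # negative result, never a guessed id
        return prefix + str(entry[key])
    # Windows-only account: rid-backend style id from the domain's reserved range.
    base, top = RID_RANGES[domain]
    unix_id = base + rid
    if unix_id > top:
        return "ERR:RID %d exceeds reserved range for %s" % (rid, domain)
    return prefix + str(unix_id)


def id_to_sid(kind, unix_id):
    key = "uidNumber" if kind == "UID" else "gidNumber"
    # First the RFC2307 side, then back through the pointer to the home domain.
    for dn, entry in UNIX_DOMAIN.items():
        if entry.get(key) == unix_id:
            for sid, obj in HOME_DOMAIN.items():
                if obj["unixAccount"] == dn:
                    return "SID:" + sid
            return "ERR:%s has no home-domain account" % dn
    # Then the reserved ranges; only admit ids that belong to a real Windows-only object.
    want = "user" if kind == "UID" else "group"
    for domain, (base, top) in RID_RANGES.items():
        if base <= unix_id <= top:
            sid = "%s-%d" % (domain, unix_id - base)
            obj = HOME_DOMAIN.get(sid)
            if obj is not None and obj["kind"] == want and obj["unixAccount"] is None:
                return "SID:" + sid
            return "ERR:%s %d lies in a reserved range but matches no object" % (kind, unix_id)
    return "ERR:%s %d is not mapped" % (kind, unix_id)


def handle(argv):
    """Dispatch one idmap_script request given as the argv list (without argv[0])."""
    if len(argv) == 2 and argv[0] == "SIDTOID":
        return sid_to_id(argv[1])
    if (len(argv) == 3 and argv[0] == "IDTOSID"
            and argv[1] in ("UID", "GID") and argv[2].isdigit()):
        return id_to_sid(argv[1], int(argv[2]))
    return "ERR:bad request %r" % (argv,)


if __name__ == "__main__":
    print(handle(sys.argv[1:]))
```

In production the two table lookups become the ldapsearch calls against the home domain and UNIX.EXAMPLE.COM, and the reserved ranges also have to be covered by the range configured for the script backend. The reverse direction deliberately refuses a number inside a reserved range unless a Windows-only object of the requested type exists for it, so a stale or mistyped id does not silently turn into a valid SID.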
