id mapping, rfc2307 and real customer environments
Simo
simo at samba.org
Wed May 18 13:06:06 UTC 2016
On Tue, 2016-05-17 at 15:06 -0700, Richard Sharpe wrote:
> Hi folks,
>
> We have a customer environment where all the UNIX users are isolated
> in a special domain, let's call it UNIX.EXAMPLE.COM. They also have
> their Windows users scattered around domains like COAL.EXAMPLE.COM and
> GAS.EXAMPLE.COM. Those users who have both UNIX and Windows accounts
> have their RFC2307 attributes in UNIX.EXAMPLE.COM and attributes on
> their account in their home domain that point to their account in
> UNIX.EXAMPLE.COM.
Whoever did this configuration should be given a prize in the "keeping
job security" category :-)
> Sigh.
>
> This means that during id mapping we would have to extract the
> attribute that points to their UNIX.EXAMPLE.COM account from their
> home domain, then lookup the uidNumber and whatever for that account
> in the UNIX.EXAMPLE.COM account.
>
> Even worse, users who do not have UNIX accounts do not have an entry
> in UNIX.EXAMPLE.COM.
>
> It would seem that the rfc2307 id mapping module is not going to be
> able to deal with such a setup.
>
> Are there any alternatives or do we have to write our own id mapping
> module?
It's a good guess you'd have to.
> Can sssd work for this? Does it integrate well enough with Samba as a
> member server?
SSSD does not have code to look up one bit of info in one entry and
another in a completely different entry for the same user. We can do ID
overrides when SSSD is part of a FreeIPA domain that trusts Active
Directory domains, but then the overrides must be in FreeIPA.
SSSD works OK with Samba servers, but we are not there 100% for all use
cases; for example, SSSD does not support NTLM auth, which has to be
provided by Winbind.
Simo.
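The two-hop lookup Richard describes (read the pointer on the home-domain account, then fetch uidNumber and friends from UNIX.EXAMPLE.COM), as an added example that is not Samba, SSSD or the customer's code; the pointer attribute name `unixAccountDN`, the UNIX base DN, the id range and the directory contents are constructed assumptions, and the example also covers the failure cases (no UNIX account, dangling pointer, pointer outside the UNIX domain):

```python
"""Two-hop id mapping for the setup described in the thread. Added example,
not Samba or SSSD code: 'unixAccountDN', UNIX_BASE, ID_RANGE and the
directory contents below are constructed assumptions."""
from dataclasses import dataclass
from typing import Optional

UNIX_BASE = "dc=unix,dc=example,dc=com"   # assumed base DN of UNIX.EXAMPLE.COM
ID_RANGE = (10000, 99999)                 # assumed idmap range to enforce

# Constructed stand-ins for the directories; attribute values are lists, the
# shape python-ldap returns. 'unixAccountDN' is a hypothetical attribute name.
HOME_DOMAINS = {
    "alice": {"unixAccountDN": ["CN=alice,CN=Users,DC=unix,DC=example,DC=com"]},
    "bob": {},                                                 # Windows-only user
    "carol": {"unixAccountDN": ["CN=carol,DC=unix,DC=example,DC=com"]},  # dangling
    "dave": {"unixAccountDN": ["CN=svc,DC=coal,DC=example,DC=com"]},     # wrong domain
}
UNIX_DOMAIN = {
    "cn=alice,cn=users,dc=unix,dc=example,dc=com": {
        "uidNumber": ["10001"], "gidNumber": ["10001"],
        "unixHomeDirectory": ["/home/alice"]},
}

@dataclass
class UnixIdentity:
    uid: int
    gid: int
    home: str

def resolve(sam: str, home_lookup, unix_lookup) -> Optional[UnixIdentity]:
    """Return the RFC2307 identity for sAMAccountName `sam`, or None when the
    user cannot be mapped (no UNIX account, broken pointer, id out of range)."""
    entry = home_lookup(sam)
    if not entry or "unixAccountDN" not in entry:
        return None                     # hop 1: no pointer, so no UNIX account
    target = entry["unixAccountDN"][0].lower()
    if not target.endswith("," + UNIX_BASE):
        return None                     # only follow pointers into UNIX.EXAMPLE.COM
    unix = unix_lookup(target)
    if not unix or "uidNumber" not in unix or "gidNumber" not in unix:
        return None                     # hop 2: dangling pointer or incomplete entry
    try:
        uid, gid = int(unix["uidNumber"][0]), int(unix["gidNumber"][0])
    except ValueError:
        return None                     # non-numeric id attribute
    if not all(ID_RANGE[0] <= x <= ID_RANGE[1] for x in (uid, gid)):
        return None                     # outside the configured idmap range
    return UnixIdentity(uid, gid, unix.get("unixHomeDirectory", [""])[0])

def resolve_mock(sam: str) -> Optional[UnixIdentity]:
    """Run the resolver against the constructed directories above."""
    return resolve(sam, HOME_DOMAINS.get, UNIX_DOMAIN.get)
```

Against a live directory the two lookup callables would be LDAP searches (bound with separate credentials per domain); a None result is where winbind would have to fall back to another idmap backend or refuse the mapping.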