[Samba] Samba-Guide chapter 10

Dr. Matthias Schlett (987) m.schlett at fz-rossendorf.de
Tue Mar 29 16:56:06 GMT 2005

Hi John T. et al.,
here is my comment about the Samba-Guide chapter 10.
In my opinion this chapter is a good place to explain the nature of Samba:
joining the unix and the windows world by mapping.
In most of the cases discussed on this list a unix server is used only as a container
for the windows world. The Samba team tries to smooth the differences between unix and
windows and to put windows functionality into unix. For me everything is merged into one big cloud.
As an administrator I want to look behind the scenes and to understand the different cases
which Samba, as all-purpose software, can serve.
We don't use Samba as a general tool for everything. For the user and group management we have
an external Oracle database. From this database we feed a mixed mode AD for the windows world
and an LDAP for the unix world, using nss_ldap there.
A windows username = DOMAIN\unixusername and some windows groupname = DOMAIN\unixgroupname;
some windows groupnames differ from unix groupnames. Both group membership trees are identical
(LDAP supports nested unix groups). The password entries for unix and windows are managed by
the external database.
On our NFS and CIFS fileserver both worlds get in touch with the help of winbind:
the idmap backend on an LDAP server is also fed by our database; winbind only has to
read the mappings. We don't use winbind for name resolution or automatic creation of uid/gid.

In chapter 10 there are some common phrases about the winbind role, but in my opinion
we need a more detailed explanation of how it manages the mapping in different cases.
More generally, I would like to have a chapter from the mapping viewpoint.
For my particular case I had to read many different places in the documentation
(and I have been reading it for the third month) to find a working configuration (which I'll send to the
list if you would like), but there are still some open questions:

- Must the idmap be a one-to-one mapping, or can several SIDs point to one uid/gid?
  Or is the username map the only tool in this case (and what about a groupname map)?
- Why does the user mapping mechanism differ from the group mapping mechanism?
- How is a windows group membership mapped automatically to a unix membership
  (we do it via the external database)?
- How are the 14 different windows security attributes mapped into the POSIX ACLs, and
  how are the POSIX ACLs displayed in windows?

I hope this email is not too confusing, but I tried to be short.
