[Samba] Winbind IDMAP question.

Chavez, James R. james.chavez at sanmina-sci.com
Sat Aug 9 20:56:36 GMT 2008

Thanks for the reply. 
I am using pam_winbind with my Active Directory or Kerberos credentials
to login. 
I have an existing UNIX (NIS) infrastructure. We are being forced to
join our Linux boxes to AD. 
This creates a problem with unix permissions when logging into the
machines with AD credemtials since the UID is dynamically assigned from
Winbind and not valid against existing Unix permissions. 

Example: joe_montana at REALM, which translates to DOMAIN\joe_montana. The
desired UNIX user id is jmontana.

The username map does not work in the case of logging into the box, but
does work correctly when accessing shares on the box. I am sure this is
the expected behavior of the username map. I have always used the
username map for accessing shares and not logging in.

What I want to know is in the case of logging into the box via ssh or
telnet or locally, can I control the Unix UID that Winbind assigns? Can
Winbind be configured to map my DOMAIN\jmontana AD credentials to a
local UNIX or NIS user jmontana instead of the dynamic UID? This would
alleviate the issue with permissions when logged into the box. My
reading led me to believe that using idmap_ldap made this possible but I
am unsure. Please point me in the right direction. Again I appreciate
the reply.   

Thank You
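
An added audit script, not from the thread or from Samba itself, that models the mismatch described above: it reads an smb.conf-style username map and `getent passwd` output (both constructed sample data here) and reports each mapped AD account whose winbind-assigned UID differs from the UID of the existing NIS/UNIX user. The `DOMAIN\user` login form, the uid values and the jsmith/john_smith pair are assumptions for illustration.

```python
# Constructed sample username map (not from the thread), in the smb.conf
# "username map" file format: "unixname = DOMAIN\winname".
USERNAME_MAP = r"""# unix user = AD user
jmontana = DOMAIN\joe_montana
jsmith = DOMAIN\john_smith
"""

# Constructed "getent passwd" output as seen with both NIS and winbind in
# nsswitch.conf: NIS entries carry the established UNIX uids, winbind entries
# carry uids allocated dynamically from the idmap range (john_smith shows the
# desired state, where winbind hands out the same uid as NIS).
GETENT_PASSWD = """\
jmontana:x:1234:100:Joe Montana:/home/jmontana:/bin/bash
jsmith:x:1235:100:John Smith:/home/jsmith:/bin/bash
DOMAIN\\joe_montana:*:10001:10000:Joe Montana:/home/DOMAIN/joe_montana:/bin/bash
DOMAIN\\john_smith:*:1235:10000:John Smith:/home/DOMAIN/john_smith:/bin/bash
"""

def parse_username_map(text: str) -> dict[str, str]:
    """Return {ad_name: unix_name} from simple 'unix = DOMAIN\\win' lines, skipping comments."""
    mapping = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" not in line:
            continue
        unix_name, ad_name = (part.strip() for part in line.split("=", 1))
        mapping[ad_name] = unix_name
    return mapping

def parse_passwd(text: str) -> dict[str, int]:
    """Return {login: uid} from passwd-format lines."""
    uids = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) >= 3:
            uids[fields[0]] = int(fields[2])
    return uids

def find_uid_mismatches(username_map: str, passwd: str) -> list[tuple[str, str, int, int]]:
    """List (ad_name, unix_name, winbind_uid, unix_uid) for every mapped AD
    account whose winbind uid differs from the existing UNIX account's uid,
    i.e. logins via pam_winbind that will not own that user's existing files."""
    ad_to_unix = parse_username_map(username_map)
    uids = parse_passwd(passwd)
    return [(ad, ux, uids[ad], uids[ux]) for ad, ux in ad_to_unix.items()
            if ad in uids and ux in uids and uids[ad] != uids[ux]]

if __name__ == "__main__":
    for ad, ux, wb_uid, ux_uid in find_uid_mismatches(USERNAME_MAP, GETENT_PASSWD):
        print(f"{ad}: winbind uid {wb_uid} != {ux} uid {ux_uid}")
```

Run it against real `getent passwd` output and the host's username map file to see which AD logins would land on a UID that does not match the existing NIS account.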

-----Original Message-----
From: Gerald (Jerry) Carter [mailto:jerry at samba.org] 
Sent: Friday, August 08, 2008 4:46 AM
To: Chavez, James R.
Cc: samba at lists.samba.org
Subject: Re: [Samba] Winbind IDMAP question.

Chavez, James R. wrote:
> Hello all,
> I have joined my linux boxes to AD and can authenticate using Active 
> Directory usernames and passwords using Winbind.
> I want to authenticate to AD but have that user mapped to a local Unix
> or NIS ID otherwise the AD authentication is useless and only hinders 
> with file permissions and such.

Are you asking about local login via pam_winbind?  or just via smbd?
If the latter, then the username map should solve it.  If the former,
then I could probably do this in likewise-open using the name alias
support and some NSS ordering tricks.

PS: The same patches are pending for upstream Samba.  I just keep
getting distracted every time I try to prepare them to push.

cheers, jerry
--
Samba                                    ------- http://www.samba.org
Likewise Software          ---------  http://www.likewisesoftware.com
"What man is a man who does not make the world better?"      --Balian