[Samba] Re: winbind - not ready for prime time

Mon Feb 18 02:03:16 GMT 2008

Christian McHugh wrote:
> Guido Lorenzutti wrote:
>> Jeremy Allison wrote:
>>  
>>>
>>> If you have a specific issue, ask it. If you have a specific
>>> bug, report it. You did none of those things.
>>>     
>>
>> Im not a developer, Im a sysadmin and I been using samba for a lot of
>> years know.
>> When I read the post, I wasn't going to answear, 'coz I didn't feel
>> related to the subject.
>>
>> I think I have a little experience in Samba and Winbind. If you need
>> someone to write examples, docs, manpages, etc.. I don't have any
>> problem to fill the blanks. Just tell me where I should start.
>>
>>   
> 
> Well, in an attempt at raising the signal to noise ratio, I've
> personally had problems deciphering exactly how to use winbind with
> idmap_ad.
>  - In the smb.conf do I have an idmap decleration per domain, or is the
> example given in the man page "ALLDOMAINS" acceptable?
>  - (As mentioned in an unanswered mail to this list) How do I go about
> compiling the rfc2307 module, either statically or dynamiclly?
> 
> Once I get past the rfc2307 compile question, I think I'll have more
> questions. But since I don't have winbind running well in my environment
> (yet) I can bring those up later.

My 2 cents.  Open Source used to mean just that.  The source was public.
 Anyone can read it.  Howtos were generally created by users that wanted
to give back to the community, not usually developers.

My observation is non-developers frequently confuse documenting samba
with documenting MS windows (c).  As the recent EC decision indicates,
MS has been reluctant to document their product.  Don't blame the samba
team for the MS lack of transparency.

As far as compiling idmap_ad goes, look in the supplied configure script.

# Check whether --with-shared-modules or --without-shared-modules was given.
if test "${with_shared_modules+set}" = set; then
  withval="$with_shared_modules"
   if test $withval; then
        for i in `echo $withval | sed -e 's/,/ /g'`
        do
                        eval MODULE_$i=SHARED
        done
fi
fi;

Then grep the file "grep MODULE_idmap_ configure"

MODULE_idmap_tdb=STATIC
MODULE_idmap_passdb=STATIC
MODULE_idmap_nss=STATIC
        if test "$MODULE_idmap_ldap"; then
                DEST=$MODULE_idmap_ldap
        if test "$MODULE_idmap_tdb"; then
                DEST=$MODULE_idmap_tdb
        if test "$MODULE_idmap_passdb"; then
                DEST=$MODULE_idmap_passdb
        if test "$MODULE_idmap_nss"; then
                DEST=$MODULE_idmap_nss
        if test "$MODULE_idmap_rid"; then
                DEST=$MODULE_idmap_rid
        if test "$MODULE_idmap_ad"; then
                DEST=$MODULE_idmap_ad

There you have it.

--with-shared-modules=idmap_ldap,idmap_tdb,idmap_passdb,idmap_nss,idmap_rid,idmap_ad

Just pick the ones you want.  idmap_ad includes support for both SFU and
rfc2307.  I once tried to compile idmap_ad as a static module and core
dumpped.  Maybe it's changed but I don't think so.  If your OS has
issues with dynamic modules, you'll probably have to fix it yourself
either thru support with the OS vendor or modifying the samba code.

As far as rfc2307 support goes:

find .|grep idmap_ad
./nsswitch/.svn/prop-base/idmap_ad.c.svn-base
./nsswitch/.svn/props/idmap_ad.c.svn-work
./nsswitch/.svn/text-base/idmap_ad.c.svn-base
./nsswitch/idmap_ad.c

less nsswitch/idmap_ad.c

Second line:
/*
 *  idmap_ad: map between Active Directory and RFC 2307 or "Services for
Unix" (SFU) Accounts

There is a document "A new IDMAP subsystem" on the samba website that I
think is more illuminative than the manpages.

google idmap pdf site:www.samba.org

http://www.samba.org/~idra/samba3_newidmap.pdf

Regards, Doug