[Samba] Samba4, multi-domain Forest and Unix ID mapping

Trever L. Adams trever.adams at gmail.com
Fri Jun 13 18:59:47 GMT 2008

Charlie wrote:
> When you say "forest" are you referring to a user authentication
> database implementing multiple linked lists that do not share a common
> root?
First, thank you for responding. I must also say I have been out of 
Windows land for some time. I last really messed with Windows Networking 
around NT 4.0. By Forest, I mean:
"At the top of the structure is the Forest - the collection of every 
object, its attributes, and rules (attribute syntax) in the AD. The 
forest holds one or more transitive, trust-linked Trees. A tree holds 
one or more Domains and domain trees, again linked in a transitive trust 
hierarchy. Domains are identified by their DNS name structure, the 

So, I am looking for something like:
family1.example.com (uids=1000.1999, for example)
family2.example.com (uids=2000.2999)
family3.example.com (uids=3000.3999)
family4.example.com (uids=4000.4999)
family5.example.com (uids=5000.5999)
family6.example.com (uids=6000.6999)

Where each is a separate domain that trusts the other, and is within one 
forest/tree. Also, they must use something like idmap_ldap (or the 
equivalent) in Samba4 and that mapping must be valid and usable so that 
people in each domain can log in on boxes in the other domains as Linux 
and Windows users and share files and printers without uid collisions or 
other such problems. The only exception is root (uid=0) as each family 
may or may not want root to be shared. Again, I am using the family 
example as it fits even the business cases. I am hoping that Linux users 
can login doing something like windows (user at domain or domain\user).
> Samba 3 & 4 do indeed incorporate "idmapping" which works pretty much
> as you describe.  The command syntax has grown a lot recently and has
> not yet been fully documented, but I'd say it's quite powerful.  If
> you can get your interdomain trusts set up right I think you can do
> what you want, but it's probably going to be dependent on how well you
> can control access to your directory backend.
Well, I once read that, at least at one point, idmap didn't work in this 
setup. I was wondering if it has changed (as I can no longer find the 
reference). Also, yes, these will all be Samba based domains (Active 
Directory style). All clients will likely be Vista Business or Ultimate.
> You haven't specified what directory backend you are running...
> Microsoft AD?  Novell eDirectory?  OpenLDAP?  Sun?  IBM?  Fedora DS?
> There are lots...
> --Charlie
Well, Samba 4 so, if it has an internal (I think that has been 
abandoned, but not certain) then that, OpenLDAP or Fedora DS will be the 
backend. I am leaning toward Fedora DS, but I am not certain and will 
accept suggestions.

I hope this corrects and clarifies my question enough that I can get an 
accurate response.

This is a forward looking query and I am only interested in Samba 4 as 
it must be Active Directory and Windows server free.

Thank you,
Trever Adams
> On Wed, Jun 11, 2008 at 3:33 AM, Trever L. Adams <trever.adams at gmail.com> wrote:
>> Good day,
>> I wasn't sure whether this should go to the user list or the
>> samba-technical list. I chose here based on the descriptions of the list.
>> Forgive me if my understanding of the naming is inaccurate. It is my
>> understanding that Samba3 (and I believe 4, as well) has a very powerful
>> SID<->UID mapping mechanism which will auto create the UID in a range.
>> This is what I mean by Unix ID mapping.
>> I have read that this as of yet won't work in a forest, even if the
>> organization is only one organization. I am hoping this isn't true.
>> I am beginning to look at Samba4 for future implementations within
>> organizations I do work for. However, it appears I will need multiple
>> domain in one forest functionality. Is this implemented or at least planned?
>> If it is implemented/planned is it possible to do the automatic Unix ID
>> mapping per above? If it is all one domain, is it possible to do this if
>> all the domain controllers/active directory machines are Samba 4?
>> Basically, can each domain have its own UID mapping setup and they will
>> work in the forest IF, and ONLY IF, the UID mapping doesn't overlap? The
>> exact mechanism my questions may bring into mind may be bad.
>> Here is the situation, explained in the context of an extended family
>> network:
>> Each family has its own domain (Windows and DNS), policies, etc. Each
>> has its own file servers, mail domains (DNS), etc. Each may share file
>> and printers with other families. This needs to work in Windows and Linux.
>> However, here is the killer, root access to Linux machines is not shared
>> across domains. Nor should Windows system/net/domain admin abilities.
>> However, guests from other families (within the extended family) need to
>> be able to view the shared files as well as login (without
>> administrative privileges) on computers in the other domains (think
>> visiting family).
>> To do this, auto SID<->UID maps are a must. Domains within the forest
>> will start at 6 at least and grow from there. (This is example isn't far
>> from the kinds of things businesses and families ask me to do.)
>> Is all of this possible, planned, or just out there?
>> Thank you,
>> Trever Adams
>> P.S. Please, reply directly as well as to the list as I am not on the
>> list and only keep up from time to time.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 259 bytes
Desc: OpenPGP digital signature
Url : http://lists.samba.org/archive/samba/attachments/20080613/4f603e30/signature.bin

More information about the samba mailing list