[Samba] Re: samaba winwind

Chavez, James R. james.chavez at sanmina-sci.com
Sun Sep 14 03:48:05 GMT 2008


Michael, Andreas, and list,
Quick questions for clarity please. Using Winbind and having the uid and gid consistent across all linux and Solaris servers is something I have struggled with. So is it fair to say that without SFU, or extending schema with RFC2307, or using Windows 2003R2 and manually populating these Active Directory user objects with Unix attributes, you cannot manually specify which Unix uid is mapped to a Windows ID?

I ask this because in certain locations where I work we have existing Unix infrastructures based on NIS. Therefore all access to data is based upon these NIS uid and gid permissions in these environments. The Windows group has been pushing Linux out in these locations and in some cases, insisting they be joined to Active Directory, and authenticate local and SSH logins with Winbind. My issue with this is that the existing resources that the staff accesses have permissions based on NIS permissions. So when logging in with Active Directory credentials, these AD users are dynamically allocated a Unix uid by Winbind that no longer has access to established resources based on the NIS permissions.

What I have done in certain areas is migrated all uid, gid, and host information from NIS into an OpenLDAP directory. Then use Kerberos (AD creds) to authenticate, then map the Kerberos name to the 8 character Unix name in LDAP using PADL's nss_ldap. I could just create the LDAP usernames the same as the Kerberos names but wanted to keep with the 8 character scheme; I think AIX still has this limitation. This seems to work, but if I can use Winbind to statically map existing Unix uids to Windows IDs that would be less work.

Is there in fact a way to use Winbind and use the NIS uid and gid info that already exists? From what I have read so far all Winbind uid generation is dynamic. Please correct me if I am wrong.

Thanks 
James

-----Original Message-----
From: samba-bounces+james.chavez=sanmina-sci.com at lists.samba.org [mailto:samba-bounces+james.chavez=sanmina-sci.com at lists.samba.org] On Behalf Of Michael Adam
Sent: Friday, September 12, 2008 2:19 AM
To: Andreas Ladanyi
Cc: samba at lists.samba.org
Subject: Re: [Samba] Re: samaba winwind

Hi,

Andreas Ladanyi wrote:
> vishesh schrieb:
> >Dear all,
> >I am running samba 3.0.28 on two servers and using winbind to get 
> >Active Directory users and groups. The problem I am facing is that the 
> >uid assigned for the same user is different on the samba servers.
> 
> The uid saved in the Active Directory is different from the winbind 
> Linux side ?

No, the problem is that the uids on the two samba servers are different for the same user. This is because you are using (the default of) "idmap backend = tdb". This assigns increasing uids (per server) to users in the order they access the server.

If you need the same user ids, you have (at least) the following two options:

1. Use "idmap backend = rid". Then a user gets the
   uid built as LOW_RANGE_UID + RID.
   Here LOW_RANGE_UID is the lower bound of the range
   "idmap uid = LOW_RANGE_UID - HIGH_RANGE_UID"
   and RID is the "relative identifier": the user SID
   is built as follows: DOMAIN_SID-RID, i.e. the rid
   is the last block of digits of the user's sid, hence
   is unique inside one domain, and users will get the
   same uid on all samba servers using "idmap backend = rid".
   See the man page idmap_rid(8).

2. Use "idmap backend = ad":
   When you install the SFU (Services For Unix) schema
   extensions, then you can set unix attributes for users
   and groups in Active Directory, and the same uid is
   obtained for users on all samba servers using this backend.
  
Hope this helps,

Michael

--
Michael Adam <ma at sernet.de>  <obnox at samba.org> SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
phone: +49-551-370000-0, fax: +49-551-370000-9 AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen http://www.SerNet.DE, mailto: Info @ SerNet.DE
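The uid arithmetic Michael describes, as an added worked example that is not part of the thread and not Samba's own idmap code: it models the per-server, login-order allocation of "idmap backend = tdb" next to the deterministic LOW_RANGE_UID + RID rule of "idmap backend = rid", including the case where LOW + RID falls outside the configured "idmap uid" range. The SIDs, the range "10000 - 20000" and the login orders are constructed sample values.

```python
import re

# Constructed sample configuration (not from the thread): the
# "idmap uid = LOW - HIGH" range Michael refers to in smb.conf.
IDMAP_UID_RANGE = "10000 - 20000"
DOMAIN_SID = "S-1-5-21-1-2-3"          # constructed domain SID
ALICE = DOMAIN_SID + "-1105"           # constructed user SIDs (RID 1105, 1106)
BOB = DOMAIN_SID + "-1106"

SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$")

def parse_range(value):
    """Turn 'LOW - HIGH' into (low, high); reject an inverted range."""
    low, high = (int(x) for x in value.replace(" ", "").split("-"))
    if low > high:
        raise ValueError("idmap uid: low bound exceeds high bound")
    return low, high

def split_sid(sid):
    """Split a SID into (DOMAIN_SID, RID): the RID is the last digit block."""
    if not SID_RE.match(sid):
        raise ValueError("not a SID: %r" % sid)
    domain, rid = sid.rsplit("-", 1)
    return domain, int(rid)

def rid_backend_uid(sid, uid_range=IDMAP_UID_RANGE, domain_sid=DOMAIN_SID):
    """uid derived by 'idmap backend = rid': LOW_RANGE_UID + RID.
    Returns None when the SID is from another domain (the RID alone is
    not unique then) or when LOW + RID lies outside the configured range,
    i.e. winbind would have no mapping for that user."""
    low, high = parse_range(uid_range)
    domain, rid = split_sid(sid)
    if domain != domain_sid:
        return None
    uid = low + rid
    return uid if low <= uid <= high else None

def tdb_backend_uids(login_order, uid_range=IDMAP_UID_RANGE):
    """Model of 'idmap backend = tdb': each server hands out LOW, LOW+1, ...
    in the order users first access it, so the uid depends on that order."""
    low, high = parse_range(uid_range)
    mapping = {}
    for sid in login_order:
        if sid not in mapping:
            mapping[sid] = low + len(mapping)
            if mapping[sid] > high:
                raise RuntimeError("idmap uid range exhausted")
    return mapping

if __name__ == "__main__":
    # Two servers, users arriving in opposite order: tdb disagrees, rid agrees.
    print(tdb_backend_uids([ALICE, BOB]), tdb_backend_uids([BOB, ALICE]))
    print(rid_backend_uid(ALICE), rid_backend_uid(BOB))
```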


