[Samba] Re: samaba winwind

Andreas Ladanyi knuffiandy at web.de
Mon Sep 15 20:02:57 GMT 2008


Chavez, James R. schrieb:
> Michael, Andreas, and list,
> Quick questions for clarity please. Using Winbind and having the uid and gid consistent across all linux and Solaris servers is something I have struggled with. So is it fair to say that without SFU, or extending schema with RFC2307, or using Windows 2003R2 and manually populating these Active Directory user objects with Unix attributes, you cannot manually specify which Unix uid is mapped to a Windows ID?

You can use OpenLDAP, for example, instead of SFU or the RFC2307 extension :-)

But: Yes, this is at least my experience.

There is a "net groupmap" command which will write to the tdb database 
backend, but I never used this and don't know if this command is 
relevant in this context. I remember this command is (only) used when 
setting up a Samba domain controller to map the builtin Windows groups 
512, 513, 514. There is no "net usermap" command, though.

> 
> I ask this because in certain locations where I work we have existing Unix infrastructures based on NIS. Therefore all access to data is based upon these NIS uid and gid permissions in these environments. The Windows group has been pushing Linux out in these locations and in some cases, insisting they be joined to Active Directory, and authenticate local and SSH logins with Winbind. My issue with this is that the existing resources that the staff accesses have permissions based on NIS permissions. So when logging in with Active Directory credentials, these AD users are dynamically allocated a Unix uid by Winbind that no longer has access to established resources based on the NIS permissions. 
> 
> What I have done in certain areas is migrate all uid, gid, and host information from NIS into an OpenLDAP directory. Then use Kerberos (AD creds) to authenticate, then map the Kerberos name to the 8 character Unix name in LDAP using PADL's nss_ldap. I could just create the LDAP usernames the same as the Kerberos names but wanted to keep with the 8 character scheme; I think AIX still has this limitation. This seems to work, but if I can use Winbind to statically map existing Unix uids to Windows IDs that would be less work.
> 
> Is there in fact a way to use Winbind and use the NIS uid and gid info that already exists? From what I have read so far all Winbind uid generation is dynamic. Please correct me if I am wrong.

We had the same constellation in our institute and we put all uids/gids 
from NIS into Active Directory "by hand", bit by bit. About 200 users.

I don't know a way to use NIS AND winbind at the same time, so that the 
Active Directory system reads information from NIS and puts it 
together with the Windows AD information, without migrating the uids/gids.

I hope a Samba developer can answer this question positively :-)

Bye,
Andy

> 
> Thanks 
> James
> 
> -----Original Message-----
> From: samba-bounces+james.chavez=sanmina-sci.com at lists.samba.org [mailto:samba-bounces+james.chavez=sanmina-sci.com at lists.samba.org] On Behalf Of Michael Adam
> Sent: Friday, September 12, 2008 2:19 AM
> To: Andreas Ladanyi
> Cc: samba at lists.samba.org
> Subject: Re: [Samba] Re: samaba winwind
> 
> Hi,
> 
> Andreas Ladanyi wrote:
>> vishesh schrieb:
>>> dear all
>>> I am running Samba 3.0.28 on two servers and using winbind to get 
>>> Active Directory users and groups. The problem I am facing is that the 
>>> uid assigned for the same user is different on the Samba servers.
>> The uid saved in the Active Directory is different from the winbind 
>> Linux side ?
> 
> No, the problem is that the uids on the two samba servers are different for the same user. This is because you are using (the default of) "idmap backend = tdb". This assigns increasing uids (per server) to users in the order they access the server.
> 
> If you need the same user ids, you have (at least) the following two options:
> 
> 1. Use "idmap backend = rid". Then a user gets the
>    uid built as LOW_RANGE_UID + RID.
>    Here LOW_RANGE_UID is the lower bound of the range
>    "idmap uid = LOW_RANGE_UID - HIGH_RANGE_UID"
>    and RID is the "relative identifier": the user SID
>    is built as follows: DOMAIN_SID-RID, i.e. the rid
>    is the last block of digits of the user's sid, hence
>    is unique inside one domain, and users will get the
>    same uid on all samba servers using "idmap backend = rid".
>    See the man page idmap_rid(8).
> 
> 2. Use "idmap backend = ad":
>    When you install the SFU (Services For Unix) schema
>    extensions, then you can set unix attributes for users
>    and groups in Active Directory, and the same uid is
>    obtained for users on all samba servers using this backend.
>   
> Hope this helps,
> 
> Michael
> 
> --
> Michael Adam <ma at sernet.de>  <obnox at samba.org> SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
> phone: +49-551-370000-0, fax: +49-551-370000-9 AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen http://www.SerNet.DE, mailto: Info @ SerNet.DE
> 
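The following is an added example, not code from the thread or from Samba itself. It models the two behaviours Michael describes: the default "idmap backend = tdb", which hands out the next free uid per server in the order users first connect, and "idmap backend = rid", which derives uid = LOW_RANGE_UID + RID from the SID's last component. The domain SID, the user RIDs, the "idmap uid" range and the per-server access orders are constructed values; the TdbIdmap class is a deliberately simplified stand-in for winbindd's tdb allocator (it ignores groups, persistence and the real tdb file layout).

```python
import re

# A domain user/group SID is DOMAIN_SID-RID, with the RID as the last block.
# Constructed matcher for S-1-5-21-<a>-<b>-<c>-<rid> SIDs; not Samba's own parser.
_DOMAIN_SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+-(\d+)$")


def rid_from_sid(sid):
    """Return the RID (last sub-authority) of a domain SID, or raise ValueError."""
    match = _DOMAIN_SID_RE.match(sid)
    if match is None:
        raise ValueError("not a domain SID: %r" % sid)
    return int(match.group(1))


def rid_backend_uid(sid, low, high):
    """Deterministic mapping of 'idmap backend = rid': uid = LOW_RANGE_UID + RID.
    The result must stay inside 'idmap uid = low - high', otherwise the
    SID cannot be mapped by this backend at all."""
    uid = low + rid_from_sid(sid)
    if not low <= uid <= high:
        raise ValueError("uid %d for %s is outside idmap range %d-%d"
                         % (uid, sid, low, high))
    return uid


class TdbIdmap:
    """Simplified model of 'idmap backend = tdb': the first time a server sees
    a SID it allocates the next free uid from its range and remembers it.
    Because every server keeps its own table, the uid depends on access order."""

    def __init__(self, low, high):
        self.low, self.high = low, high
        self.next_uid = low
        self.table = {}

    def uid_for(self, sid):
        if sid not in self.table:
            if self.next_uid > self.high:
                raise RuntimeError("idmap range exhausted on this server")
            self.table[sid] = self.next_uid
            self.next_uid += 1
        return self.table[sid]


def compare_backends(access_orders, low=10000, high=20000):
    """access_orders: one list per Samba server giving the order in which
    users first connected there. Returns, per SID, the uid each server's tdb
    backend would assign and the single uid the rid backend would assign."""
    all_sids = sorted({sid for order in access_orders for sid in order})
    result = {sid: {"tdb": [None] * len(access_orders),
                    "rid": rid_backend_uid(sid, low, high)}
              for sid in all_sids}
    for server_idx, order in enumerate(access_orders):
        server = TdbIdmap(low, high)
        for sid in order:
            result[sid]["tdb"][server_idx] = server.uid_for(sid)
    return result


def tdb_uids_consistent(mapping):
    """True only if every SID got the same tdb uid on every server."""
    return all(len(set(entry["tdb"])) == 1 for entry in mapping.values())


# Constructed sample domain and three users (RIDs 1105-1107); not real values.
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"
ALICE, BOB, CAROL = (DOMAIN_SID + "-%d" % rid for rid in (1105, 1106, 1107))

# Server 1 saw alice, bob, carol in that order; server 2 saw carol first.
SERVER_ORDERS = [[ALICE, BOB, CAROL], [CAROL, ALICE, BOB]]

if __name__ == "__main__":
    mapping = compare_backends(SERVER_ORDERS)
    for sid, entry in mapping.items():
        print("%s  tdb per server: %s  rid backend: %d"
              % (sid, entry["tdb"], entry["rid"]))
    print("tdb uids consistent across servers:", tdb_uids_consistent(mapping))
```

Running it shows carol as uid 10002 on the first server but 10000 on the second under tdb, while the rid backend gives her 11107 everywhere; that is the divergence vishesh saw and the reason Michael recommends rid or ad. The range check in rid_backend_uid is the practical caveat: with "idmap uid = 10000-20000", any RID above 10000 simply cannot be mapped, so size the range to the domain before switching backends.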


