[Samba] using winbind to map existing unix to AD users

Tom Lieuallen toml at engr.orst.edu
Tue Feb 24 18:30:52 GMT 2009


Christian McHugh wrote:
> On Tuesday 24 February 2009 09:23:57 Tom Lieuallen wrote:
>> It seems winbind is the solution for this, however it seems to want to
>> generate the uids rather than using getpwent to look that up.
> 
> There are a few different plugins winbind can use to perform the uid<->sid 
> mapping. By default samba uses the tdb mapper which, as you describe, will 
> generate uid maps on the fly. In my environment we have uid/gid info populated 
> in active directory so our samba server is able to use the idmap_ad or 
> idmap_adex modules to look up uid info from AD. Depending on your environment 
> you may be able to use the idmap_nss or idmap_ldap modules. See the idmap man 
> pages on http://us6.samba.org/samba/docs/man/manpages-3/
> 
> Christian McHugh
> Northern Arizona University

I looked at idmap_ldap and idmap_ad, but from the documentation, it 
seemed that those were just used by winbindd as a central storage 
mechanism for the mapping.  It would obviously use that for looking up 
maps that it had already defined, however it isn't clear to me how or if 
that fits in with an existing LDAP or AD account repository.  While one 
would assume those modules would be pretty similar, the little 
documentation is different.  The AD one mentions some schema, but the 
LDAP doc does not.  The AD one says it is read-only, but there is no 
mention of that with LDAP.

The docs make no mention of looking up existing (unix) UIDs.  It sounds 
like winbind still uses the configurable range of available UIDs to 
generate its own mapping (which it would refer to in the future).

Until I see some details, I'm going to assume this will be containerized 
in LDAP in its own area and not merged in with existing entries.  Plus, 
I still don't see anything to lead me to believe that it will do a 
getpwent to look up a UID before randomly choosing a uid from the 
available range.

thanks

Tom Lieuallen
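
Added example (not part of the original thread and not Samba project code): one way to check, once winbind is resolving AD accounts, whether each user kept the existing unix UID or was given one from the allocation range. The account listings, the EXAMPLE domain name and the 10000-20000 range are constructed assumptions; real input would be the existing passwd data and the passwd-format entries resolved through winbind.

```python
# Added example: audit winbind's uid mapping against existing unix uids (constructed data).

def parse_passwd(text, separator="\\"):
    """Parse passwd(5)-format lines into {lowercased short name: uid}."""
    users = {}
    for line in text.splitlines():
        fields = line.strip().split(":")
        if len(fields) < 7 or not fields[2].isdigit():
            continue  # skip blank or malformed entries rather than guess
        # winbind reports DOMAIN<separator>user; keep only the user part
        name = fields[0].rsplit(separator, 1)[-1].lower()
        users[name] = int(fields[2])
    return users

def audit_mapping(unix_text, winbind_text, alloc_range, separator="\\"):
    """Return (user, unix_uid, winbind_uid, reason) for every mismatch."""
    unix = parse_passwd(unix_text)
    mapped = parse_passwd(winbind_text, separator)
    owner_of = {uid: name for name, uid in unix.items()}
    low, high = alloc_range
    findings = []
    for name, unix_uid in sorted(unix.items()):
        wb_uid = mapped.get(name)
        if wb_uid is None:
            reason = "no winbind mapping"
        elif wb_uid == unix_uid:
            continue  # existing unix uid was preserved
        elif wb_uid in owner_of:
            # the AD account would own another unix user's files
            reason = "collides with unix user " + owner_of[wb_uid]
        elif low <= wb_uid <= high:
            reason = "allocated from idmap range"
        else:
            reason = "uid differs"
        findings.append((name, unix_uid, wb_uid, reason))
    return findings

UNIX_PASSWD = r"""
alice:x:1201:100:Alice:/home/alice:/bin/bash
bob:x:1202:100:Bob:/home/bob:/bin/bash
carol:x:1203:100:Carol:/home/carol:/bin/bash
dave:x:1204:100:Dave:/home/dave:/bin/bash
"""
WINBIND_PASSWD = r"""
EXAMPLE\alice:*:1201:100:Alice:/home/EXAMPLE/alice:/bin/bash
EXAMPLE\bob:*:10000:10000:Bob:/home/EXAMPLE/bob:/bin/bash
EXAMPLE\carol:*:1202:100:Carol:/home/EXAMPLE/carol:/bin/bash
"""
ALLOC_RANGE = (10000, 20000)  # assumed idmap allocation range
```

A collision finding is the one to treat first: files owned by the colliding unix UID become accessible to a different AD account.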

